Rightly so, both businesses and end users are concerned about storing some of their personal data in the cloud. Whether that data is part of a transaction or core to the service the SaaS provider offers, companies developing SaaS offerings should take into account that they have to earn the trust of their customers.
In 2012, Arxan published its report "State of Security in the App Economy - Mobile Apps Under Attack", indicating that more than 90% of top paid mobile apps had been hacked: 92% of the Top 100 paid apps for Apple iOS and 100% of the Top 100 paid apps for Android were found to have been hacked.
The majority of businesses have legitimate concerns about moving to the cloud. The cloud is not Fort Knox, nor a fully secured medieval castle, nor even the bank vault on the street corner. The cloud is everywhere, yet it has been built on highly secured environments in well-protected data centers around the globe. There could hardly be a bigger contrast than the one between ubiquitous, pervasive computing and security.
Nebucom provides some guidance to companies developing a SaaS portfolio. This guidance has been collected and revised by a group of security experts with an interest in ensuring that the SaaS customer (you, the company aiming to provide Software as a Service from the cloud) is better informed when choosing between cloud providers.
Moving into the cloud today raises a series of considerations on:
1. Overall Security & Incident Response
2. Privacy / Data Protection
3. Service Level Agreements (SLA) and service monitoring
For SaaS specifically, some additional guidance can be given on top of infrastructure and general security:
1. Multi-tier security architecture
2. Secure Coding and Security Testing Practices
The aim of this guidance is to provide a reasonable level of trustworthiness in the cloud by pointing out some challenges, some best practices, and the existence and purpose of standards and certification schemes. Our main bias, as a result, is that we start from the assumption that a cloud will be the infrastructure for Software as a Service.
Basically, you should scrutinize the security measures and capabilities of your (potential) SaaS provider. Depending on the size and focus of the cloud provider, that in itself may become a challenge.
The best way to start is to know the questions you need to ask and what to look for in the answers. You should be given guidance to understand and explore the multiple security layers of their cloud-based service, including:
• What to look for in an information security program
• The importance of application architecture for a secure environment
• How to think about data security
• Correctly assessing systems and network security
• Key areas to focus when determining data center security
Collect your answers individually, and record your evaluation on the Nebucom benchmarking platform. By answering the following survey you ensure that you have not missed any question, and you also receive the results of your evaluation compared with those of other people who have evaluated cloud providers on security.
We help to provide some transparency, without laying out the details of your requirements or the security measures of the cloud providers.
Benchmarking - Survey
The following survey assumes you have questioned your SaaS provider in the cloud, and asks you about your evaluation of the guidance and the answers you have received.
This survey is anonymous, and results will be published anonymously. We do ask you for your contact details so that we can contact you to check that this data has not been entered by the cloud providers themselves. With those contact details we may also provide you with some additional guidance on your SaaS plans.
I. Information Security Program
1. What is your Incident Response Plan?
2. What are your staff’s qualifications?
3. What is your InfoSec organizational structure?
4. Describe your InfoSec policies.
5. Do your employees acknowledge policies or sign confidentiality agreements?
6. What is your change control process?
7. What certifications or 3rd party attestations do you have?
8. Do you have a Disaster Recovery Plan?
9. What are your notification procedures?
II. Application Architecture and Security
1. Describe your application’s architecture and different tiers.
2. Describe your coding practices.
3. How do you test your application?
4. Do you perform web application vulnerability testing?
III. Data Security
1. How do you protect user authentication information?
2. How are User Files stored? What level of encryption?
3. Is the system multi-tenant?
4. How is account information stored?
5. Are User Files accessed by the vendor?
6. Who has access to User Files?
7. When are files deleted?
8. How is disk media destroyed when decommissioned?
9. How is data transferred (both account information and User Files)?
10. Is data backed up or copied?
IV. System & Network Security
1. Who has access to production systems?
2. How do personnel authenticate? How do you manage accounts?
3. How are password policies enforced?
4. Is access to the system logged?
5. How often do you patch production systems?
6. What are the standard builds based on?
7. How is your production network segmented from your corporate, QA and development environments?
8. Do you perform vulnerability scans and penetration testing?
9. What type of firewalls do you use?
10. How are system/network monitoring, logging and alerting setup?
V. Data Center Security
1. What are the physical access requirements for the data center?
2. How is the data center access list maintained and controlled?
3. Who has access to the data center?
4. Is the data center physically monitored (cameras, guards, etc.)?
5. Where are data centers located?
6. What redundancy and availability does the data center provide?
7. What type of certification does the data center have?