The past year has been a learning curve on Cloud Computing, especially on SaaS providers. More and more ASPs are coming back rebranded as SaaS providers. As a security practitioner, it would be good to have a must-have checklist to use when assessing them.
I prepared the following must-have checklist based on the Cloud Computing Alliance Guide (v1.0) document. “SaaS Provider” below is the vendor providing the cloud computing service and “Consumer” is the client or end user of the “SaaS Provider”.
Governance and Enterprise Risk Management
- SaaS Provider must provide at least SAS 70 Type II or equivalent certification (e.g. Agreed Upon Procedures). SAS 70 Type II is a mandatory requirement if the service is SOX critical or within financial statement audit scope. If credit card information is involved, PCI DSS compliance certification is required.
- SaaS Provider must provide Consumer with a listing of all third-party relationships that it has; the same audit assurance requirements as above apply to them. The vendor is expected to obtain such audit assurance from third-party subcontractors and provide it to the Consumer upon request.
- SaaS Provider must divulge policies, procedures and processes comprising its Information Security Management System (ISMS)
- Consumer must have authority to define Service Level Agreements with SaaS Provider
- SaaS Provider must incur all costs for both an expected and unexpected termination of the relationship and for an orderly return or secure disposal of Consumer assets.
- All of Consumer’s data must be destroyed from the SaaS Provider systems and environments upon the termination of the contract/services and upon completion of the transition and conversion to Consumer’s chosen platform and receipt of confirmation of the same from Consumer’s executive sponsor and/or legal counsel.
- Consumer information assets must not be used for any secondary purpose, including use of Consumer assets as test data.
- SaaS Provider must host all Consumer information assets in a country that Consumer is comfortable with (based on the regulations that Consumer is subject to).
- SaaS Provider must accept all costs related to data breaches, including recovery costs, where possible.
- SaaS Provider must not share Consumer information assets with a third party or government entity without prior consent.
- Consumer must have an escrow arrangement for SaaS Provider software and applications.
- Consumer must have authority to define roles and responsibilities related to Electronic Discovery, including such activities as litigation hold, discovery searches and who provides expert testimony.
Compliance and Audit
- Consumer must have authority to define the type of controls that will be applied to the locations where data will be stored.
- Consumer must have authority to audit SaaS Provider on demand
- Consumer must have authority to perform external risk assessments, including a Privacy Impact Assessment on the SaaS Provider
Information Lifecycle Management
- SaaS Provider must retain and destroy Consumer information assets per Consumer security policies and standards.
- Consumer must have authority to perform regular backup and recovery tests to assure that logical segregation and controls are effective.
- All regular backups must be received at a data warehouse owned by Consumer.
- SaaS Provider must have logical segregation of duties of personnel.
Portability and Interoperability
- Consumer must receive regular data extractions and backups in a format that is not proprietary and is reusable by Consumer.
Traditional Security, Business Continuity and Disaster Recovery
- Consumer must have authority to define business continuity and disaster recovery requirements
- Consumer must have authority to perform onsite inspections of SaaS Provider’s facilities whenever required
- Consumer must have authority to inspect SaaS Provider disaster recovery and business continuity plans
Data Center Operations
- SaaS Provider must demonstrate comprehensive compartmentalization of systems, networks, management, provisioning and personnel.
- Consumer must have authority to regularly test SaaS Provider’s customer service function to determine its level of mastery in supporting the services.
Incident Response, Notification and Remediation
- Consumer must receive application layer logs to provide granular details of incidents specific to Consumer.
- SaaS Provider must at least have application-level firewalls, proxies and other application logging tools, which are the key capabilities currently available to assist in responding to incidents in multi-tenant environments.
- SaaS Provider must use third-party monitoring tools such as HP Cloud Assure or McAfee VA.
- Consumer must receive timely notification of any related incident at SaaS Provider including change in personnel working on Consumer assets.
- Consumer must have authority to conduct acceptance tests on any new changes introduced by SaaS Provider.
- SaaS Provider must have separate environments for development, testing and production deployment of applications.
- SaaS Provider must always maintain an application instance for Consumer logically segregated from other instances of SaaS Provider customers.
- SaaS Provider must construct a registry of application owners by application interface (URL, SOA service, etc.)
- Consumer must receive a third-party binary code analysis report (e.g. a Veracode report) on the SaaS Provider application.
Encryption and Key Management
- Consumer must have authority to stipulate encryption requirements (algorithm, key length and key management at a minimum) for any data classified as restricted or regulated.
- Cryptographic keys used by SaaS Provider must be hosted by a third party that Consumer is comfortable with.
Identity and Access Management
- SaaS Provider must use standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation
- SaaS Provider must support strong authentication natively or via delegation.
- SaaS Provider must support robust password policies that meet and exceed Consumer security policies and standards
- SaaS Provider must provide details of storage architecture and abstraction layers to verify that the storage subsystem does not span domain trust boundaries
- SaaS Provider must provide the list of storage geographical locations.
- SaaS Provider must provide details of controls that are used during storage provisioning to partition multiple customers
- Data search capabilities of SaaS Provider must not violate Consumer information classification and handling security standards.
- For data at rest, SaaS Provider must utilize strong storage encryption that renders data unreadable when storage is recycled, disposed of, or accessed by any means outside of authorized applications.
- SaaS Provider must use a unique encryption key per Consumer to encrypt Consumer information assets or data.
- SaaS Provider must meet Consumer data retention policies for long-term archival. Decryption and associated technologies must still be usable on the data several years later.
- Virtualized operating systems of the SaaS Provider must be augmented by third party security technology to provide layered security controls and reduce dependency on the platform provider alone.
- SaaS Provider must assure secure-by-default configurations by following or exceeding available industry baselines for all its VM platforms.
- SaaS Provider must monitor or enable Consumer to monitor traffic crossing VM backplanes, which will be opaque to traditional network security controls.
- Administrative access and control of virtualized operating systems is crucial and SaaS Provider must include strong authentication integrated with enterprise identity management, as well as tamper proof logging and integrity monitoring tools.
Feel free to post your thoughts or suggestions. Don’t feel shy 🙂
UPDATE: January 2010 – Cloud Security Alliance has a new version of the guide. I will review the document shortly and make the necessary changes.
The list is interesting. The only problem, or let’s say concern, I have is: will any SaaS / cloud computing provider be able to comply with this?
Or in other words, have you successfully evaluated any cloud computing provider against this checklist?
I would be interested to know them…
Thanks and Regards
I agree…the list is interesting, but also very one-sided and not grounded in reality.
There is no way any SaaS is going to agree to all of those points.
I have tried using this checklist to conduct a couple of vendor assessments. As some of you said, this is an exhaustive one and a SaaS vendor may not be able to meet all of them. Some of the requirements are achieved through contracts. Those few items that cannot be complied with may need to be accepted as risk.
The vendors I have met so far are willing to meet all of them. They may need some time to achieve the target – they are learning as the industry grows. From the vendor’s point of view, wouldn’t they want to appear as a secure service for their customers?