Previously, we have discussed a few Secrets of SaaS Security, but I wanted to dive a little deeper on the topic of security, this time with a goal of creating a preliminary cloud risk assessment for your organization.
Risk is what keeps you up at night. In some cases you welcome it - maybe you'll be skydiving or snorkeling with sharks or investing in a racehorse - but most of the time you are trying to prioritize, normalize, mediate, overcome, or wipe out risks. If you were out on the Savannah in prehistoric times, you had to balance the risk of wild animal attack with the need for water. Through careful risk assessment you determined a strategy - maybe you chose a lazy time of day, or maybe waited until the lion was otherwise engaged - that kept you alive and hydrated. Risk assessment is as old as consciousness - it's more than being human, it's part of being alive.
When assessing risk, best practices suggest that you remove as much emotion from the analysis as possible. Insurers' actuarial tables are a prime example of this art: by breaking down all of the risk factors into a grid, normalizing and averaging those factors, and then checking against the bell curve, we have a much safer industry, fiscally speaking. The cost to insure is no longer a personal decision but is derived from data, and will work out in the company's favor over the long run.
This primacy of data over emotion is a great starting place for discussing your current SaaS security situation.
Cloud Risk Assessment
We will begin our cloud risk assessment by reviewing, without judgment, all of our cloud-based apps and services - and maybe even a few in-house solutions while you're at it - through the following lenses:
- Here are many of the types of data that may be stored by any given provider. Some are perhaps more of a core-business risk than others, but we're not here to judge - we're here to understand and acknowledge.
  - Company Employee Information - salaries, tax information, contact information, financial information
  - Customer Information - contact information, process and data information, business intelligence
  - Intellectual Property - data stores, analytics processes, content, catty remarks in chat or email
  - Log Information - logins, searches, history - remember that Google, Facebook, etc. derive most of their value from this
And a couple of key questions:
- What is involved in transferring this data en masse?
- What happens if this data is lost?
- How is this data encrypted - during transfer, at rest, and in backup?
- What data can or cannot be transferred via APIs?
Has the application gone through vulnerability testing for the wide array of hacking methods? For example:
- SQL injection and wildcards
- weak file extensions
- cross-site scripting
- brute force methods, etc.
Will that testing be ongoing? Will the results of that testing be transparent to the customer?
Also on the subject of application risks: we've discussed Identity and Access Management elsewhere.
Last, but certainly not least, what happens to your business if you cannot use this solution?
- Is it considered business critical?
- What compliance issues may be at risk?
- What is the up-time SLA?
- Is there 24-hour support?
- Where is the app physically hosted? The data?
When performing a cloud risk assessment for your business, for each cloud service or app you should examine the data security, application defense and the risks to your business should the service be unavailable.
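A risk grid of the kind the post describes (factors broken down, normalized and combined), as an added example that is not part of the original post: each app is scored on the data it stores, on the yes/no controls from the key questions above (encryption in transit, at rest and in backup; bulk export; ongoing vulnerability testing), and on its uptime SLA weighted by business criticality. The category weights, the scoring formula and the inventory are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Relative weight of each data category the post lists (assumed values).
DATA_WEIGHTS = {"employee": 3, "customer": 3, "ip": 4, "logs": 2}

# Controls drawn from the post's key questions; each is a yes/no fact about the provider.
CONTROLS = ("encrypted_in_transit", "encrypted_at_rest", "encrypted_backups",
            "bulk_export_possible", "ongoing_vuln_testing")

@dataclass
class SaasApp:
    name: str
    data_types: frozenset        # subset of DATA_WEIGHTS keys
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    encrypted_backups: bool
    bulk_export_possible: bool   # can the data be moved out en masse / via API?
    ongoing_vuln_testing: bool
    business_critical: bool
    uptime_sla: float            # fraction, e.g. 0.999

def missing_controls(app):
    """Names of the controls the provider does not offer: the gaps to raise with them."""
    return [c for c in CONTROLS if not getattr(app, c)]

def risk_score(app):
    """0..1 score: exposure (what is stored) scaled by missing controls, plus an
    availability term that only weighs heavily for business-critical apps."""
    exposure = sum(DATA_WEIGHTS[d] for d in app.data_types) / sum(DATA_WEIGHTS.values())
    missing = len(missing_controls(app)) / len(CONTROLS)
    data_term = exposure * (0.25 + 0.75 * missing)       # never zero: stored data is always a risk
    downtime = min((1.0 - app.uptime_sla) * 100, 1.0)    # 99.9% -> 0.1, 99% -> 1.0 (capped)
    availability_term = downtime * (1.0 if app.business_critical else 0.25)
    return 0.5 * data_term + 0.5 * availability_term

def rank_apps(apps):
    """Highest risk first: the order in which to spend assessment effort."""
    return sorted(apps, key=risk_score, reverse=True)

# Constructed inventory for the example; none of these are real providers.
INVENTORY = [
    SaasApp("payroll", frozenset({"employee"}), True, True, False, True, False, True, 0.999),
    SaasApp("chat", frozenset({"ip", "logs"}), True, True, True, True, True, False, 0.99),
    SaasApp("crm", frozenset({"customer", "ip"}), True, True, False, False, False, True, 0.9995),
]

if __name__ == "__main__":
    for app in rank_apps(INVENTORY):
        print(f"{app.name:8} {risk_score(app):.3f} gaps={missing_controls(app)}")
```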