As enterprise applications and data continue to move toward software as a service (SaaS), the need to evolve security controls and strategies has become increasingly apparent. New developments are now required to access and store data and applications. An evolving enterprise IT landscape calls for an evolving security strategy to keep pace with it.
In a recent podcast, information security analyst Jim Brennan detailed how Intel’s development of a “SaaS Security Playbook” has given risk managers a foundation for running the same “plays.” By creating a guide for security stakeholders, your organization can ensure consistency in security strategy and responses.
The Right Security Framework
By adopting the Open Data Center Alliance (ODCA) security framework and security assurance levels of bronze, silver, gold, and platinum, businesses can identify and focus their limited security resources on the most sensitive parts of the business. The ODCA security framework also offers recommendations on the type of security assurances your business should require from providers at each tier. Additionally, it details requirements for access control, encryption, data masking, and more.
Know Thyself: Application Inventory & Insight
According to Brennan, one of the first steps toward creating a SaaS security playbook is to take stock of which services have been migrated to the cloud, and which are still hosted in-house. During this inventory process, your team should create documentation for all SaaS providers, tenants, and enterprise controls. By conducting a thorough inventory of existing services and their security controls, your team can take a holistic and informed approach to implementing appropriate security measures for the kinds of data and applications that are being hosted in the cloud.
Choosing The Right Partners
A huge part of a successful security strategy is keeping outside providers accountable. Since the ecosystem is still evolving, many SaaS products are still maturing. It’s important to carefully vet and scrutinize new providers before aligning with them. Security is an ongoing process: your security team should continually audit all SaaS providers and reassess the risks associated with them.
Brennan anticipates a lot of consolidation in the SaaS space over the next five to 10 years, which is why he recommends signing short-term contracts with your providers. If your roadmaps no longer align, your IT organization should be able to quickly move from one provider to another.