In today's regulatory climate, businesses adopting Software-as-a-Service (SaaS) or cloud-based services are confronted with two equally challenging choices.
On the one hand, SaaS provides companies with a controlled environment outside the control of their own IT organization. Internal IT staff have no access to the application, the data, or the infrastructure configuration beyond what they are entitled to. All access to the data is mediated by the application or its programming interfaces (APIs). By modeling access control and roles appropriately, unauthorized access to data through the application can be prevented. With a comprehensive logging and audit-trail framework in place, every instance of data access is captured and reported. So, in a way, by adopting SaaS, companies get the majority of their IT controls implemented for free.
On the other hand, companies adopting SaaS cannot blindly assume they have killed the IT controls monster. Most SaaS applications outside the top-tier ones like Salesforce, RightNow and a few others are being brought to market by small startups. Startups, by their very nature, are less process-oriented and tend to operate with ad hoc processes. An example of this was when I once worked with an IT Manager of a SaaS startup who, upon my insistence on governance processes, said to me “We are not Oracle (with reference to my previous employer), we are a small company and cannot afford to have elaborate processes” and continued to approve unregulated access to the production application and customer data by his team. This is every customer CIO's nightmare.
While customer data, and access to it, might be protected from unauthorized employees of the customer, in the absence of proper processes the startup SaaS provider might be opening up unregulated backdoor access to the same data. With staff turnover rampant in startups, this data could now be in the hands of many an employee who has passed through the startup.
So what is a customer to do in this situation?
If you look through the majority of public instances of data leaks or compliance violations, you will see that most of them involved employees of the affected companies. That should encourage companies to look at SaaS solutions. But as part of your initial contract, and throughout your subsequent relationship with the SaaS vendor, insist on transparency about the controls implemented.
Here are some things to keep in mind:
- Despite all the controls in place, it will be your responsibility to include the SaaS service in the regular IT audits, SOX-404 reviews and the like that you conduct.
- If the vendor presents a third-party certification like SAS-70, insist on seeing the actual controls that were reviewed as part of the certification. SAS-70 is merely a reference for best practices and is not, by itself, foolproof.
- Assign the responsibility to schedule and conduct periodic reviews to a named employee and make it part of their job description (think PMO office, risk management).