Who is Responsible for SaaS Security?

It seems simple, right? You pay for a cloud application to do something – or maybe it is free and you assume the vendor is responsible for the security of your data.

Turns out, it is not quite that simple. In fact, far from it.

Identity attacks, where the attacker somehow compromises an account, are a major source of data breaches. Different SaaS providers have different capabilities. Does the vendor, for example, offer multi-factor authentication? Is it on by default or do you have to turn it on? Are strong passwords required? Or optional? Each provider is different.

What about when there is an incident? Who is responsible for what? Again, different providers operate differently.

What about other security features? Microsoft offers a feature called improbable login. It detects and blocks logins when the same account logs in from two cities hundreds or thousands of miles apart (say New York and Los Angeles) within a time that is “improbable”. Is it on by default? Is it available in the version of Office you are paying for? What action is it going to take? Who is responsible for that?

What about backups? Most providers have some form of backup, but in most cases it doesn’t come with any guarantees. If your data is important to you, make sure you understand what backup services your provider offers and what guarantees they may or may not come with.

Many SaaS providers have a shared responsibility matrix document. The document outlines what that provider is responsible for and what you are responsible for. If you don’t have one for your most important providers, ask for it, and if they don’t have one, make your own.

If you need help with this or want a copy of our shared responsibility questions, please contact us.

Credit: Help Net Security
