Dark Reading is part of the Informa Tech Division of Informa PLC


7/7/2021
01:00 PM
Viral Trivedi
Commentary

Are Security Attestations a Necessity for SaaS Businesses?

Are security attestations becoming business imperatives, or are they merely token additions on the list of regulatory requirements?

In 2011, Silicon Valley tech gurus predicted that software will eat the world. Today, we are living in that future, as most businesses use cloud-deployed software. It's not just in marketing or finance; IT security is also awash with software-as-a-service (SaaS). For perspective, nearly 90% of organizations use SaaS apps to run their businesses.

SaaS tools are popular because of advantages such as faster deployment time, minimal management hassles, no upfront hardware costs, and easy scalability. However, many business customers have deep concerns regarding the security of cloud apps.

Most organizations ask potential SaaS vendors to provide their compliance credentials, and some companies decline to even sit for a demo call if a SaaS vendor is not ISO certified or SOC 2 compliant.

Vendors, especially startups, have a somewhat different perception. Most bootstrapped startups either completely gloss over security attestations or get certifications as an afterthought. This is primarily because these certifications are expensive. Startups would rather invest money in product development or customer acquisition to make a profit. This got me thinking about a few questions:

  1. Are security attestations becoming business imperatives, or are they merely token additions on the list of regulatory requirements?
  2. If they're becoming the new business norm, which security attestations are a must?
  3. How can you validate SaaS startups that claim they are secure?

To get answers to these questions, I turned to my peers in the cybersecurity industry. I talked to several experts and recently ran a poll on LinkedIn to see what they thought about this topic.

The poll is closed, but you can still add your comments.

Understanding Security Certifications
The most common security certifications are: 

  • ISO 27001 specifies which processes, services, systems, or departments you want to protect, as defined by your information security management system policy.
  • CIS Controls are a prescriptive, prioritized, and simplified set of cybersecurity best practices to help fortify your cybersecurity. You are usually required to map your CIS Controls to ISO 27001.
  • NIST offers a combination of existing standards, guidelines, and best practices. It is a prerequisite for achieving HIPAA or FISMA compliance.
  • Systems and Organizations Controls 2 (SOC 2) are criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy.

CIS, NIST, and ISO 27001 are good starting points for most SaaS startups, but they don't give the complete picture of an organization's overall security posture.

For example, if you're considering buying a certified app from a SaaS vendor, you still have to do the due diligence and audit other aspects of their DevSecOps. That kind of double auditing is a little extreme in the fast-moving SaaS world. Also, these certifications are only as good as the enterprise following them outside the audit cycle. Another caution is that some certifications are symbolic of compliance. Many security leaders have been sounding the alarm that compliance doesn't guarantee security.

CIS, NIST, and ISO 27001 are great at the program level and are good, marketable endorsements; however, they often have little impact on an organization's actual security hygiene.

What is the value of being SOC 2 certified? First, it satisfies compliance with many security audits. It also assures that SaaS service providers handle users' private data securely. It's important to know that, unlike ISO 27001, SOC 2 reporting is not a certification. It's an attestation based on the examination service performed under the AICPA standards. SOC 2 offers wider coverage of your security status and meets ISO 27001 criteria by default. However, if you want ISO 27001 certification on top of SOC 2 reporting, you can do so at minimal additional cost.

There's one small catch if you are planning to get SOC 2 reporting for your organization. Most businesses think SOC 2 is the way to go for cloud security platforms. While that's true, I recommend SaaS companies become certified for SOC 2 Type 2. SOC 2 Type 1 is good when undergoing SOC 2 for the first time. But Type 1 certification won't provide the level of assurance over the operating effectiveness of controls over the long term that SOC 2 Type 2 does.

The SOC 2 Type 2 report covers security, confidentiality, availability, processing integrity, and privacy. It indicates maturity and is great for solution and service-level implementations.

From a client's standpoint, contracting with a SaaS vendor is easy if the latter can prove its SOC 2 readiness. SOC 2 attestation signals that a company is serious about handling customer data, and it attracts more customers and investors.

If you're a SaaS company evaluating SOC 2 certification, consider creating a strategy for implementing security controls and investing in your security awareness program. This will help you foster robust security by design without wasting time and resources.

A Final Word of Caution
Compliance is a formidable business driver; it induces trust and confidence and helps you to stand out in the highly competitive SaaS market. However, security attestations only go so far. Many companies victimized by security breaches have multiple security certifications and attestations.

Compliance and attestations alone won't protect you from a security breach if your vendor partners turn out to be the weak links in your SaaS security chain. If you want to assess the security posture of a SaaS company, talk to their security leader. Ask questions, such as:

  • Do they have a dedicated security leader or a virtual chief information security officer (vCISO)?
  • Who owns the security of their SaaS ecosystem?
  • How frequently do they perform penetration testing?
  • What is their incident response plan?

You will probably learn more about the organization's security posture from that conversation than from their SOC 2 or compliance reports.

Viral Trivedi is the Chief Business Officer at Ampcus Cyber Inc—a pure-play cybersecurity service company headquartered in Chantilly, Virginia. As a CBO at Ampcus Cyber, Viral leads many customer-facing initiatives, including market strategy, channel partner programs, ...
 
