Securing the government cloud: Tips for screening SaaS products

This year’s Wannacry ransomware attacks may have served as “a wake-up call” for governments, but security experts already had plenty of reasons to be on high alert.

Every day seems to bring a new report of mass identity theft or a cyberattack on sensitive infrastructure. And those are just the threats that make the news — who knows how many more go unreported?

Assessing the strengths and weaknesses of your organization’s security has never been more important. But it’s not always easy, especially with software as a service (SaaS) products.

Most SaaS vendors rely on cloud service providers like AWS and Azure for their cloud infrastructure, and some try to pass off these providers’ security practices as their own. However, to provide support, develop their product, and aid their business processes, vendors may also need to store everything from contracts to emails to confidential client data on local servers or employee laptops. To thoroughly screen a SaaS product, you need to pay close attention to the vendor’s own security and compliance policies and procedures.

One simple way to do this is through a questionnaire. A well-drafted questionnaire can facilitate conversations about security certifications, data encryption and ongoing risk assessment, and how these will be handled once you turn your data over to the vendor.

Some topics and specific questions to consider:

Internal governance

Questions about a vendor’s internal governance may reveal whether they have a comprehensive security program or approach it in an ad hoc manner. You should ask about the vendor’s established policies and procedures on information security, whether the vendor performs security risk assessments to identify and measure risks, and if so, how often. Find out if they have a dedicated role for information security and compliance, and if so, who that person reports to in the organization.

Information security

Naturally, you’ll want to dig into specific security practices. You can find plenty of resources online to help develop these questions. But you should certainly ask about the use of strong multifactor authentication for all elevated or privileged administrator accounts. Also inquire into password policies, as guidance on password security has evolved, and outdated password policies may indicate a lack of awareness of most recent best practices. And don’t forget human bugs. How does the vendor’s security team address training and awareness?

Independent assurance and incident response

Find out what security and privacy certifications the organization — not its cloud provider — has acquired. AWS’s cloud compliance page has a lengthy list you can use for checkboxes. Two industry-leading options are a SOC 2 Type II certification or an ISO 27001 certification from an accredited provider. Be sure to ask about their practices for independent third-party auditing, vulnerability scanning and penetration testing. Many of these independent certifications are voluntary, which means the vendor has opted in and exposed their security practices and procedures to third-party review.

If you are dealing with PHI, you will need to execute a Business Associate Agreement (BAA) with the vendor. It’s important to obtain assurance that the vendor complies with the Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules. Check whether the vendor has completed a HIPAA self-evaluation or invited a third party to complete a HIPAA compliance evaluation. Keep in mind there is no certification recognized by the U.S. Department of Health & Human Services (HHS), whose Office of Civil Rights (OCR) enforces the HIPAA security and privacy rules. Security-savvy vendors will know this and be able to provide assurance regarding their HIPAA compliance practices.

Finally, ask how the vendor responds to security incidents, and how they work with clients if an incident occurs. Rather than requiring a set notice period in the event of a suspected incident, confirm that your vendor has a defined procedure in place with concrete escalation paths, and includes a trigger in the contract for notification. This will be important information for your own incident response plans, as well.

It all might sound like a lot to think about, but the stakes for data loss are high, and half-measures won’t protect you. With suitable care and proper attention, you can maintain strict security and confidentiality, stay current with the latest risk-management practices and keep yourself — and your agency — out of the headlines.