Working Draft

CSA Standard

CSA 11001(wd) : 2018
SaaS Governance Best Practice for Cloud Customers
SaaS Governance
CSA Standard
Working Draft
Warning for Drafts

This document is not a CSA Standard. It is distributed for review and comment, and is subject to change without notice and may not be referred to as a Standard. Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

© 2018 Cloud Security Alliance, LLC.

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from the address below.

Cloud Security Alliance

2212 Queen Anne Ave N
Seattle
WA 98109
United States of America

copyright@cloudsecurityalliance.com
www.cloudsecurityalliance.com

 


 



Foreword

The Cloud Security Alliance ("CSA") is global non-profit organization with the aim to facilitate and protect user information in the cloud and its ecosystem.

The procedures used to develop this document and those intended for its further maintenance are described in the CSA Directives.

In particular the different approval criteria needed for the different types of CSA documents should be noted. This document was drafted in accordance with the editorial rules of the CSA Directives.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CSA shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the CSA list of patent declarations received (see www.cloudsecurityalliance.com/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

This document was prepared by the Cloud Security Alliance SaaS Governance working group (SaaS Governance).

The SaaS Governance working group aims to benefit all parties in the Software-as-a-Service (SaaS) ecosystem by supporting a common understanding of SaaS related risks from the perspectives of the cloud customer and cloud service provider.

The workgroup would like to especially thank the following individuals for their contributions to this document:


Introduction

Background And Context

The SaaS Governance Best Practice for SaaS Customers is a baseline set of fundamental SaaS governance practices for SaaS Customers. It enumerates and considers risks during all stages of the SaaS adoption lifecycle and take into account the SaaS usage lifecycle. The best practice also provides mitigation measures from the cloud customer’s perspective.

The Importance of SaaS

When a cloud customer talks about cloud services, most are speaking about Software-as-a-Service (SaaS) services.

SaaS is by far the most prolific cloud service model compared to PaaS and IaaS. According to Gartner Research, SaaS covers 76.2% of cloud spending (total USD 113.5Bn in 2016, retrieved 2017/03/30). SaaS also covers over 60% of cloud workload, and is increasing in share [Cisco]. In addition, it is estimated that there are over 12,000 SaaS vendors worldwide compared to less than 500 IaaS and PaaS vendors combined [add reference].11

SaaS has penetrated virtually all organizations mainly due to the potential business benefits, including efficiency and agility:

  • High adoption rate: 84% have adopted at least one SaaS organization-wide [CSA research].

  • 25% SaaS adopters are heavily reliant on SaaS [CSA research].

  • SaaS adoption is increasing year by year [Computer Economics 2015, 2016]

Common Reasons For SaaS Adoption

  • Outsourcing responsibilities: Typically SaaS CSPs manage all aspects of an application, including security, on behalf of the cloud service customer. This includes capabilities that may be outside the customer’s core skillset/competencies, such as access ubiquity, security and business continuity (e.g., backup, recovery). This allows the SaaS customer to better focus on its own core abilities.

  • Pervasion of consumer SaaS products: Some SaaS services provide functionality for both consumer and corporate usage, e.g., Dropbox, Google Mail or Office 365. Since these products are already widely used by consumers, their de-facto standard status carries over to the corporate world where employees are readily willing to adopt them within organizations with little to no learning requirements as they are already familiar with the SaaS service.

  • Potential cost-savings: Short-term usage without licensing investments offer significant cost-saving opportunities.

  • Ease and speed of deployment: SaaS services make it easy for organizations to quickly adopt new applications, allowing SaaS customers to collaborate with customers, suppliers and subsidiaries without technical hurdles and delays.

  • Transfer of CAPEX to OPEX: Many organizations prefer using SaaS services instead of investing in in-house resources to prevent increasing capital expenditure (CAPEX).

SaaS services often represent the weakest link in security

SaaS adopters experience SaaS specific security incidents

Over 77% organizational SaaS adopters have experienced SaaS security incidents. Close to 60% have experienced unwanted sharing of credentials or data.

The nature of SaaS services make them often the weakest link in an organization’s portfolio.

While SaaS CSP’s typically manage almost all aspects of security of a SaaS service, but it is ultimately the responsibility of the cloud customer to ensure that the security of the service aligns with the customers' organizational security requirements.

SaaS Are Black Boxes

Data is at the center of SaaS. When a potential SaaS customer is evaluating a SaaS service, one has the responsibility to assess the SaaS service and its provider very critically in terms of its security and compliance capabilities.

Organizations using SaaS will no longer own parts of the software and hardware on which their business operates, and therefore are heavily reliant on the CSP for faithful, effective and accurate processing of its operational needs.

Depending on the services they outsource to the cloud, organizations will rely on the cloud providers to offer the latest versions of software applications, the production of audit trail logs and to make data access transparent.

Transparency has not been a strong feat of SaaS systems. Since each SaaS is made up of a diverse architecture, it is also difficult for a SaaS provider to make every single facet of their operations transparent and accessible to the SaaS customer. [therefore best practices are necessary.]

Lack of visibility for SaaS customers [CSA survey]

  • 28% have no access into user logins

  • 29% have no audit logs

  • <49% know [where, when] sensitive data is accessed

Without transparency to the data and operational details of a SaaS service, the SaaS customer is left with limited control and insight on own data hosted at the CSP.

This limitation is the number 1 security and privacy concern for business decision-makers in SaaS adoption.

SaaS architecture complexity

The SaaS landscape is a diverse one and therefore poses diverse risks to a SaaS customer.

SaaS typically involves the other cloud service models to facilitate a SaaS application. Each SaaS service may contain multiple components and layers operated by the same or different entities.

Different from IaaS providers, SaaS services range from running everything themselves to relying on a mix of IaaS, PaaS and SaaS providers.

Different architectures impose different responsibilities and implications to the SaaS customer.

The level of control over its data that a customer has in the SaaS environment is very different from the other cloud service models such as IaaS and PaaS.

SaaS service authority and ownership

A SaaS service can outsource a majority of its many components.

Many SaaS cloud providers lack the technology or resources to operate the physical side of the infrastructure of their cloud environment.

Instead, they outsource the infrastructure to a third-party CSP such as Microsoft Azure, Google Compute Engine or Amazon AWS.

This provider-of-the-provider arrangement can make it challenging for the cloud service customer to keep track of regulatory compliance requirements, data incident reporting, contractual liability and so forth.

SaaS presents wide-ranging and enormous risks unless mitigated

SaaS poses a much higher risk than traditional on premise applications. SaaS is a black box, we don’t know what the application stack looks like, we don’t know where the application is deployed, we don’t know where our data is housed and we don’t know how long the CSP its supply chain is.

  • Compared to PaaS or IaaS, SaaS potentially provides a larger attack surface accessible by more threat agents.

  • SaaS CSP supply chain may be deep and broad, and could traverse multiple jurisdictions. [⇒ more exposure]

  • A SaaS service may seem simple but often provide a broad array of services under the same product banner, such as providing API access, micro services and mobile client access. [⇒ Larger attack surface]

  • The underlying application stack of a SaaS can be very deep — relying on multiple virtualization and dependent technologies, including development libraries, operating systems, container images, virtual machines as well as physical machines. [⇒ more attack vectors]

As an analogy, a IaaS or PaaS may be a car parts manufacturer, where each manufactured part is easy to understand and simple to test for failure. There could be simple statistics such as MBTF that describe predictable behavior of a part. On the other hand, a SaaS service serves both the integrator and the developer role, by integrating multiple underlying cloud vendor as well as layering its own intellectual property around it. Resulting failures can be caused by any integrated service or component, and could be complex to investigate and understand. Its dependency of different components is commonly unknown to the SaaS customer and therefore hard to act upon as a customer.

The result is that any security incident on a SaaS provider may critically impact its SaaS customers directly, and from the SaaS customer perspective, it is necessary to mitigate such risks.

The important part is that a SaaS services are built for a specific purpose, and this purpose is often directly linked to business goals. Business goals are exactly what malicious agents target for. This means that the type of data stored in a SaaS account is is often well known to users and attacker alike, and can therefore specifically be targeted by malicious agents.

(⇒ More threat agents)

Most SaaS providers lack proper security expertise

  • Many SaaS providers are "born in cloud": Low entry barriers due to proliferation of IaaS / PaaS services [WIP ref]

  • Security comes with a cost that most SaaS don’t want to afford: Security engineers command almost a 10% premium over other IT jobs [WIP ref]

  • Shortage of security skillsets: 1.5m security personnel shortfall in 2019; 80% employers had difficulty finding qualified cybersecurity expertise [WIP ref]

  • SaaS security is an afterthought: Providers seek the cost benefits of being in the cloud without considering cloud threats [WIP ref]

SaaS Governance Best Practice for Cloud Customers

1.  Scope

This document:

2.  Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27002, Information technology — Security techniques — Code of practice for information security controls

CSA CCM 3.0.1, Cloud Security Alliance Cloud Controls Matrix, v3.0.1

3.  Terms, definitions, symbols and abbreviated terms

For the purposes of this document, the following terms and definitions apply.

3.1. Terms and definitions

3.1.1 

SaaS

Software-as-a-service

cloud service model where a software service is being offered via cloud where its customers are only given access to the logical service

3.1.2 

SaaS provider

cloud service provider that provides a SaaS (Clause 3.1.1) service

3.1.3 

SaaS customer

An entity that utilizes a SaaS service (Clause 3.1.4).

3.1.4 

SaaS service

A CSP service that is offered under the SaaS (Clause 3.1.1) model.

3.1.5 

SaaS service component

component of a SaaS service (Clause 3.1.4) that itself can be considered a service under a narrower scope.

3.2. Symbols and abbreviated terms

For the purposes of this document, the following abbreviations apply.

CSP

Cloud Service Provider

MBTF

Mean Time Before Failure

4.  Sector-specific concepts for SaaS customers

4.1. Overview

SaaS customers should assess and mitigate information security risks raised by the usage of SaaS services. This document provides implementation guidance based on CSA CCM 3.0.1 and ISO/IEC 27002 and provides additional controls to address SaaS-specific information security threats and risks.

Users of this document should view its content according to the CSA CCM 3.0.1 and ISO/IEC 27001.

4.2. Using this document

This document has a structure similar to that of ISO/IEC 27002.

In cases where objectives and controls specified in ISO/IEC 27002 are applicable without a need for any additional information, only a reference is provided to ISO/IEC 27002. Additional controls and associated implementation guidance applicable to SaaS customer security management practices are described in Appendix A.

In cases where controls need additional guidance applicable to SaaS customers, this is given under the heading SaaS customer implementation guidance.

4.3. Approach

SaaS requires a different security governance mindset. Due diligence starts at a high level, and works itself down to the details.

An organization should first seek a framework that suits the organization’s security and business needs. That framework will shape the policies, processes and staff that make up the security architecture.

Second, assess the supply chain of the CSP by method of interview or analyzing self-disclosures. Ensure you are aware whether the offered service is a shared tenant one or if your organization gets a dedicated single tenant environment.

Traditionally security organizations would protect the data by functioning as a gatekeeper.

With SaaS, organizations must rely more on monitoring and shepherding.

4.4. Structure

We define three necessary components of SaaS security: process, platform and application. Integrated security for SaaS can be realized by gluing process security, platform security and application security together.

Process security protects the integrity of process activities, to ensure the input and output of processes are not easily compromised. These are the managerial aspects including policies and procedures to ensure that an organization’s processes are consistent.

Platform security deals with the security strength of the platform, the underlying dependencies of a SaaS service. These include the infrastructure the SaaS service runs on, its suppliers,

Application security deals with security of the SaaS application itself. A SaaS application can only stay secure if itself does not contain exploitable vulnerabilities. [Need to reword.]

In conjunction to the three factors, additional security controls can be integrated to the above approaches on a horizontal manner.

Sector-specific security controls are commonly used to satisfy privacy, governmental or financial compliance. Examples are CSA CCM 3.0.1, HIPAA and PCI-DSS. These requirements are often vertically-focused that apply across three SaaS security areas.

4.5. Lifecycle considerations

The SaaS adoption and usage lifecycles.

4.5.1. Adoption lifecycle

The SaaS adoption lifecycle is composed of 4 steps:

  • Evaluation

  • Adoption

  • Usage

  • Termination

4.5.2. Usage lifecycle

The SaaS usage lifecycle is composed of 4 steps:

  • Eligibility: Should this person be a user of this service

  • Provisioning: What needs to be done to add this person to the service?

  • Monitoring: Is this person actually using the service, in a normal manner?

  • Deprovisioning: How do we remove this person from the service?

The SaaS usage lifecycle helps protect against daily operational risks and the weakest link: the human factor.

The SaaS usage lifecycle maps out how your organization engages the CSP and the SaaS service.

It is important that you understand and monitor the SaaS usage lifecycle in its entirety. It can be very easy to get drawn in to focusing all your efforts in optimizing one stage of the lifecycle, such as onboarding, when doing so won’t help the business to achieve its desired outcomes more easily or quickly.

5.  Information security policies

SaaS Customers should develop a SaaS security strategy and build a security architecture that reflects that strategy.

5.1. Policies for information security

Policy governing adoption, termination and usage of SaaS services.

Usage policies should be considered for each adopted SaaS service:

  • [WIP]

5.1.1. Evaluation

The initial evaluation of a SaaS service will typically allow the business, legal and security stakeholders to understand the risk of the transaction and proceed accordingly.

The key question to answer at this stage is, "Is this a potential fit with our risk profile?"

5.1.1.1. Determining acceptable risk

The first step of evaluating a SaaS service is to determine what risks it would raise to the SaaS customer.

According to ISO/IEC 27001, a risk management approach should be used to manage information security. A SaaS customer should first determine what is acceptable risk to the organization from the SaaS service, which forms the baseline of the evaluation stage. Different methods can be used to manage risk, including the international risk management standard ISO 31000.

Given an understanding of the organization’s risk profile, a SaaS customer should be able to determine if the SaaS service in question could be a potential fit with the organization’s risk profile.

One way of determining the risk profile of a SaaS service can be determined by understanding the usage context of the SaaS service taking the following considerations into account:

  • Data

    • E.g., What data will I process at and expose to this SaaS?

  • Processes

    • E.g., Does this service affect my core processes?

  • Requirements

    • E.g., What business requirements, laws and regulations are relevant to this service?

At this stage the following aspects should be evaluated on how they affect the risk profile of the SaaS customer:

  • The SaaS provider

  • The SaaS service

  • The usage of the SaaS service

The most common risk profiling method available is the classic CIA classification:

  • Confidentiality

  • Integrity

  • Availability of information.

With CIA, applications and databases are risk scored per your requirements.

Once the risk footprint has been established you can start calculating the risk the SaaS application poses.

There are many ways to calculate risk and developing a risk profiling framework depends on your need and type of industry.

It pays to keep in mind that by transferring activities to a CSP, the SaaS customer itself is not outsourcing its responsibility to the CSP. The SaaS customer must always keep in mind that the risk owner is responsible for accepting residual risk of adopting a SaaS service.

5.1.1.2. Security and privacy requirements

Once a baseline risk level is established, many cloud service customers engage in a security and privacy due diligence process. It is common for cloud service customers to send assessment questionnaires or RFIs to the cloud provider for completion.

These questionnaires inquire about internal security controls the customer wants to see in place with the CSP, and typically address regulatory requirement concerns around security and privacy.

Self-assessment schemes such as the CSA STAR self-assessment or the Common Assessment also helps CSPs inform potential customers about SaaS provider security capabilities.

They also inquire about the cloud provider’s use and disclosure of personal information to determine where personal information will be processed and whether the cloud provider will be using the information for its own purposes or disclosing to third parties (for example, disclosures to 3rd party advertisers).

5.1.1.3. Communicating requirements

The responses to these questionnaires further allow customers to refine their risk assessment, and feed into the contracting phase of the cloud transaction. To reinforce their risk assessment and due diligence process, and as part of their supplier management, many cloud customers create standard data security and privacy schedules to include in their cloud contracts.

The purpose of these schedules is to address regulatory issues, provide a mechanism to hold a cloud vendor to reasonable security standards, establish incident response obligations and transfer risk of loss for data breaches or privacy violations caused by the cloud provider.

Again, the overall goal is to attempt to contractually create a seamless relationship with the cloud provider and reduce risk as much as possible.

The contracting process for vendor management programs is sometimes further refined to allow customers to have pre-established "fallback" positions for certain terms during negotiations with cloud providers. It is not unusual for both a customer’s legal team and security team to be involved in the negotiation of these terms.

5.1.1.4. Internal context

Controls:

  • SaaS strategy and policy.

  • Consequences of failure, supplier management.

Customers should develop a SaaS security strategy and build a security architecture that reflects that strategy.

Threat modelling and threat profiling are key in developing the SaaS security strategy.

5.1.1.5. Service terms

The failure to negotiate robust incident response and security and forensic assessment rights can also pose risk.

In this context, CSPs should be viewed as an extension of the customer’s IT environment, and customers should attempt to obtain as much control as possible contractually.

If a cloud provider suffers a breach that impacts the customer’s information, but that provider does not have a contractual duty to provide notice of the breach, remediate and cooperate, then the customer may not be able to reduce its legal risk and comply with regulatory obligations

Controls:

  • Service level management

    • SLA vs our availability requirements

    • Business continuity promises: RPO, RTO

    • Incident handling and escalation

  • Legal concerns

    • Legal and regulatory requirements

    • Jurisdictional authority, legal requirements of CSP and SaaS service

    • Indemnity: relocation of jurisdiction, M&A

  • Notifications: security, privacy, compliance changes and events

  • Termination rights

5.1.1.6. Affected data

Another significant risk that cloud computing presents is a general loss of control over data transferred to the cloud and network availability outsourced to the cloud.

For instance, in a more traditional IT setting, organizations have the ability to assess and adjust their systems so they are compliant with applicable regulations and standards.

For instance, an organization sending data to a CSP located the EU must follow the requirements of the EU.

But an organization can be deemed noncompliant if their data was transferred to a jurisdiction that violates that rule.

And since many SaaS providers use infrastructure as a service providers located in multiple jurisdictions, compliance represents an increased risk.

A SaaS customer should be able to answer the following questions:

  • What data will be transferred to the SaaS service?

  • What data will the SaaS service have access to?

  • What reliance will we have to the SaaS service on our data?

For example, if only non-sensitive records are being stored at the CSP, as opposed to social security numbers or financial account data, less supplier scrutiny may be appropriate.

Controls:

  • Confidentiality requirements driven by data value

  • Data classification requirements (e.g., HIPAA, PCI)

  • Data and metadata control: ownership, processing, licensing

  • Data location and sovereignty

  • Availability requirements and data mobility

5.1.1.7. Privacy

Controls:

  • Our role vs role of the SaaS service?

    • Controller (PII of customers or staff)

    • Processor (PII supplied by a controller)

  • Privacy policy: do they sell our data?

  • Breach obligations and responsibilities

  • PII data inventory, visibility

  • Consent management

Further, the ever-changing regulatory landscape itself increases the risk of violation. Concerns abroad about US CSPs housing European citizen’s data, have only increased that potential risk.

5.1.2. Adoption

Treat usage risks on adoption of a SaaS service.

Usage Risk is the risk your organization is incurring based on how you are using a specific SaaS service.

5.1.2.1. Perform detailed risk assessment

  • Application functionality

  • Security and monitoring capabilities

  • Aligning with business/internal requirements

To identify risk a detailed risk assessment on the SaaS service and CSP is a must.

5.1.2.2. Develop policies and procedures

  • Account management procedures

  • Acceptable use policy against service abuse

  • Integrate user lifecycle procedures in business

  • Follow data classification and labelling procedures

  • Integrate into existing service level, incident and vulnerability management processes

Controls to modify risk of SaaS are procedural and technical in nature.

5.1.2.3. Configuration management

  • Determine configuration baseline

  • Setup service according to security policies, perform risk treatment if required

Secure configuration and technical solutions such as multi-factor authentication are a security force multiplier.

Please keep in mind that the use of OTPs (one-time passwords) should be in line with your threat profile.

SMS-based OTPs can lead to compromise (or even worse) in countries where the telecom providers are under control of oppressive governments.

5.1.2.4. Security configuration

  • Authentication and authorization

    • Multi-factor authentication, single sign on

    • Access restrictions based on geolocation

  • Data loss prevention

  • Password policies and history

  • Role-based access control

Single sign-on is typically used by organizations to provide a single identity to users so they can access multiple applications.

Single sign-on improves security and the user experience because employees do not need to keep track of multiple passwords and thus are not tempted to write them down.

Single sign-on however is not always preferred or even allowed - particularly in financial organizations.

5.1.2.5. Data

  • Availability mitigation processes if necessary, data exports, backups

  • Inventory of assets, ownership and responsibilities

  • Limitations on external sharing

  • Cryptographic controls and requirements

Data loss prevention helps to provide a higher level of information protection. It prevents the transfer or exfiltration of certain types of documents.

DLP has two aspects: detection and action.

Detection means that automated systems search for certain keywords or phrases.

Appropriate actions are initiated such as informing the user of the relevant security policies that are violated, quarantining or deleting a document or attachment.

SaaS CSPs typically provide mechanisms or APIs for their customers to automate this process.

5.1.2.6. Understand threat vectors and attack surface

And understand what threats there are and develop controls to change risk.

  • Secure access and network components to service

  • Develop controls to reduce attack vectors, e.g., malicious files can spread via document sharing

  • Develop controls on potential internal failure points, e.g., DNS spoofing, phishing

5.1.2.7. User awareness and training

  • Develop best practices guidelines for secure usage of this service

  • Enforce data classification and labelling

  • User awareness on what are security incidents for this service and how to report them

  • Promote a no-repercussion atmosphere for candid reports

5.1.3. Usage

  • Acceptable use

  • Administration

5.1.3.1. Periodic service/supplier reviews

  • Monitor service terms and conditions for changes archive versions

  • Validity of security assurances

  • Ongoing security performance

CSP supplier management is challenging.

5.1.3.2. Alerts

  • Monitor suspicious logins and data access

  • Monitor service usage and abuse

  • Monitor service attributes for SLA compliance

Service terms and conditions can change overnight resulting in loss of control. Therefor you should continuously monitor the attributes of the service using automated tooling.

Monitor configuration changes and alert if necessary.

5.1.3.3. Usage visibility

  • Authentication logs with login, user location

  • Access logs

  • Audit logs

  • Account provisioning and de-provisioning logs

5.1.3.4. Continuously evaluate and reduce attack surface

  • Monitor basic attributes of service for sanity check

  • Review controls to reduce attack vectors

  • Monitor potential internal failure points

5.1.3.5. Configuration management

  • Monitor configuration changes and alert if necessary

5.1.3.6. Data

  • Monitoring of valid backups

Ensure that backups of data is performed and even more important, test the backups by performing or requesting a restore.

5.1.4. Termination

Termination of SaaS usage requires coordination and planned execution.

One of the most important yet frequently overlooked risks of SaaS services lies in the contracts offered by CSPs.

Organizations have traditionally worked with their legal departments to negotiate service provider contract terms to be less "vendor-friendly" and to mitigate any losses caused by service providers by holding the providers financially responsible.

But cloud providers haven’t been willing to offer the usual indemnification, limitations of liability or other terms — particularly pertaining to privacy and data security.

The most prevalent reasons CSPs site is that these additional duties and obligations threaten the lower price model for cloud computing and, since CSPs don’t know what their customers are storing on the cloud, they can’t be held liable for segregating and securing customer data.

Unfavorable terms in cloud agreements may increase the risk for cloud service customers.

Cloud service customers may also want to contractually limit the subcontractors that a CSP utilizes to store or process the customer’s data. Without these limitations, a customer may find that its data is actually two or three hops removed from the primary CSP.

5.1.4.1. Internal processes

  • Notify all users on service termination

  • Guidelines on replacement or data extraction

  • Extract data for future usage or migration to new service

  • Where to store and who is responsible?

5.1.4.2. Data retention

  • Destruction of backups and residual data/metadata (system logs, audit logs, access logs, search indices, etc)

  • Data retention timeframe should satisfy data classification requirements

  • Exporting and removal of financial information

  • Exporting of usage and other reports

5.1.4.3. Return of assets

  • Export of data/metadata (audit logs, access logs, backups)

  • Comply with data location requirements

  • Acceptable data formats

  • Delivery time, method, accessible for how long

5.1.4.4. Decommission service-specific attachments

  • Service specific monitoring

  • Security monitoring of service

5.1.4.5. Service management

  • Removal of all integrations with service

  • Ensure decommissioning of service

  • Ensure closure of contract

5.2. Review of the policies for information security

6.  Organization of information security

6.1. Internal organization

6.1.1. Information security roles and responsibilities

Despite that many view SaaS as an outsourced responsibility, security is ultimately a shared responsibility between the SaaS provider and the SaaS customer.

For a SaaS customer, not all aspects of SaaS security can be controlled. For example, a SaaS customer may not be able to mitigate known vulnerabilities of a SaaS application even when it is severe, but out of the customer’s control.

There are cases, however, where customers can mitigate some of the risks for. Consider the case when a SaaS application accepts a weak TLS cipher: the customer’s policy could enforce all its users to use a more resilient cipher while communicating with this SaaS, thereby mitigating this vulnerability until it is ultimately resolved.

A SaaS customer must consider how these three aspects of a SaaS service could affect its own risks.

In general, a SaaS customer manages these risks mainly through a combination of managerial and technical controls, to protect its processes from the security and operational risks that arise from the reliance on the SaaS platform itself.

6.1.2. Segregation of duties

6.1.3. Contact with authorities

6.1.4. Contact with special interest groups

6.1.5. Information security in project management

6.2. Mobile devices and teleworking

6.2.1. Mobile device policy

A SaaS service often provides mobile device access through a web frontend catered to mobile devices or through a SaaS service-specific application installable on mobile devices. Policies should be instantiated on what is allowed on such an application on BYOD devices or organization owned devices, and what data is allowed to be processed on such devices.

6.2.2. Teleworking

One benefit of SaaS services is to be available through the Internet. This means that often business applications can be utilized outside of the workplace, which allows remote working. Given this benefit, the SaaS customer must define what is considered acceptable usage of a SaaS service with regards to teleworking.

  • What data can a remote worker access on the SaaS?

  • What are the data labelling requirements?

  • Different ways in which a particular data is accessed by a remote worker?

  • Is the data available to everyone with an account to access the SaaS service?

  • What are the various risk scenarios and mitigation strategies?

7.  Human Resource Security

8.  Asset Management

To benefit from a SaaS service, the SaaS customer would need to provide certain data to be processed on the SaaS service. Therefore management of data is extremely important for a SaaS customer.

8.1. Responsibility for assets

8.1.1. Inventory of assets

A SaaS customer should be able to answer the following questions:

  • What data will be transferred to the SaaS service?

  • What data will the SaaS service have access to?

  • What is our reliance to the SaaS service for our data? How reliable is our data in the SaaS service?

  • Are there any geolocation requirements for the data, such as regulatory or client service requirements?

8.1.2. Ownership of assets

A SaaS customer should be able to answer the following questions:

  • Who is responsible for what data located on the SaaS service?

8.1.3. Acceptable use of assets

There are two parts to this:

  • What is the SaaS provider allowed to do with our data? Metadata?

  • What are our users allowed to do with data on the SaaS service?

Data and metadata control: ownership, processing, licensing

8.1.4. Return of assets

CSA CCM 3.0.1

  • What will the SaaS provider do with our data on termination of service?

  • What happens with data

8.2. Information classification

8.2.1. Classification of information

  • Confidentiality requirements driven by data value

  • Data classification requirements (e.g., HIPAA, PCI)

8.2.2. Labelling of information

8.2.3. Handling of assets

  • Data location and sovereignty

  • Availability requirements and data mobility

8.3. Media handling

8.3.1. Management of removable media

8.3.2. Disposal of media

8.3.3. Physical media transfer

9.  Access control

9.1. Business requirements of access control

9.1.1. Access control policy

  • Evaluate whether person needs access to this

  • Identify business requirements and role

  • Information clearance based on data classification

  • Approval by security review and data owner (sponsor)

Users in organizations are typically granted access to applications based on historical events or by cloning the access rights of their peers.

Therefore it is important to evaluate whether a person genuinely needs access to a service and to identify the business requirements and establish roles.

9.1.2. Access to networks and network services

9.2. User access management

9.2.1. User registration and deregistration

User awareness is vital: you need to help the business understand their security problems, and help them understand how their role will help them solve it.

9.2.2. User access provisioning

  • User training on best practices

  • Awareness on acceptable use, relevant policies and procedures

  • Create account according to user access baseline

  • Least privilege

  • Billing party: group or sponsor based on usage?

  • Identify and set resource limits

Always follow the concept of least privilege and identify and set resource limits.

9.2.3. Management of privileged access rights

9.2.4. Management of secret authentication information

9.2.5. Review of user access rights

9.2.6. Removal or adjustment of access rights

  • Ensure immediate account termination without residual

  • Halts resource billing related to account

  • Audit logs and access logs must be kept

  • Security review if necessary

  • Update account termination logs and inventory

Ensure audit logs are reviewed and retained.

And finally, ensure billing is halted when resources are no longer used. Do this in an automated fashion and try to eliminate any manual actions.

9.3. User responsibilities

9.3.1. Use of secret authentication information

9.3.2. Monitoring of user access

  • Set monitoring alerts based on basic usage profile

  • Alert on suspicious login (e.g., location, time) and data access (e.g., batch access)

  • Adherence to password policies

  • Data loss prevention

Setup alerts and monitor suspicious behavior and logins.

9.4. System and application access control

9.4.1. Information access restriction

9.4.2. Secure log-on procedures

9.4.3. Password management system

9.4.4. Use of privileged utility programs

9.4.5. Access control to program source code

10.  Cryptography

10.1. Cryptographic controls

10.1.1. Policy on the use of cryptographic controls

A policy should be setup based on what cryptographic controls a SaaS service should support for eligibility.

If a SaaS service does not support the designated cryptographic control, what are the mitigation measures.

  • What data needs to be verified in terms of integrity (hashing) and confidentiality (encryption)

  • What role should the provider play: would the provider have access to the encrypted data? Would the provider have to collude with another provider to do so? Or the provider cannot have access to the data.

10.2. Key management

If the SaaS service supports usage of customer keys, procedures and auditing trails should be setup to monitor usage of these keys.

11.  Physical and environmental security

12.  Operations security

12.1. Operational procedures and responsibilities

12.1.1. Documented operating procedures

12.1.2. Change management

12.1.3. Capacity management

12.1.4. Separation of development, testing and operational environments

12.2. Protection from malware

12.2.1. Controls against malware

12.3. Backup

12.3.1. Information backup

12.4. Logging and monitoring

12.4.1. Event logging

12.4.2. Protection of log information

12.4.3. Administrator and operator logs

12.4.4. Clock synchronization

12.5. Control of operational software

12.5.1. Installation of software on operational systems

12.6. Technical vulnerability management

Define responsibilities for vulnerability management.

For organizations using cloud resources over SaaS, controlling security can be challenging in some cases. For example, a SaaS customer may not be able to mitigate known vulnerabilities of a SaaS application if it is severe and out of the customer’s reach.

There are cases, however, where customers can mitigate risks. Consider the case when a SaaS application accepts a weak TLS cipher: the customer’s policy could enforce all its users to use a more resilient cipher on connections to this SaaS, thereby mitigating this vulnerability until it is ultimately resolved.

12.6.1. Management of technical vulnerabilities

  • Manage and track vulnerabilities affecting SaaS customer usage

  • Procedure for tracking and escalating problems to SaaS provider

  • Mitigate existing problems and manage usage to affected areas

12.6.2. Restrictions on software installation

12.7. Information systems audit considerations

12.7.1. Information systems audit controls

13.  Communications security

13.1. Network security management

13.1.1. Network controls

13.1.2. Security of network services

13.1.3. Segregation in networks

13.2. Information transfer

13.2.1. Information transfer policies and procedures

13.2.2. Agreements on information transfer

13.2.3. Electronic messaging

13.2.4. Confidentiality or non-disclosure agreements

14.  System acquisition, development, and maintenance

15.  Supplier relationships

15.1. Information security in supplier relationships

15.1.1. Information security policy for supplier relationships

15.1.2. Addressing security within supplier agreements

15.1.3. Information and communication technology supply chain

15.1.3.1. Certified assurance

Certified assurance is the process where a trusted third-party attests that a provider is trustworthy.

Certified assurance can help simplify risk assessments – they are extremely useful as input to risk assessments as they can help clarify what is claimed versus reality of a provider. In addition, a number of such schemes provide stringent assessment on security practices of the SaaS provider, in a detailed manner that is not accessible by SaaS customers.

Cloud service customers should expect their providers to have established at minimum an information security management system (ISMS) which is the foundation of ISO 27001. Ideally the CSP discloses the state of their controls and security practices. Typically, this is done by the means of third-party audit reports such as SOC2 Type 2.

Some CSPs go beyond that and let prospects and customers perform audits and penetration testing of the SaaS applications and services.

Keep in mind that not all certifications and audit reports are the same. A certification like ISO 27001 demonstrates that the CSP has established a base for information security management.

Additional cloud related security certifications such as STAR certification or even STAR attestation, provide a higher level of assurance.

For instance, the SOC1 audit validates only a list of controls that an organization provided to an auditor.

Finally, pay close attention to the scope and business entity of a certification. The scope should cover the SaaS services you are considering and the business entity should be the entity you will be signing the contracts with.

Also, make sure the report covers all the provider its facilities and locations – not just the data center that houses the application.

The Trust Triangle.

A SaaS customer can seek assurance reports especially in the following areas from a SaaS provider:

  • Cloud security, e.g., CSA STAR Certification, CSA STAR Attestation, CSA CSTAR Assessment, ISO/IEC 27017

  • Government security, e.g., Singapore SS 584 Multi-Tiered Cloud Security

  • Application security, e.g,. BSI Kitemark for Secure Digital Transactions, OWASP ASVS

  • Integrated security, e.g., AICPA SOC 2, ISO/IEC 27001

  • Privacy, e.g., ISO/IEC 27018

  • PCI DSS

  • Privacy Shield

15.2. Supplier service delivery management

15.2.1. Monitoring and review of supplier services

15.2.2. Managing changes to supplier services

16.  Information security incident management

16.1. Management of information security incidents and improvements

16.1.1. Responsibilities and procedures

Define responsibilities for handling security incidents of a SaaS provider.

16.1.2. Reporting information security events

  • Keeping track of security events

  • When should a security event be escalated to the SaaS provider?

16.1.3. Reporting information security weaknesses

  • Determine weaknesses using vulnerability scanning tools

  • Scan for weaknesses in various systems such as applications, infrastructure, network, database etc.

16.1.4. Assessment of and decision on information security incidents

  • Determine the actual source of the incident

  • Use Security Information and Event Management (SIEM) to consolidate logs from multiple sources

16.1.5. Response to information security incidents

  • Determine if it is a false positive

  • Classify the type of an incident

  • Categorize the level of criticality of the incident

  • Determine the source of the incident

  • Reduce impact of incident

  • Identify the root cause

  • Get back up and running in shortest amount of time

  • Prevent incident from occurring again

  • Reduce potential impact

  • Prevent an outbreak

  • Track the event to prevent further wrongdoing

16.1.6. Learning from information security incidents

  • Learn from mistakes as well as from the successes

  • Collect meaningful data that can be used to track performance metrics for the Incident response team

  • Use output from the feedback processes to modify policy and guidelines

16.1.7. Collection of evidence

17.  Information security aspects of business continuity

17.1. Information security continuity

17.1.1. Planning information security continuity

17.1.2. Implementing information security continuity

17.1.3. Verify, review, and evaluate information security continuity

17.2. Redundancies

17.2.1. Availability of information processing facilities

18.  Compliance

18.1. Compliance with legal and contractual requirements

18.1.1. Identification of applicable legislation and contractual requirements

18.1.2. Intellectual property rights

18.1.3. Protection of records

18.1.4. Privacy and protection of personally identifiable information

18.1.5. Regulation of cryptographic controls

18.2. Information security reviews

18.2.1. Independent review of information security

18.2.2. Compliance with security policies and standards

18.2.3. Technical compliance review


Appendix A
(normative)
Security controls

TODO: Here goes the controls.


Bibliography

TODO: Add PCI-DSS, CSA assurance programs, HIPAA, etc.

[1]  ISO/IEC 27000:2018, Information technology — Security techniques — Information security management systems — Overview and vocabulary

[2]  ISO 31000, Risk management — Guidelines