How secure is your SaaS vendor? 5 questions to consider
Public and private sector enterprises are moving to Software as a Service (SaaS) offerings. Studies show that 94% of enterprises use cloud services and that the average enterprise uses over 1,000 cloud services, a 25% increase in less than five years.¹ A move to SaaS brings many benefits, such as lower cost and faster time to market. Organizations can see a significant cost reduction with SaaS because they run less physical hardware and no longer have to administer it. Deploying a SaaS solution is also much faster, and it is backed by the expertise of the vendor that operates the cloud service. Despite these benefits, when we talk with customers, one of their main concerns about moving to SaaS is security. It is imperative that any vendor providing cloud and SaaS services keep security at the forefront.
FedRAMP is a good example of security practice in the public sector. FedRAMP was born out of the need to move more United States government organizations into the cloud and to manage that migration and ongoing cloud usage in a safe and secure manner. FedRAMP provides a standardized approach to security and risk assessment in the cloud, and while it was designed for public sector use, we see the private sector looking at how FedRAMP-authorized applications are built and managed. The journey to FedRAMP authorization is rigorous, with in-depth preparation, auditing, and approvals. The benefit is a common understanding that every authorized application follows the same security standard:
Achieving an Authorization to Operate is a multi-step process. It begins with an agency sponsor and a preparation phase that includes delivery of a System Security Plan (SSP) documenting the system boundary and how each control is implemented.
From there, the provider must undergo a full security assessment by an accredited third-party assessment organization (3PAO) against the NIST SP 800-53 controls. Any gaps found in that assessment go into a Plan of Action and Milestones (POA&M) with owners and remediation dates.
Then either the authorizing agency or the Joint Authorization Board (JAB) may grant the Authorization to Operate (ATO). Once the ATO is granted, the service enters continuous monitoring: monthly vulnerability scanning, POA&M updates, and an annual assessment for as long as the authorization is held.
From a security perspective, organizations can appreciate the rigor that goes into achieving and maintaining a FedRAMP ATO. Digital.ai offering a FedRAMP-authorized version of Agility is one example of how Digital.ai places security at the forefront of everything we do.
Because Digital.ai Agility uses the same code base for the commercial and FedRAMP-authorized offerings, the risk mitigation required for FedRAMP, which is done as part of the development cycle, carries over directly to all customers, commercial and public sector alike. Beyond that, the Digital.ai CloudOps team keeps the latest security patches installed and monitors for threats. Digital.ai follows industry best practices and services to ensure security and partners with industry leaders for SaaS infrastructure security. Digital.ai also provides risk-reducing features such as encryption at rest and support for single sign-on (SSO) with leading identity providers.
When considering a move to SaaS, it is important to understand how the provider mitigates risk and ensures security. There are many security topics to consider:
Does the vendor configure its systems according to established security best practices?
Does the vendor keep the infrastructure as secure as possible?
How does the provider manage third-party vulnerabilities, and how quickly is a published fix applied? This applies not only to the main application but also to the public libraries the application depends on.
What steps does the vendor take to keep data private and secure?
What approaches does the provider use to scan for vulnerabilities and manage penetration tests, and are the results shared with customers?
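As an added example of the third-party library question above (this is not code from the original article or from Digital.ai), the following Python script audits a pinned dependency manifest against an advisory list, the kind of check a vendor should be running on every build. The manifest, the advisories, and their EXAMPLE-nnnn identifiers are all constructed for the demonstration; a real check would pull the same introduced/fixed version ranges from a feed such as OSV or the GitHub Advisory Database.

```python
"""Audit a pinned dependency manifest against a list of advisories.

Added example for this article; it is not Digital.ai code. The manifest,
the advisory entries and their identifiers are constructed for the demo.
"""
import re

# Constructed manifest in requirements.txt style (not from any real project).
MANIFEST = """
# constructed manifest for the example
requests==2.25.0
urllib3==1.26.4
PyYAML==5.3
cryptography==3.4.7
jinja2>=2.11
six
"""

# Constructed advisories with hypothetical identifiers (not real CVEs).
# 'introduced' is the first affected version (inclusive); 'fixed' is the
# first patched version (exclusive) or None if no fix exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5"},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "introduced": "0", "fixed": "5.4"},
    {"id": "EXAMPLE-0003", "package": "cryptography", "introduced": "3.0", "fixed": "3.4"},
]

# Requirement line: name, operator, version (comments are stripped first).
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)\s*([^\s,;]+)")
BARE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)$")


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'PyYAML' in the manifest matches 'pyyaml'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple:
    """Sortable key for a dotted version: numeric parts padded to four
    places plus a trailing marker, 0 for a release and -1 for anything
    carrying a pre-release tag (so '3.4rc1' sorts before '3.4').
    Padding makes '5.3' and '5.3.0' compare equal. This is a simplified
    scheme, not full PEP 440."""
    nums, prerelease = [], False
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            prerelease = True
            break
        nums.append(int(m.group()))
        if m.end() != len(seg):  # digits followed by a tag, e.g. '4rc1'
            prerelease = True
            break
    nums = (nums + [0, 0, 0, 0])[:4]
    return tuple(nums) + ((-1,) if prerelease else (0,))


def is_affected(version: str, introduced: str, fixed) -> bool:
    """True when introduced <= version < fixed (no upper bound if fixed is None)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def parse_manifest(text: str):
    """Return ({normalized name: pinned version}, [names that are not pinned])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if m:
            name, op, ver = m.groups()
            if op == "==":
                pinned[normalize_name(name)] = ver
            else:
                unpinned.append(normalize_name(name))
        elif BARE_RE.match(line):
            unpinned.append(normalize_name(line))
    return pinned, unpinned


def audit(manifest: str, advisories: list) -> dict:
    """Match every advisory against the pinned versions; report unpinned
    packages separately, since a range cannot be audited reliably."""
    pinned, unpinned = parse_manifest(manifest)
    findings = []
    for adv in advisories:
        pkg = normalize_name(adv["package"])
        if pkg in pinned and is_affected(pinned[pkg], adv["introduced"], adv.get("fixed")):
            findings.append({"package": pkg, "version": pinned[pkg],
                             "advisory": adv["id"], "fixed": adv.get("fixed")})
    return {"findings": findings, "unpinned": unpinned}


if __name__ == "__main__":
    report = audit(MANIFEST, ADVISORIES)
    for f in report["findings"]:
        print(f"VULNERABLE {f['package']}=={f['version']}: {f['advisory']} (fixed in {f['fixed']})")
    for name in report["unpinned"]:
        print(f"UNPINNED   {name}: pin an exact version before auditing")
```

Two details are deliberate. Unpinned dependencies (`jinja2>=2.11`, bare `six`) are reported rather than guessed at, because what actually ships depends on resolution time and an audit of a range proves nothing about the deployed build. And the fixed version is an exclusive bound, so `cryptography==3.4.7` is correctly cleared by an advisory fixed in 3.4 while a pre-release such as `3.4rc1` is still flagged; off-by-one errors at that boundary are a common source of false negatives in home-grown checks.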
The topics mentioned here only scratch the surface.
Stay tuned for an end-of-year blog that further defines what our business does to keep our customers safe, and we’ll provide more tips on how you can stay secure.