#HowTo: Quickly Evaluate a SaaS Vendor’s Cloud Security

Written by

Life in the cloud means trusting other people with your data. Everyone says they are trustworthy and you have nothing to worry about, but there’s been an average of 33 data breaches a week in the US in 2021 (through Q3, per the ITRC). So, folks aren’t doing as well as they claim.

How then can you decide which vendors are trustworthy and those just telling you what you want to hear? Big companies can make their vendors jump through hoops and fill out questionnaires, but for the rest of us, we need a faster and more accessible method.

Step 1) Find the Security Page

Find the page on your vendor’s website where they talk about how they secure your data. I often use google to accelerate the process with searches like: "site:example.com security" and "site:example.com trust center" and "site:example.com privacy."

If you still can’t find anything about how they keep your data safe, you have to assume their security is sub-par. Or else they don’t think their customers care about such things. Either way, they get an "F" and it’s time to move on.

Step 2) Wade Through the Jargon

Companies say things like, "we’re the most trusted provider of blah" and "we take your security seriously" as a way to make you feel good without actually meaning anything. The goal is to find the nuggets that carry meaning and use them to assess the relative security of the company.

Basic security measures sometimes get dressed up in a lot of flowery language. No one should brag about brushing their teeth every day. Likewise, no one gets extra credit for doing the bare minimums for security. 

For example, when companies talk about using "military-grade encryption" or "state-of-the-art encryption for all data," or when they say "all plans include SSL encryption to keep your data safe," they’ve just told you they use HTTPS on their website, which is table stakes. 

Step 3) Filter the Fluff

Another one you might hear is that they encrypt your data "in transit and at rest." That means that in addition to HTTPS, they also use transparent disk encryption. This is important, but it doesn’t really protect your data from hackers unless they are stealing hard drives out of servers. On a running machine, the data might as well not be encrypted at all.

Another example that sometimes gets hyped, but is table stakes, is data center security. When security pages tout ''armed guards,'' ''video surveillance'' and other measures, they’re really digging for something to talk about. All of the major cloud providers and most data center providers do this. It would be surprising and exceptional if they didn’t. No gold star.

Step 4) Score the Remaining Security Information

While the above are markers of basic, table stakes security, these items are markers of at least moderate security:

  1. Certifications and process audits, such as the SOC2 certification. It doesn’t mean they have good data protection practices, but it does mean that they are being more rigorous about their security in general and doing things like external penetration tests to test their security. Companies that are SOC2 Type 2 certified probably have at least reasonable security. Note: beware of PCI compliance claims as they only pertain to your credit card information and don’t pertain to any other data.
  2. Advanced authentication features like single sign-on, multi-factor authentication and notifications upon logins from new devices.
  3. A bug bounty or responsible disclosure program with rewards for white-hat hackers who find and report security issues.

But moderate security is grading on a curve that rewards the average. If you’re looking for vendors who strive to do better, then you should look for companies who do the above but who also offer advanced security options like:

  1. Data transparency: audit trails showing changes to and access of data, by whom and from where, including if your vendor’s employees access the data for any reason.
  2. Application-layer encryption: data is encrypted before it goes to the data store and it’s done with per-customer keys. Hallmarks of this include companies offering bring your own key, customer managed keys, customer held key offerings or end-to-end encryption options.

If you’d like to be a little more scientific in your scoring, there’s a freely available Google spreadsheet checklist that will help you map security page claims into overall maturity scores.

In most cases, it takes less than ten minutes to score a company’s security based on their public information. The more buyers use security maturity as a factor in a purchase decision, the more vendors will improve their own security. In the end, only the market can drive better security into our ecosystem.

What’s hot on Infosecurity Magazine?