December 3, 2021

Last Updated on January 4, 2024

Top SaaS vendors are constantly raising the bar on cybersecurity, making it very difficult to achieve comparable security in an on-premises environment.

On a recent episode of The Virtual CISO Podcast, host John Verry and guest Mark Richman, Principal Product Manager at iManage, cover the current “state of the art” in SaaS cybersecurity and what differentiates the most secure SaaS vendors today.

Mark and John discussed four major ways that SaaS vendors can substantiate their claims of a robust security posture: third-party attestations, architecture audits, testing/exercises and offering tools and best practices to help customers ensure security from their side.

One: Achieving third-party attestations

As John notes, third-party validation of a SaaS vendor’s security posture is one of the best ways to know they’re secure—and one of the first things to look at in your due diligence.

Some of the key third-party attestations to ask SaaS vendors about include:

  • An ISO 27001 certification and/or a SOC 2 report for overall cybersecurity.
  • A CSA STAR certification (ideally at Level 2) for cloud service provider security specifically.
  • Adherence to the ISO 27017 “code of practice.” SaaS providers can potentially receive a “statement of compliance” for ISO 27017 from an assessment firm alongside an ISO 27001 certification.
  • Alignment with ISO 27018 for protecting personal data in public clouds. Like ISO 27017, ISO 27018 is “certifiable” only via a “statement of compliance” alongside an ISO 27001 certification.
  • An ISO 22301 certification for business continuity management.

Two: Getting architecture audits

Certifications and attestations against standards are extremely important in the SaaS realm. But it’s axiomatic that “compliance doesn’t equal security.”

Therefore, SaaS vendors ideally will go a step “beyond certifications” and have their architectures independently validated for security.

Mark explains: “Recently, we engaged a third-party to do an independent audit of our security and encryption architecture. Because we certainly believe that we have built something smart, forward-thinking and secure. But we wanted independent validation that we haven’t missed something obvious. And that came through very, very well.”

Three: Conducting regular testing and exercises

Attestations and audits do a great job confirming the presence of controls. But how well are those controls actually working together in real-world, real-time scenarios? This is where testing comes in.

“Cloud architectures are not really like fine wine… they don’t age well,” Mark jokes. “So, we really want to be thinking about our architecture and how we keep it up-to-date with modern norms and with the modern threats that are coming out. We’re certainly thinking about those things and designing things from a security-first posture.”

“But we also want to ensure that we’re testing all of this stuff ourselves, and that we are actually doing tabletop exercises for how we would deal with a potential threat problem—exercising all of our strategies around disaster recovery and things of that nature,” Mark adds. “It’s all about building smart architectures, validating that with a bunch of certifications and attestations, and then also practicing in real-time to ensure that the day when that threat does come, that you’re well-prepared to handle that in real-time.”

Four: Offering customers tools and best practices

As John emphasizes, giving customers clear guidance on what security tasks and controls they’re responsible for, and offering tools and/or services to help ensure they’re aligning with those best practices, is vitally important to overall SaaS security.

“Look for that cloud service provider to offer clear guidance on what your responsibilities are,” recommends John. “Ask that provider if they offer any additional capabilities, like CMEK [customer-managed encryption keys] or threat management, to provide ‘the suspenders to our belt’ for the controls that you’re responsible for.”

“If we get that all right, I would personally say that the cloud is far more secure than the average on-prem application that I’ve seen,” John observes.

“Cloud vendors like iManage and hopefully others as well are making the investments to ensure that something like a SolarWinds attack or a ransomware attack fundamentally couldn’t happen with our architecture,” relates Mark.

What’s Next?

Want to update your view of SaaS security for vendor comparison or due diligence? Listen to the show with Mark Richman from iManage end-to-end on The Virtual CISO Podcast.

Looking for more info on top SaaS security certifications to look for? Here’s a post on that topic: https://pivotpointsecurity.com/blog/what-cybersecurity-attestations-should-you-look-for-in-a-saas-provider/
