My company's marketing department wants to use a cloud collaboration app, and the security team is reviewing the app for approval. What's the first thing we should look for in terms of the app's enterprise security features?
The first thing you need to know is whether this cloud collaboration app is delivered as platform as a service (PaaS) or software as a service (SaaS), and whether it runs in a public, private or hybrid deployment model. As a rule of thumb, more of the responsibility for security shifts to the provider the closer you get to the SaaS model, but you remain responsible for your data, your users' access and how the service is configured. Let's assume you're reviewing a SaaS app, since that's the most common case when business units purchase software.
Many things need to be reviewed before any application moves to the cloud. To start, search the Cloud Security Alliance's Security, Trust & Assurance Registry (CSA STAR) for the cloud collaboration app in question. It may already have been reviewed by a third party, and that review can help your company make its own judgment call on the app's security. If the cloud collaboration tool isn't in the CSA STAR, send the provider a copy of the CSA's Consensus Assessments Initiative Questionnaire (CAIQ). This document walks you through the questions to ask a cloud provider about how it does security and will help refine your due diligence process for cloud provider security audits.
Even if an organization doesn't use the CSA documentation, there are things it should consider about a cloud collaboration app. These include:
- How will users authenticate to this application? Can it use an identity your organization already manages, for example by federating with your existing directory through something like Active Directory Federation Services, rather than a separate set of credentials held by the provider? Check that accounts can be disabled promptly when someone leaves.
- What type of data will the cloud service provider store? Will your organization need to discuss compliance-related concerns (regulated or personal data, for instance) with auditors?
- If sensitive information is involved, is it encrypted in transit, while being processed and at rest, and who holds the keys?
- How is incident response handled with the provider? Can you work with the provider to define how incidents are detected, who is notified and within what time frame?
- Can you obtain the provider's SSAE 16 audit report and review it for any concerns, including which controls and systems it leaves out of scope?
- Since it's a SaaS app, dig into the provider's web application vulnerability management and software development lifecycle processes: how it tests for web vulnerabilities and how quickly it remediates them.
- Will this be a private or public cloud offering? If it's SaaS, it's most likely public and multi-tenant, meaning your data sits on infrastructure shared with other customers. Is your organization okay with this?
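The encryption-in-transit question above is one a security team can verify directly against the provider's public endpoint instead of relying on the questionnaire answer. The following is an added example, not code from the original column or from any provider; it uses only the Python standard library. The policy thresholds (TLS 1.2 as the minimum protocol, the list of weak-cipher markers, a one-year HSTS max-age), the probe and evaluate_transport function names and the sample HTTP response are assumptions made for this example and should be adjusted to your own policy.

```python
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

# Policy thresholds: assumptions for this example, not figures from the article.
ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ANON")
MIN_HSTS_MAX_AGE = 31536000  # one year, in seconds


@dataclass
class TransportFindings:
    protocol: str
    cipher: str
    hsts: Optional[str]
    issues: List[str] = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        return not self.issues


def parse_hsts(raw_response: str) -> Optional[str]:
    """Return the Strict-Transport-Security header value from an HTTP response, or None."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def hsts_max_age(hsts: str) -> Optional[int]:
    """Extract max-age from an HSTS header value; None if absent or malformed."""
    for directive in hsts.split(";"):
        key, sep, value = directive.strip().partition("=")
        if sep and key.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def evaluate_transport(protocol: str, cipher: str, hsts: Optional[str]) -> TransportFindings:
    """Apply the policy above to an observed (protocol, cipher suite, HSTS header) triple."""
    findings = TransportFindings(protocol, cipher, hsts)
    if protocol not in ACCEPTED_PROTOCOLS:
        findings.issues.append(f"negotiated {protocol}; policy requires TLS 1.2 or newer")
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.issues.append(f"weak cipher suite negotiated: {cipher}")
    if hsts is None:
        findings.issues.append("no Strict-Transport-Security header; browsers can be downgraded to plaintext")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.issues.append(f"HSTS max-age {age} is below the one-year minimum")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TransportFindings:
    """Live check against a provider host. Needs network access, so the offline test does not call it."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname; raises on failure
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            protocol = tls.version() or "unknown"
            negotiated = tls.cipher()
            cipher = negotiated[0] if negotiated else "unknown"
            tls.sendall(request)
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    raw = b"".join(chunks).decode("latin-1")
    return evaluate_transport(protocol, cipher, parse_hsts(raw))


# Constructed sample response for offline use; not captured from any real provider.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])
    else:
        result = evaluate_transport("TLSv1.3", "TLS_AES_256_GCM_SHA384", parse_hsts(SAMPLE_RESPONSE))
    print("acceptable" if result.acceptable else "\n".join(result.issues))
```

Run it with the provider's hostname to probe the live endpoint, or with no argument to exercise the policy against the constructed sample. Because ssl.create_default_context() verifies the certificate chain and hostname, a connection failure at that step is itself a finding worth raising with the provider. Keep in mind that this only checks the front door: encryption between the provider's internal tiers and at rest can only be confirmed through the audit report or the questionnaire.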
There are many other areas to review, but understanding the sensitivity of the data you're handing to the cloud provider and the controls it has in place will help you avoid unwanted incidents with the cloud collaboration app.
Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)