Friday, October 9, 2015

Moving to SaaS? How to quickly assess the vendor?

So a Cloud vendor managed to pitch your boss on switching to their SaaS application, and your boss has asked you to quickly check out the vendor.

You don't know anything about the vendor, nor how the SaaS application works. How do you quickly assess something that you don't know? You certainly don't want to be blamed if you miss something. You start entering panic mode... Time to call up your senior cum mentor, the Information Security chap.

You: Yo bro! What's up? How's life?

Information Security chap: Hey dude. Long time no see. I'm good! And you? What have you been up to lately?

You: Not too bad, not too bad. I've been busy with all this cloud and SaaS thingy... Talking about that, I need to quickly check out a SaaS vendor. Any tips?

Information Security chap: How quick? You know "quick" in infosec usually translates to "same as do anything", right?

You: Quick as in, like, 2 days tops? Boss is pushing me left, right and center. Any tips?

Information Security chap: Hahaha... that's life, man. Well, you know that you can't assess them in 2 days, right? And you can't depend on what they say on their websites, as most of it is just a marketing pitch. What you can do is ask them to provide you with any third-party independent assurance report.

You: Independent assurance report? Like ISO27001 certification?

Information Security chap: Having ISO27001 certification is good, but not good enough. Ask them if they have undergone a SOC 2 or SSAE16 audit. There is usually SOC 2 Type 1 and Type 2. If they have done SOC 2 Type 2, even better. Ask for a copy of the report and see if there are major issues raised.

You: Why is Type 2 better?

Information Security chap: For Type 1, the effectiveness of controls is assessed only once, at a single point in time during the assessment. For Type 2, control effectiveness is assessed over a period of time, so it provides much better assurance of control effectiveness.

You: I see... I will Google for more info about this SOC stuff. Thanks, bro! Coffee on me next time we catch up!

Information Security chap: You're welcome, man! Good luck! Ciao!

You: Ciao!