Determining SaaS Risk – a Consultant’s Cheat Sheet

By ISBuzz Team
Writer, Information Security Buzz | Sep 01, 2013 11:11 pm PST

Over the last few years CSOs have come to the realization that they have a tsunami of SaaS apps to manage, and they are recognizing that the cloud poses unique security requirements that do not map cleanly from the ‘on-premises’ software world.  Many of our clients here at Identropy are asking for our assistance in getting their arms around how to manage this new set of risks while still empowering their business users.

Assuming you’re in the same situation as many of our customers, this one’s for you!  Based on our efforts in the field, we’ve identified four major categories for SaaS risk. While this list is by no means definitive, we have built it into our consulting model, and are sharing it in hopes it can help anyone tasked with SaaS security to start putting together a framework for your own SaaS security strategy.

1. Usage Risk

Usage Risk refers to the risk your organization is incurring based on how you are utilizing a specific SaaS app.  One very effective way to get your brain around this is to ask yourself these questions:

Is your organization using this cloud app for a critical business function?
Does this app store sensitive data?

If you answered no to both of these, this specific app can immediately go on the ‘low risk’ list.  For example, if an app is being used to manage get-togethers for employees with pets, and it stores pictures of kittens playing with yarn…move on to the next app.

2. Data Security Risk

Once you understand how your organization is using the SaaS app, you can move on to data security risk.  While Usage Risk focuses on how your organization is using the app, Data Security Risk focuses on how the service provider is handling your data.

Here are some pertinent questions in this risk area:  How is the SaaS provider handling your data?  Is it encrypted in transit? At rest? Are there app controls in place that determine how your data is stored and who can view it?  (For a more comprehensive list of questions, download this 50-point security checklist for SaaS apps.)

3. SaaS Provider Operational Risk

SaaS Provider Operational Risk addresses how your provider manages their general day-to-day operations.  Although you could think of Data Security Risk as a subset of this risk area (since there is an operational aspect to data security), we call it out specifically due to its importance.

Here are a few questions related to SaaS Provider Operational Risk: What’s the uptime SLA guaranteed by the provider? Is there 24×7 support? Have they been through a SOC 2 audit? What other compliance certifications has the provider obtained?  What is their Disaster Recovery strategy?

4. SaaS Provider Application Risk

Application Risk is the inherent risk created by how the app was developed.  For example, how does the app handle authentication and authorization? What access provisioning standards does it support?  How are identities imported/exported into the app’s data store?

Another perspective on Application Risk is the risk generated by the Service Provider’s development lifecycle.  What development practices does the provider use to address configuration management vulnerabilities? Authentication vulnerabilities? Session management vulnerabilities?   These are just a sampling of the questions you need to ask yourself to determine your SaaS Provider’s application risk.  Again, we encourage you to check out the checklist mentioned above for a more comprehensive set of assessment criteria (a.k.a. questions for your SaaS Provider).
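The four categories above are easy to encode as a repeatable assessment that can be run over an app inventory. The script below is an added example, not code from the article or from Identropy: it models each category’s questions as yes/no answers, applies the Usage Risk shortcut (two ‘no’ answers put the app on the low-risk list and end the assessment), and then counts unmet controls in the remaining three categories. The field names, the 99.9% SLA floor, the finding thresholds that map to LOW/MEDIUM/HIGH, and the sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed thresholds (assumption): number of unmet controls -> rating.
MEDIUM_THRESHOLD = 1
HIGH_THRESHOLD = 4
MIN_SLA_PCT = 99.9   # assumption: an SLA below this (or none) is recorded as a finding


@dataclass
class SaaSApp:
    """Yes/no answers to the cheat sheet's questions for one app.
    Field names are our own shorthand for the article's questions."""
    name: str
    # 1. Usage Risk
    critical_business_function: bool
    stores_sensitive_data: bool
    # 2. Data Security Risk
    encrypted_in_transit: bool = False
    encrypted_at_rest: bool = False
    data_access_controls: bool = False
    # 3. Provider Operational Risk
    uptime_sla_pct: Optional[float] = None   # e.g. 99.95; None = no SLA offered
    support_24x7: bool = False
    soc2_audited: bool = False
    dr_strategy_documented: bool = False
    # 4. Provider Application Risk
    federated_auth: bool = False          # authn/authz delegated to your identity provider
    provisioning_standard: bool = False   # supports an access-provisioning standard
    secure_sdlc: bool = False             # provider addresses config/auth/session vulns in development


@dataclass
class Assessment:
    name: str
    rating: str                     # "LOW", "MEDIUM" or "HIGH"
    triaged_out: bool               # True when Usage Risk alone put it on the low-risk list
    findings: dict = field(default_factory=dict)   # category -> list of unmet controls


def _unmet(app: SaaSApp) -> dict:
    """Walk categories 2-4 and collect every question answered 'no'."""
    checks = {
        "Data Security Risk": [
            ("data not encrypted in transit", app.encrypted_in_transit),
            ("data not encrypted at rest", app.encrypted_at_rest),
            ("no controls over data storage/visibility", app.data_access_controls),
        ],
        "Provider Operational Risk": [
            (f"uptime SLA below {MIN_SLA_PCT}% or absent",
             app.uptime_sla_pct is not None and app.uptime_sla_pct >= MIN_SLA_PCT),
            ("no 24x7 support", app.support_24x7),
            ("no SOC 2 audit", app.soc2_audited),
            ("no disaster recovery strategy", app.dr_strategy_documented),
        ],
        "Provider Application Risk": [
            ("authentication not federated to our identity provider", app.federated_auth),
            ("no supported access-provisioning standard", app.provisioning_standard),
            ("no evidence of secure development practices", app.secure_sdlc),
        ],
    }
    return {cat: [msg for msg, ok in items if not ok]
            for cat, items in checks.items()
            if any(not ok for _, ok in items)}


def assess(app: SaaSApp) -> Assessment:
    # Step 1: Usage Risk. Two 'no' answers end the assessment early.
    if not app.critical_business_function and not app.stores_sensitive_data:
        return Assessment(app.name, "LOW", triaged_out=True)
    findings = _unmet(app)
    total = sum(len(v) for v in findings.values())
    if total >= HIGH_THRESHOLD:
        rating = "HIGH"
    elif total >= MEDIUM_THRESHOLD:
        rating = "MEDIUM"
    else:
        rating = "LOW"
    return Assessment(app.name, rating, triaged_out=False, findings=findings)


def rank_inventory(apps):
    """Order assessments HIGH first so stakeholders see the worst apps at the top."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted((assess(a) for a in apps), key=lambda r: (order[r.rating], r.name))


# Constructed sample inventory (not real apps or real provider answers).
INVENTORY = [
    SaaSApp("pet-meetups", critical_business_function=False, stores_sensitive_data=False),
    SaaSApp("crm", True, True, encrypted_in_transit=True, encrypted_at_rest=True,
            data_access_controls=True, uptime_sla_pct=99.95, support_24x7=True,
            soc2_audited=True, dr_strategy_documented=True, federated_auth=True,
            provisioning_standard=True, secure_sdlc=True),
    SaaSApp("file-share", critical_business_function=False, stores_sensitive_data=True,
            encrypted_in_transit=True, uptime_sla_pct=99.0, federated_auth=True),
]

if __name__ == "__main__":
    for r in rank_inventory(INVENTORY):
        note = "(triaged out at Usage Risk)" if r.triaged_out else ""
        print(f"{r.name:12s} {r.rating:6s} {note}")
        for cat, items in r.findings.items():
            print(f"  {cat}: {'; '.join(items)}")
```

The kitten-picture app never reaches categories 2 to 4, which is the point of the Usage Risk shortcut; the file-share app, which is not business-critical but does hold sensitive data, still gets the full questionnaire and ends up rated HIGH because most of its provider controls are unanswered. The findings list is what you would take to the provider as your assessment criteria.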

Some Weekend Reading Material…

Other researchers and security practitioners have taken different approaches to SaaS risk assessment.

For example, Grant Thornton published the findings of a survey entitled Issues and trends: Assessing and managing SaaS risk, in which they focus on SaaS risk as viewed by the service provider.  In their framework, they focus on three risk types: Financial, Operational and Compliance risk.

On the other end of the spectrum, the government’s FedRAMP program provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.  It is extremely thorough (and perhaps overkill) for your organization’s needs, but is a great source of ideas regarding a SaaS security framework that will work for your organization.

The good news is that there is a wealth of reference material out there that can help security professionals with risk assessments.  The bad news is that there is so much reference material out there that it can be overwhelming and difficult to know which reference models are best suited to the needs of your organization.

That’s why we’re big fans of keeping it simple.  Starting with a basic four-step assessment makes it much easier to communicate your thought process to other stakeholders. You can always add appropriate questions under each category as needed, and even ask others for their input, which might end up resulting in a much clearer risk profile.  SaaS is here to stay, and for good reason.  We have found that more often than not, the benefits of SaaS outweigh the risks.  With that being the case, however you decide to approach SaaS application risk assessments is up to you – just make sure you do!

About the Author:

Ash Motiwala | @Ashmotiwala | COO/CTO at Identropy
