Throughout the last years we have seen a truly accelerated switch to digital workspaces, facilitated by increased SaaS adoption, new business models, and new processes. But, this new model of work environment is also bringing numerous SaaS security and data privacy compliance challenges for ITs. What are the best approaches for coping with them then?
Compliance generally means following two types of rules - government laws and regulations, on one end, and standards, on the other. Government legislation is obviously something companies must comply with, but they can choose the extent to which they can comply. As concerns standards - companies can choose both which ones to comply with, and to what extent. The standards can be mandated by industry or by a company. For example, if you are a SaaS processing credit cards, PCI DSS is a standard that the payment card brands require you to follow.
Among the most well-known SaaS security standards is the Cloud Security Alliance, which establishes the best security practices for cloud apps. Their STAR registry program gives insight into the level of data protection offered by the SaaS and is pretty much valued by customers, partners and investors. The members of this program may choose to get certified based on self-assessment of their data protection, based on independent audits performed, or based on recurring compliance reviews every 30 days.
On one hand, the lack of compliance for SaaS will incur fines by the government and by the related industry organizations.
On the other, compliance is important to create trust in customers, partners, resellers, investors, etc. It keeps all those parties confident that the SaaS company abides by the major security rules and regulations, minimizes risks and is in general a reliable and stable organization to interact with.
The SaaS security and data privacy compliance process includes the following steps:
Here you should get a clear picture on why security and privacy compliance is actually needed, what is the business issue behind this need. Then, the security and privacy stakeholders should be listed, together with their requirements. After any interfaces and dependencies contributing to the security and compliance issues have been identified, the scope of the data security and compliance project can be defined.
In this step the top management should outline their vision on how security and privacy compliance should be taken care of, without seriously affecting the employee productivity, and ensure they all agree with it. The vision should then get documented and roles and responsibilities assigned for its execution.
In this step you need to describe in detail all activities related to executing the security and privacy compliance vision. These are activities related to identifying, analyzing, and planning the addressing of risks, as well as activities involving the assessment of opportunities and obligations. Create the respective processes for these activities and set goals.
Outline all human resources and skills you need, technologies to be used and communication channels you will need to support you in executing the security and compliance vision. Make sure you also have a document management process established.
Here you can proceed with implementing the plan you created earlier, following the processes set up. Make sure that your implementation also takes into account the possibility for security and compliance changes.
Evaluate how successful your implementation plan is. Set metrics, create reports, set up regular reviews on the results, including by top management.
No plan can be perfect from the beginning. Hence, after you’re evaluated the results and identified areas for improvement, apply changes to your security and compliance plan, as needed. Keep updating and improving your plan on a regular basis.
After you have set up your SaaS security and data privacy compliance process, you should focus on several important areas:
To get a response to the above question, you need to take into account the following: whether you are selling SaaS, whether you are using SaaS, whether you are offering products or services for the education or you are an educational institution, and whether you operate in the EU/UK/USA. Depending on the responses to these you can identify the set of standards and legislation you may need to consider.
As pointed out above - laws and regulations you need to comply with, and standards you may choose to comply with. With both, you can decide on the extent to which you will be complying, depending on your company maturity, business goals, budgets, etc.
Have in mind that the biggest cost in data security and privacy compliance is the auditing process. There are licensed auditors you need to hire to prove compliance with specific standards. In the auditing process, which takes quite a lot of time to complete, the auditor will check what you claim you are doing for security and privacy, based on your documented processes. He will then compare this against the requirements of the standard, and also check that you can actually perform those security and privacy processes. Compliance certifications received based on external audit require significant time and infrastructure, but would generally be considered more significant by customers, partners, etc.
When you are aware of the risks and obligations regarding SaaS security and data privacy, you can create your SaaS governance program to manage those risks. This program would basically include best practices to ensure you are meeting your goals at any given time.
The documentation should cover ensuring device and network security, ensuring customer data security, information access processes, how to proceed in case of data breach, backing up information, disaster recovery, etc.
Nowadays, organizations are using hundreds of SaaS tools for everyday operations, and they need to secure and manage all of them. But every tool manages files and folders, users and groups, mailboxes and lots of other information, which interact with each other, as well as with other tools. There is data and information everywhere in the SaaS apps, which makes SaaS security and privacy compliance quite a challenge. And as the organization grows, so does the SaaS usage. With a big part of SaaS usage being completely unauthorized, ITs are losing visibility on the SaaS stack, and they can’t manage what they cannot see. Proving compliance based on audit, then, becomes difficult and expensive.
By using SaaSOps platforms like Oveo, however, companies can efficiently discover and manage their SaaS stack. They can also secure the access to corporate resources and automate the security and privacy policies. This is tons of time saved from manual actions required to ensure compliance.
Access control is essential to ensure a granular security policy which is quite significant for compliance.
Automated alerts which notify you when someone completes an inappropriate action in the SaaS environment help to reach out to the users in case of risky behavior, educate them and eventually avoid such behavior in the future.
There are many regulations like the GDPR for example, which require to take action against eventual sensitive data leakage. The automated scanning function offered by SaaSOps tools allows to detect if there is any sensitive data exposed for external access like personally identifiable information, financial info, etc. This function, then, enables you to automatically take action upon detection, like disabling a public sharing link, changing the owner of files with sensitive information, etc.
Compliance means, on one end, having all data security processes documented, and on the other, strictly following those processes. Hence, when the processes you documented include restrictions on corporate file sharing only within the organization, for example, then you need to prove you are taking measures to abide by those restrictions. Thus, when somebody shares a corporate document outside the organization, you need to be notified and take respective action to reduce the risk, like changing the access permission.
Every now and then there is a new SaaS emerging on the market, and the employees, eager to keep improving their productivity, are very likely to be onboarding new apps, without the approval or even awareness of the ITs.
Thanks to SaaSOps tools, new apps can be easily discovered. Then, ITs can review how exactly they are working with the data - the apps may simply read data, or they can modify or delete it. Reading data is fine, but anything beyond that needs to be examined and controlled, to avoid risk.
Companies in specific industries or falling under specific regulations may be required to disclose information on data breach incidents, along with the scope of the damage and other information, within the shortest terms. They are also required to have a process for tracing and managing security breaches.
SaaSOps may also help with that, by launching an automated workflow with specific activities as soon as a data breach has been identified.
Functions related to user lifecycle management can also support the compliance. For example, SaaSOps systems are taking care of the successful employee SaaS offboarding, making sure that no security breaches can occur due to unauthorized SaaS access from ex-employees. They can also trigger automated workflows for leaving employees, ensuring their data is successfully transferred and email forwarded for the next 90 days, thus meeting the requirement for compliance within the past 90 days.
Many compliance policies require that a log is kept of changes on documents, like financial documents for example. The log should show who did the change, when, and what was changed. Logs are also keeping information on third-party integrations as well. In general, they are quite useful to IT, in order to secure the environment and ensure compliance.
The above compliance-supporting functions make a SaaS systems management platform an important asset for any organization. It will ensure that the organization has SaaS visibility, that data privacy and security issues are minimized and compliance audits would be successfully passed.
Learn more about how Oveo SaaS systems management platform can help ITs with SaaS security and privacy compliance - request a personalized demo!