SaaS is not only creating a revolution in the cloud service model, but it is also bringing up new security requirements and challenges. As the most dominant service delivery model today, it has the most critical need for security practices and oversight.
SaaS security has stirred up quite a bit of debate in the software-as-a-service circle. All debates revolve around the same question: Who is responsible for security? The supplier or the customer? Well, the recent SaaS security survey report answers this question. Fifty-two percent of respondents believe that SaaS providers are responsible for checking and maintaining cloud security.
The survey aside, just like on-premises solutions, businesses will need to research their SaaS service provider’s policies on data security and compliance before signing up for their applications. This blog covers some common SaaS security challenges and proposed solutions to protect mission-critical business applications in the cloud.
Privacy advocates, like information security (infosec) analysts and IT departments, raise many concerns about SaaS purchasing and usage, and these concerns typically revolve around cybersecurity and privacy. Listed below are seven perceived security risks to discuss with a SaaS vendor during the evaluation stage.
Access management is critical for every SaaS application due to the presence of sensitive data. SaaS customers need to know whether the single point of access into the public cloud can expose confidential information. It is also worthwhile to ask questions about the design of access control systems and identify whether there are any chances for network security issues, like deficient patching and lack of monitoring.
Most SaaS products add more layers of complexity into their system, thus increasing the chances for misconfigurations to arise. Even small configuration mistakes can affect the availability of the cloud infrastructure.
One of the most well-known misconfiguration mistakes occurred in February 2008 when Pakistan Telecom tried to block YouTube within Pakistan due to some supposedly blasphemous videos. Their attempt to create a dummy route for YouTube made the platform globally unavailable for two hours.
When you are ensuring that your suppliers have strong endpoint security measures in place, ask these questions:
Before you purchase new software, it is important to check where all the data is stored. SaaS users can ask the following questions to cross-check data storage policies:
You need to check how long the SaaS environment retains the sensitive information you enter into the system. It is recommended to check who owns the data available in the cloud: the SaaS provider or the user? What is the cloud data retention policy, who enforces it, and are there any exceptions to this?
Disasters can happen out of the blue and have the capacity to shake the foundations of your business. You need to ask these questions to get yourself ready to face any impending disasters.
What happens to the cloud application and all your data stored in it during a natural disaster? Does the force majeure clause in your master service agreement come into play? Does your service provider promise a complete restoration? If yes, check how long that will take and its procedures.
Security and data breaches are a threat that organizations face every day. Ask these questions to learn how well your supplier can mitigate and recover from privacy and data breaches.
What measures does your cloud application provider have in place to prevent security breaches? Is their security team equipped to handle a direct ransomware or malware attack?
If a breach occurs, how does your supplier identify it? Do they have the capacity to investigate illegal activity or intrusions? Can your contract enforce liability on the other party if the breach is caused by the negligence of your service provider's security operations?
To address the security issues listed above, SaaS buyers should enhance their existing security practices and develop new ones as the SaaS environment evolves.
The presence of firewalls and other security tools can do only so much; there is a lot more left in the hands of the SaaS users, especially end users. There is a dire need for changes in the SaaS users' security practices, and the seven steps listed below can help.
Effective risk assessment includes everything from identifying the right technology assets and data to recognizing where the data is stored and how it links with business processes and other internal applications. Conduct security audits regularly and address any security risks you identify.
If one application in your SaaS stack exposes you to cyber risk, then all other applications connected to it will fall like a stack of dominoes. That’s precisely why you need to assess the risk of every SaaS application that you use. You need to check everything from an application's risk configuration to its compliance with recognized security standards, and monitor access credentials for any unusual behavior.
You will need to organize and launch security awareness campaigns for users in your organization to prevent security mishaps. If end users are not provided with the proper awareness about security mishaps in the cloud, they may become the point of entry for security threats and act as a risk magnet.
The absence of a formal security awareness program for all users of a SaaS application can result in an instance where your data is exposed to a ton of security risks, like social engineering attacks, phishing scams, inadvertent leaks of confidential data, and more.
As opposed to waiting for SaaS providers to offer security training sessions, your organization should take charge of end-user training in cloud security. Your internal security team must provide baseline training for everyone before they start using the application. This fundamental security training should cover everything from data privacy measures to cybersecurity attacks.
Having a solid SaaS security checklist will help you determine whether or not your cloud service provider can be trusted. It inserts a security checkpoint in the SaaS buying process, helping you to assess your company's security needs and identify whether the supplier can fulfill expectations properly. This checkpoint prevents any future surprises as you review cloud service providers thoroughly before using the system itself.
Today, there are many resources available to help SaaS users create information security policies and guidelines. Even if you do not have a dedicated cloud security team in place, you need to develop basic policies and supporting standards to guide your users when they use a SaaS application.
Rather than taking a one-and-done approach to policies and standards, business units need to keep revising and updating their policies so that they don't become redundant or outdated.
Third-party risk management is a crucial element of your security plan. If people are given a free pass to connect to any tool of their choice through APIs, then it will result in a security nightmare.
There should be processes in place to regulate API connections with SaaS products. Additionally, it is better to offer such API access and connection permissions to a selected few who know how to perform necessary due diligence on third-party suppliers before connecting to them.
Here is where you can deploy cloud access security brokers (CASBs). CASBs can help you spot unauthorized SaaS products that are being used across your organization. You can use this data to review those applications and decide whether you want to keep using them or look for a better alternative. According to Gartner, CASBs can act as a single control point to set policy, monitor behavior, and manage risk across your SaaS stack regardless of users or devices.
Identity and access management (IAM) covers aspects like authentication, authorization, and auditing. Authentication has long passed beyond traditional password-only authentication, and now it must include steps like enabling multi-factor authentication. Multi-factor authentication requires users to submit at least two pieces of evidence that verify their identity.
If users find multi-factor authentication too cumbersome, organizations can enable single sign-on. Single sign-on lets users authenticate to multiple applications with a single set of credentials. Once the user is verified, they need to be authorized with specific privileges and permissions to perform operations in the system. Auditing is the process of reviewing authentication and authorization records to determine whether the IAM functionality is up to the mark or not.
A disaster recovery plan is a subset of the business continuity plan, a must-have tool in every organization's arsenal. It involves creating processes, policies, and procedures that will prepare an organization to recover the usage of its tech infrastructure in the event of a natural or human-induced disaster.
As the SaaS stack promises to be ever-growing, businesses need to take a special interest in their security measures to prevent expensive infosec blunders. You can have awesome SaaS security checklists, impressive risk assessment processes, and enlightened end users. Still, if you fail to adapt to the ever-changing security landscapes, all your hard work will go down the drain.
Stay on top of your SaaS security game by signing up for Vendr today. See how easy it is to manage and ensure the security of your SaaS stack.
In this guide, we’ll share best practices for building a realistic and usable SaaS security stack that’s focused on how modern organizations conduct business.
The average SMB uses more than 100 SaaS products, often leading to SaaS chaos and security exposure.
While SaaS can help you do your job more efficiently, it can also introduce security concerns if not properly locked down.
We focus on SMBs as very small businesses may not be ready or need to implement some of these access controls. On the other end of the spectrum, enterprises will find many of these recommendations appropriate but may need to take things a few steps further to fully mitigate risk.
Additionally, it’s worth noting that this guide is focused on organizations that use G Suite. It won’t be as relevant if you operate in Office 365. It’s also focused more on the security of SaaS operations (versus securing your core network or production servers).
SaaS security is all about establishing safe and secure practices for your SaaS applications. This involves securing user and organization data as well as any customer data located in the applications.
Since most SaaS environments live in the public cloud (versus on-premises), they are subject to more potential data security risks and data breaches, making SaaS security a priority for all organizations.
When it comes to security, your people can be your best line of defense or your weakest link.
It’s best practice to build your security requirements and procedures around your team, such as taking the time to understand what’s intuitive and user-friendly and thus most likely to be followed.
Generally speaking, we believe that you should rely more on systems, guardrails, and tools over user actions and training. In other words, take human error out of the equation whenever possible and make security a shared responsibility.
Many organizations tackle security on an as-it-comes basis. This is dangerous, as it often means you aren’t thinking about security until something bad happens. Ad hoc and absent security policies alike can open you up to a whole world of vulnerabilities.
On the other side of the spectrum, some organizations employ arcane security practices (like forcing users to change their passwords at regular intervals for no real reason) that are not user-friendly and are often skirted by employees.
The spectrum of software as a service security and access helps you understand where your organization falls today.
As you can see above, most organizations start off with no policies or systems. In this situation, the onus is on each employee to manage their own security and potential security breaches, which means they will typically re-use passwords, share them via insecure spreadsheets, or create other systems that work for them — but not for the company.
The best case is to use a single access point to unlock access to company applications and to create an easy centralized point to enforce human-friendly security policies.
The rest of this guide helps get you from wherever you may be on the spectrum to a blissful state of secure SaaS usage.
If you are using G Suite for your business, you already have quite a few security tools and configuration options at your disposal.
However, these are no good to you unless they are thoughtfully implemented and automatically enforced — recalling our concept of people-first security.
Here are the areas you should be looking at securing when it comes to your G Suite applications.
The single best thing you can do to improve your organization’s cloud security is to turn on and enforce multi-factor authentication (MFA), especially on your primary email and collaboration platform. This greatly reduces the harm that an attacker can do with stolen credentials.
While this may seem like a no-brainer, data shows that the average company has only 37% of its employees using multi-factor authentication on their main G Suite account.
This number gets even worse for smaller and early-stage companies, where just 22% of employees at companies with less than 50 people have multi-factor authentication enabled.
Another benefit of implementing strong Google-based authentication is that many SaaS providers and products are increasingly supporting Google Single Sign-on, which means that if you enforce MFA for Google, you’ll automatically get those benefits for all apps that use Google SSO.
The Chrome administrator for your organization can set up policies that dictate how employees use their Google accounts on Chrome devices, Android devices, and the Chrome browser.
Since these policies are implemented at the account level, they will apply no matter what device the user signs in from. (However, do note that the policies won’t apply to users who sign in as guests or use a Google account from outside the organization.)
Because these settings can be applied across several devices and the Chrome browser, they are a good way to enforce cybersecurity without a ton of extra effort from your users or your IT team.
To implement these settings, you’ll first need to turn on Chrome management. Then you can set up user policies, which can be divided up by team to help you apply certain policies to specific groups of users. Policies can include enrollment controls, apps and extensions allowed or required, Chrome web store permissions, Android applications, and a wide range of other security measures. View the complete list here.
G Suite Team Drives are shared spaces for teams to store and access their files. This feature is included in the Business and Enterprise versions of G Suite. Files in Team Drives belong to the entire team rather than individuals.
This makes life easier if someone leaves your team because there is no need to transfer document ownership or reset permissions. The files stay put regardless of any individual’s status, so employees can get work done without interruption. Team Drives is available on several tiers of G Suite, and you can learn more about it here.
There is also a security benefit to using Team Drives. When you add new members, you can decide whether you want to give them full access to upload, edit, and delete files or whether you want to restrict them to certain activities at the user level.
It’s easy to add members, set and change member permissions, and remove members as needed.
You can’t say your organization is secure unless you know what SaaS solutions everyone in the organization is using and can say that they are employing security best practices.
With SaaS security monitoring, you can access an always up-to-date list of the SaaS vendors, cloud applications, and subscriptions in use across your company, including “shadow” and unsanctioned applications.
You can view full adoption trends for your whole organization, including details by department and products. SaaS security monitoring allows you to easily audit what permissions users in your organization are giving to which applications and get updates on all new additions or misconfigurations.
This is a crucial layer of security for your SaaS stack. The ability to manage employee access to your required SaaS apps by department, and to consolidate licenses, will give you unprecedented visibility into your SaaS stack.
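As an added example (not Vendr's or Google's code) of measuring the two things described above, MFA coverage on the primary Google account and which apps users have authorized with what permissions, here is a Python check over constructed sample records. The field names (primaryEmail, isEnrolledIn2Sv, isEnforcedIn2Sv, clientId, displayText, scopes, userKey) are assumed to match the Admin SDK Directory API users.list and users.tokens.list responses, and the sanctioned-app list and the set of scopes treated as high risk are our own assumptions.

```python
"""Workspace posture check over Directory API style exports.

The sample records below are constructed for this example. Their field
names follow the Google Admin SDK Directory API users.list and
users.tokens.list resources as we understand them (an assumption); swap
in a real export to use the same checks on your own tenant.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Real Google OAuth scope strings; treating them as high risk is our call,
# since each grants broad read or write access to mail, files or accounts.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Constructed users.list sample: is the user enrolled in 2-Step Verification,
# and is enforcement switched on for their organizational unit?
USERS = [
    {"primaryEmail": "ana@example.com", "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
    {"primaryEmail": "ben@example.com", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "cy@example.com", "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "dee@example.com", "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
]

# Constructed users.tokens.list sample: which third-party apps each user has
# authorized via Google sign-in, and with which scopes.
TOKENS = [
    {"userKey": "ana@example.com", "clientId": "ticketing-app.example",
     "displayText": "Ticketing App",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "ben@example.com", "clientId": "mail-merge.example",
     "displayText": "Mail Merge Pro",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
    {"userKey": "cy@example.com", "clientId": "ticketing-app.example",
     "displayText": "Ticketing App",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    {"userKey": "cy@example.com", "clientId": "calendar-sync.example",
     "displayText": "Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
]

# Apps the organization has reviewed and approved (hypothetical client ids).
SANCTIONED_CLIENT_IDS = {"ticketing-app.example"}


@dataclass
class PostureReport:
    mfa_coverage_pct: float
    users_without_2sv: list[str]
    users_not_enforced: list[str]
    unsanctioned_apps: dict[str, list[str]]          # clientId -> granting users
    risky_grants: list[tuple[str, str, list[str]]]   # (user, app, risky scopes)


def mfa_coverage(users: list[dict]) -> float:
    """Percentage of users enrolled in 2-Step Verification (0.0 for no users)."""
    if not users:
        return 0.0
    enrolled = sum(1 for u in users if u.get("isEnrolledIn2Sv"))
    return round(100.0 * enrolled / len(users), 1)


def build_report(users: list[dict], tokens: list[dict],
                 sanctioned: set[str]) -> PostureReport:
    """Combine the MFA view and the OAuth-grant view into one posture report."""
    without_2sv = [u["primaryEmail"] for u in users if not u.get("isEnrolledIn2Sv")]
    # Users who are not enrolled AND whose OU does not enforce 2SV are the
    # gap an admin can close directly by turning enforcement on.
    not_enforced = [u["primaryEmail"] for u in users
                    if not u.get("isEnrolledIn2Sv") and not u.get("isEnforcedIn2Sv")]

    unsanctioned: dict[str, list[str]] = defaultdict(list)
    risky: list[tuple[str, str, list[str]]] = []
    for t in tokens:
        if t["clientId"] not in sanctioned:
            unsanctioned[t["clientId"]].append(t["userKey"])
        # Keep the token's own scope order so the report matches the export.
        risky_scopes = [s for s in t.get("scopes", []) if s in HIGH_RISK_SCOPES]
        if risky_scopes:
            risky.append((t["userKey"], t["displayText"], risky_scopes))
    # Broadest grants first, so the most urgent reviews are at the top.
    risky.sort(key=lambda g: len(g[2]), reverse=True)

    return PostureReport(mfa_coverage(users), without_2sv, not_enforced,
                         dict(unsanctioned), risky)


if __name__ == "__main__":
    report = build_report(USERS, TOKENS, SANCTIONED_CLIENT_IDS)
    print(f"2SV coverage: {report.mfa_coverage_pct}%")
    print("Not enrolled:", report.users_without_2sv)
    print("Not enrolled and not enforced:", report.users_not_enforced)
    print("Unsanctioned apps:", report.unsanctioned_apps)
    for user, app, scopes in report.risky_grants:
        print(f"Review: {user} granted {app} {scopes}")
```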
Today’s IT world is centered on SaaS. This means it’s critical to enforce secure access to all of your SaaS applications. You can’t risk having ad hoc policies around how employees access SaaS applications, which unfortunately tends to be the status quo.
When companies don’t have policies (or have policies that are hard to comply with), employees tend to either store passwords in an unsecured file or reuse the same password across multiple applications.
A 2020 Verizon study found that 80% of confirmed data breaches leveraged weak, default, or stolen passwords. If you don’t want your organization to be the next victim, it’s time to tighten up your controls.
Unfortunately, your browser’s built-in password management feature isn’t secure enough. There have been several successful attacks against browser-based password storage, so we don’t recommend that you or your employees use these features. You can and probably should turn off the ability for people in your organization to use Chrome’s password manager, which you can do in the Chrome settings.
Our recommendation is to use TeamsID, which offers various password management security solutions for organizations large and small. In our view, the best feature of TeamsID is its ability to link to Google’s SSO. This means that employees don’t have to remember yet another password, and instead, you can enforce strong passwords and multi-factor authentication on G Suite, which will unlock your shared passwords in TeamsID.
Beyond that, TeamsID has all the key features you’ll need in a team password platform, including the ability to have “secret” passwords that can be filled in but not seen, browser extensions, native applications for many platforms, easy team management and sharing, and more.
We use TeamsID internally and have been very happy with it.
An excellent alternative is LastPass, which has many of the same features. However, it doesn’t have the Google SSO option. It also has some additional configuration challenges and is not quite as easy to use for team sharing. For example, the onboarding process requires you to set up a temporary password via email, which is not ideal. LastPass does, however, have a few additional workflows and security features (e.g., robust API access and SAML configuration) available to some of the enterprise tiers, which might be valuable depending on your business’s needs.
Either of these options is far better than simply letting your users reuse their passwords across several services, opening you up to credential attacks on a large scale.
As you build out your IT team and scale beyond 100-200 employees, start thinking about deploying a unified identity and access management (IAM) solution. This can both streamline the end user’s experience and protect the entire organization from security issues. IAM solutions work by authenticating a user once and then unlocking all apps for them (rather than users having to sign into each app individually).
IAM offerings are a bit like Google Single-Sign-On on steroids, offering many more configuration options and deeper integrations. For smaller organizations, this might be overkill, especially if you won’t be able to or need to leverage features like Active Directory sync (smaller, newer companies might not even have this) and SAML integration (typically only available on more expensive, enterprise-level SaaS pricing tiers). But if you are a larger or more advanced organization, it may very well be worth investing in IAM.
We recommend Okta for most organizations with more than 150 employees. Okta’s single sign-on product claims to make it 50% faster for users to sign in to applications, as well as reducing IT help desk requests by half. This makes life easier for the folks on your IT and operations teams while meeting “security efficacy” goals. Okta also has real-time security reporting built-in, so you can be alerted anytime something suspicious occurs, affording peace of mind.
In summary, these are our overall recommendations for boosting the security of your team’s SaaS operations.
For most businesses, here is what we recommend:
We hope these security guidelines will help your organization meet the goal of improving SaaS and cloud security by employing practices and standards that are both attainable and effective at protecting you against a variety of risks and threats to your sensitive data.
The best strategy is the one that can be implemented and maintained, so work to improve your security over time by implementing the best practices outlined in this guide.
Prepare for and ace your next SOC 2 audit with this guide.
SOC 2 compliance is an increasingly common framework and applies to many businesses today. Specifically, SOC 2 applies to any service provider that stores customer data in the cloud. It is quite relevant to SaaS businesses, but also to many others who store their customers’ data in this way. SaaS vendors in particular need to be SOC 2 compliant in many instances, especially when they sell to the enterprise. Enterprises are often beholden to a wide variety of security and compliance controls, and being demonstrably SOC 2 compliant as a vendor gives those enterprise customers the peace of mind they need to do business with you.
SOC 2 isn't a set of hard and fast rules. Rather, it is a framework that sends a strong signal that an organization prioritizes key attributes: security, availability, processing integrity, confidentiality, and privacy. Completing a SOC 2 certification on its own is generally not enough to prove that you are 100% secure as an organization, but it’s a very good start and will go a long way toward instilling trust in your customers.
Before SOC 2, the original standard for auditing service organizations was known as a SAS 70 (Statement of Auditing Standards No. 70). SAS 70 audits were performed by Certified Public Accountants (CPAs) with the original intent to report on the effectiveness of internal financial controls. These were introduced in the early 1990s. Over time, the audit started to be used as a way to report on the effectiveness of a company’s internal controls around information security more broadly. Around 2010, SOC 1 and SOC 2 reports were introduced by the AICPA (the American Institute of Certified Public Accountants) with the explicit purpose of addressing the growing need of companies to externally validate and communicate their state of security. Today, SOC 1 reports are centered around controls impacting financial reports, similar to the original SAS 70. SOC 2 reports, on the other hand, are written on audits against the Trust Services Criteria (TSC) standard, which we’ll explain below. This standard is ideal if you’re looking for a way to simultaneously improve your company’s maturity around business processes and security.
SOC audits are organized around five "Trust Principles." When you are audited, you will choose which principles you want the auditor to attest to. This is a business decision based on what is most important to your customers.
The Trust Principles are:
Security: The foundational security principle, common to all audits.
Confidentiality: Protection from unauthorized disclosure of sensitive data.
Availability: Protection that systems or data will be available as agreed or required.
Processing Integrity: Protection that systems or data are not changed in an unauthorized manner.
Privacy: The use, collection, retention, disclosure, and disposal of personal information is protected.
All SOC 2 audits include “Common Criteria”. This is the biggest section of the audit and touches on every aspect of information security controls. Companies can start with a Common Criteria audit if they’re looking to keep the scope small. Common Criteria includes aspects of all the principles noted above. In addition to Common Criteria, mature SaaS companies tend to add on Confidentiality and Availability. The Integrity principle is typically chosen by companies processing a lot of transactions, as well as financial institutions. Privacy is seldom included as part of a SOC 2 audit. While it has value, most organizations tend to focus their privacy efforts around compliance with HIPAA or EU regulations (like GDPR). This is because European companies generally want audits against their own standards, rather than SOC 2, and they tend to have more stringent requirements. If you need to uphold GDPR, for example, then you’ll be focusing on privacy when you go through that process.
The SOC 2 reporting standard is defined by the AICPA, and all SOC 2 audits are signed by licensed CPAs. To achieve SOC 2 compliance, most companies spend anywhere from six months to a year on focused preparation. This includes identifying which systems are in scope for the audit, developing policies and procedures, and implementing new security controls to reduce risks. When ready, an organization will hire a licensed CPA auditor to conduct the audit. The actual process involves scoping, artifact document collection, and an on-site visit. The time commitment is typically several hours of introductory phone conversations and two days in person at your office, where the auditor will conduct interviews and review submitted material.

When starting to scope a SOC 2 audit, there are a few key decisions that need to be made up front. First, do you want a Type I or Type II audit? This terminology can be confusing to newcomers because of the mix of numbers and Roman numerals. Here's an easy way to remember it: S = SCOPE, T = TIME. That is, SOC 1 = financial scope; SOC 2 = information security scope; Type I = at a single point in time; Type II = over the past six months.
Type I: An audit conducted against the Trust Services Criteria standard at a single point in time. This audit answers: Are all the security controls that are in place today designed properly?

Type II: An audit conducted against the Trust Services Criteria standard over a period of time. This period typically covers six months the first time, and a year thereafter. In other words, this audit answers: Did the security controls that were in place from January 1 through July 31 operate effectively? This means you’ll need a system of record.

Type I reports are, as you might imagine, quicker to prepare for and conduct because you don’t have to wait for six months of historical data. However, while Type II reports take more time, they are also that much more valuable in the hands of customers, prospects, board members, partners, insurance companies, and so on. They report on what you’re actually doing, rather than what you aspire to do. Because of this added value, my general recommendation is to get started early and work directly toward the Type II report. This approach emphasizes immediate action toward improving your security, and because Type II also covers Type I, there are financial savings in the long term if you start with Type II from day one.
Companies of all sizes can benefit from establishing an elevated level of trust with customers, prospects, and partners. If you process or store data on behalf of a customer, you should be concerned with how it’s protected. The news is full of stories of large companies admitting to massive security incidents such as 500,000 leaked passwords, or millions of stolen credit card numbers. The recovery and cleanup of these incidents can cost in the tens of millions of dollars, including the clean-up and forensics process, implementation of new controls, and lagging sales due to lack of customer confidence. Large companies can often recover from a security incident like this because they have the financial resources and brand recognition to move past a single slip-up. Small companies and startups aren’t always so lucky. Loss of a single large customer due to a security compromise, or reputational damage that impacts a company’s ability to raise additional rounds of VC funding, can be devastating for a small or young business. While there is no way to absolutely guarantee security, the SOC 2 report and Trust Services framework give companies external validation that they are managing risks appropriately.
If you don’t have SOC 2 compliance as a vendor, you will probably have to fill out more than a few security questionnaires before you can work with any enterprise-scale customers. While that might sound easier than a SOC 2 audit on the surface, the questionnaires can be quite detailed and overwhelming, and they are often hard to fill out if you don’t already know the security lingo, have tooling in place, and know how to document processes. In other words, if you haven’t already gone through the process of setting up and enforcing policies as you would for SOC 2, you may find yourself stuck when the questionnaires arrive. In a nutshell, being SOC 2 compliant will both help you sell to the enterprise, and force you to follow a set of strong best practices when it comes to keeping your company’s and customers’ data safe. Security is (or at least should be) a major concern for all technology-focused companies today. Achieving SOC 2 compliance is a good way to demonstrate that you do indeed have security at heart in all you do as an organization.
Regardless of whether customers or prospects are knocking down your door for a SOC 2 report, it’s crucial to start SOC 2 preparation as early as possible. Even if you don’t plan to have an audit conducted for a while, starting early will set your company up for success in many arenas.
The formulaic approach necessitated by SOC 2 will improve your overall security. This process will mitigate potential attacks while building a strong security process that will help you win new business by better answering risk questionnaires. Security and compliance should be approached as an ongoing process, rather than a single event, and SOC 2 pushes organizations to build sustainable programs.
Implementing new security controls can be tough. People may complain about the extra time it takes to log in to services using multi-factor authentication. However, the minor annoyances are worth the ultimate outcome. When it comes to building a secure and compliant company culture, the smaller and younger you are as an organization when new processes are put in place, the easier it will be to scale. Companies as small as three employees have gone through SOC 2 audits. It is also helpful to automate these processes as much as possible, baking them deep into your company culture.
It’s never too early to get your documentation in order. Do you have policies and procedures? Do you have internal standards documentation? Having these processes well-documented will improve internal communication and consistency, which in turn enables you to meet legal and compliance challenges, close more sales, and prepare for financial changes like a merger or acquisition or a new round of VC funding.
Finally, preparing for a SOC 2 audit will give you a framework for acknowledging and mitigating risks. Many organizations that have not undergone a formal compliance audit are either unaware of security risks or addressing them in an ad hoc way. Approaching compliance systematically instead will ensure that even risks that aren’t top of mind receive attention and can be mitigated in a timely manner.
It’s a good idea to consider becoming SOC 2 compliant early in your company’s journey if you know you are going to be selling technological services to enterprises and will be storing and/or accessing sensitive customer data of any sort. While it can be challenging to undertake a SOC 2 compliance exercise while you are small and under-resourced, it can actually be even harder to do once you grow larger. The larger your company is and the further along you are in your growth, the harder it is to change culture, processes, tools, and more. When you are smaller, you may not have an IT or security owner, but as soon as you do hire someone in a role like that, you may want to begin thinking about preparing for SOC 2 compliance. Sooner is better, since it will help you integrate the processes and controls into your team’s culture from the get-go.
SOC 2 is a framework to build processes around. Use this guide and the SOC 2 criteria to embed security and compliance into your core culture and business processes. Developing processes around the common criteria and trust principles will give you a foundation that you can build and scale from, rather than a once-per-year scramble for evidence.
We developed the SOC 2 Pyramid to give you a visual representation of the SOC 2 compliance process. It consists of three levels. The foundation is your policies: these document what you do, i.e. how you govern the behavior of employees, vendors, contractors, etc. to meet security requirements. Above policies are your procedures: these demonstrate how your policies work operationally, i.e. what steps you take in response to key events to manage data. Finally, the top of the pyramid is proof: supporting documentation that demonstrates adherence to policies and procedures. The SOC 2 Pyramid is an excellent way to understand the audit preparation process and to visualize it in such a way that it seems less overwhelming. In this playbook, we will also explain what documentation you will need to stay in compliance across each of the three categories. We will also provide a bevy of recommended tools to manage the audit process and ongoing maintenance. By following this playbook, you can begin to build your SOC 2 strategy and start to form your project management teams.
All SOC 2 examinations include an auditor review of organizational policies. These policies must be documented and formally accepted. Each policy covers one piece of the overall security of company and customer data. These are the general policies related to a SOC 2 exam that you must comply with:
These documents describe how the business adheres to the policies. Security procedures must be meticulously written so that any change to the existing workflows in the future can be tested and verified to remain in compliance. These procedures will serve as the basis for future audits and include the day-to-day implementation of your key policies. For example, your Access Control Policy procedures include requirements for authenticating users, reviewing user access, using role-based access control, and authorizing, modifying, and removing users. These procedures also include how access to privileged accounts is controlled, and the type of access or systems that require two-factor authentication.
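The access review procedure described above can be turned into a repeatable check whose output doubles as audit evidence. The script below is an added example, not code from the original page or from Vendr; it assumes a constructed account inventory (the field names are hypothetical) exported from an identity provider, and a hypothetical RBAC catalog that records which roles exist and which are privileged. It flags the conditions the procedure cares about: roles outside the catalog, privileged roles without MFA, offboarded people whose accounts are still active, and accounts whose last documented review is missing or stale.

```python
"""Periodic access review over a constructed account inventory.

Added example (not from the page or Vendr). The Account fields, the
ROLE_CATALOG and the sample accounts are all assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical RBAC catalog: role name -> whether the role is privileged.
ROLE_CATALOG = {
    "viewer": False,
    "engineer": False,
    "billing-admin": True,
    "infra-admin": True,
}

# Maximum age of the last documented access review before it counts as stale.
REVIEW_MAX_AGE = timedelta(days=90)


@dataclass
class Account:
    user: str
    roles: List[str]
    mfa_enabled: bool
    employed: bool                   # False once HR has offboarded the person
    last_reviewed: Optional[date]    # date of the last documented access review


def review_access(accounts: List[Account], today: date,
                  catalog=ROLE_CATALOG) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for every account that fails the
    access control procedure. An empty list means the review is clean."""
    findings = []
    for acct in accounts:
        # Offboarding must remove access; an active account for a departed
        # user is an exception regardless of its roles.
        if not acct.employed:
            findings.append((acct.user, "offboarded user still has an active account"))
        for role in acct.roles:
            if role not in catalog:
                findings.append((acct.user, f"role '{role}' is not in the RBAC catalog"))
            elif catalog[role] and not acct.mfa_enabled:
                findings.append((acct.user, f"privileged role '{role}' without MFA"))
        # Every account needs a documented review within the review window.
        if acct.last_reviewed is None or today - acct.last_reviewed > REVIEW_MAX_AGE:
            findings.append((acct.user, "access review is missing or older than 90 days"))
    return findings


# Constructed sample inventory (not real users or data).
SAMPLE_ACCOUNTS = [
    Account("alice", ["engineer"], True, True, date(2024, 5, 1)),
    Account("bob", ["infra-admin"], False, True, date(2024, 5, 1)),
    Account("carol", ["viewer", "dba"], True, True, None),
    Account("dave", ["billing-admin"], True, False, date(2024, 1, 1)),
]

if __name__ == "__main__":
    # Run the review as of a fixed date so the output is reproducible.
    for user, finding in review_access(SAMPLE_ACCOUNTS, date(2024, 6, 1)):
        print(f"{user}: {finding}")
```

Run on a schedule, the list of findings (and the empty list on a clean run) is the kind of dated artifact that sits at the "proof" level of the pyramid: it shows that the review happened, what it checked, and what was remediated.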
The day-to-day implementation of your key policies must be documented consistently. Standard tools such as Google Docs and Notion can be used to manually document changes and the procedures surrounding them. This can be a time-consuming task if your records from the past aren't well-organized. Workflow management software, which automatically records and stores each step, can make evidence gathering a one-step process: just export your saved workflows.
The Common Criteria for Information Technology Security Evaluation, referred to as Common Criteria, is an internationally recognized standard for computer security certification. Common Criteria is a framework that assures that the process of specification, implementation, and evaluation of a computer security product has been rigorously tested in a repeatable manner. The goal of Common Criteria is for vendors to make claims about the security of their products and for independently run testing laboratories to determine whether the products meet those claims. Below are the nine Common Criteria that are typically associated with SOC 2 compliance for SaaS providers and vendors.
Framework: Management and Communications
Goal: Assure that management and the Board of Directors place a high value on integrity and security.
Details: Management is committed to the security of customer data and takes this into account when hiring personnel, evaluating processes and reporting compliance. The Board of Directors has independent oversight of the management team.
Activities and Deliverables: Ensure management understands SOC 2 and security and that they manage accordingly. CC1 is accomplished through onboarding procedures and ongoing training.
Additional Considerations: CC1.4 is to ensure your employees are competent and trained in security. This is accomplished through your onboarding plan and company workflows.
Software Recommended: HRIS such as BambooHR or Workday, and Vendr (Blissfully)
Framework: Management and Communications
Goal: Create quality policies and procedures to ensure customer data and operational security. Establish consistently reliable communications, both internally and externally.
Details: Your organization must generate and use quality information and documentation to ensure secure workflows and controls. It must also mandate proper communications across all departments and to external sources like vendors and customers.
Activities and Deliverables: Produce high-quality policies and procedures that are available through online documentation that is easily accessible to staff. Establish internal tools that will validate secure communication, both internally and externally.
Software Recommended: Notion, Google Docs, or other communication systems with audit functionality, but email also works.
Framework: Risk Assessment, Monitoring, and Control
Goal: Create clear objectives, analyze risks to achieving those objectives, and monitor how procedural changes impact risk.
Details: Specify organizational objectives enough so that personnel and management assess current and potential risks, including fraud. Develop procedures to update risk assessment when fundamental changes to internal systems take place.
Activities and Deliverables: Risk assessment processes with corresponding documentation that is readily available to stakeholders. This includes regular updates and audits of both the risk assessment and the outcome of the evaluation.
Key Documents: Risk Assessment Tracking
Software Recommended: Notion, Google Docs, or other
Framework: Risk assessment, monitoring, and control
Goal: Continually monitor, evaluate, and communicate the effectiveness of internal controls to accomplish the overall mission of securing data.
Details: Create ongoing evaluations of controls that communicate deficiencies, both internally and externally, when appropriate.
Activities and Deliverables: Evidence that shows risk control activities and defined risk management procedures.
Policies and Procedures: Notion, Google Docs, or other.
Software Recommended: Company workflows (usually department-specific) to easily export evidence (e.g., JIRA or Clubhouse for engineering, Github for infrastructure, AWS, etc.)
Framework: Risk assessment, monitoring, and control
Goal: Develop precise process controls and use technology to achieve company objectives while mitigating risk.
Details: The company develops controls for both workflow processes and technology tools to mitigate risk while still achieving pre-defined objectives. It also defines transparent policies to establish expectations and procedures to ensure compliance.
Activities and Deliverables: Provide documentation showing risk control activities and proving risk management procedures were followed.
Key Documents: Risk Management Procedures
Software Recommended: Technology Management that includes vendor management and related workflows to track employee activity, e.g., Vendr (Blissfully), plus HRIS/Employee Tracking such as BambooHR, Workday, or Checkr to maintain physical access records.
Framework: The security of the physical premises where the organization houses data is the most important and in-depth.
Goal: Ensure only the right people have access to critical data, secure and encrypt data at all times, and physically protect servers storing data.
Activities and Deliverables: Providing sound security practices for physical servers, workstations, and employees, and evidence that these practices are working.
Software Recommended: Employee Access Control and On/Off-boarding procedures (Vendr (Blissfully) + Okta + HR Department)
Framework: Robust Servers and Infrastructure
Goal: Ensure compliance systems are working; includes ongoing monitoring, incident response and evaluation, and disaster recovery.
Activities and Deliverables: Evidence showing Business Continuity and Disaster Recovery plans, and documentation showing that they work.
Key Documents: Business Continuity and Disaster Recovery Plan and Incident Reporting.
Software Recommended: Infrastructure systems such as AWS, Google Cloud, or Microsoft Azure
Framework: Infrastructure Change Management
Goal: Changes to technical infrastructure are well tested and approved before going live.
Details: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to any infrastructure, data, software, and procedures to meet its objectives.
Activities and Deliverables: Clear controls for how technical infrastructure (The System) changes, and evidence the changes were tested before going into production.
Software Recommended: Github for pull requests and a task manager such as Clubhouse or JIRA for engineering workflows.
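For this criterion the evidence an auditor wants is that every production change was approved by someone other than its author, passed its tests, and was merged before it shipped. The script below is an added example, not code from the original page or from Vendr; it assumes constructed, hypothetical records rather than a real GitHub or JIRA export: a dictionary of pull requests keyed by number and a list of production deployments that each cite the PR they shipped. It reports every deployment that lacks one of those three pieces of evidence, including the two common edge cases of a self-approved PR and a hotfix deployed with no change request at all.

```python
"""Change-control evidence check over constructed PR and deployment records.

Added example (not from the page or Vendr). The record layouts below are
assumptions for illustration, not any code host's API or export format.
"""
from datetime import datetime

# Constructed pull requests: number -> review and test evidence.
PULL_REQUESTS = {
    101: {"author": "alice", "approvers": ["bob"], "ci_passed": True,
          "merged_at": datetime(2024, 6, 1, 10, 0)},
    102: {"author": "bob", "approvers": ["bob"], "ci_passed": True,   # self-approved
          "merged_at": datetime(2024, 6, 2, 9, 0)},
    103: {"author": "carol", "approvers": ["alice"], "ci_passed": False,
          "merged_at": datetime(2024, 6, 3, 15, 0)},
}

# Constructed production deployments, each citing the PR it shipped.
DEPLOYMENTS = [
    {"id": "d-1", "pr": 101, "deployed_at": datetime(2024, 6, 1, 12, 0)},
    {"id": "d-2", "pr": 102, "deployed_at": datetime(2024, 6, 2, 10, 0)},
    {"id": "d-3", "pr": 103, "deployed_at": datetime(2024, 6, 3, 16, 0)},
    {"id": "d-4", "pr": None, "deployed_at": datetime(2024, 6, 4, 8, 0)},   # hotfix, no PR
    {"id": "d-5", "pr": 101, "deployed_at": datetime(2024, 6, 1, 9, 0)},    # shipped before merge
]


def audit_deployments(deployments, pull_requests):
    """Return {deployment id: [problems]} for deployments that are missing
    change-control evidence. Deployments with full evidence are omitted."""
    exceptions = {}
    for dep in deployments:
        problems = []
        pr = pull_requests.get(dep["pr"])
        if pr is None:
            problems.append("no change request linked to this deployment")
        else:
            # Approval must come from someone other than the author.
            independent = [a for a in pr["approvers"] if a != pr["author"]]
            if not independent:
                problems.append("no approval independent of the author")
            # The change must have been tested before it was merged.
            if not pr["ci_passed"]:
                problems.append("tests did not pass before merge")
            # A deployment that predates the merge bypassed the approved path.
            if dep["deployed_at"] < pr["merged_at"]:
                problems.append("deployed before the change was merged")
        if problems:
            exceptions[dep["id"]] = problems
    return exceptions


if __name__ == "__main__":
    for dep_id, problems in audit_deployments(DEPLOYMENTS, PULL_REQUESTS).items():
        print(f"{dep_id}: {'; '.join(problems)}")
```

Feeding a real export into the same check is straightforward once the PR and deployment records carry those four fields; the exceptions list is what you would attach to the change-management evidence for the audit period, together with the ticket or incident that justified each one.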
Framework: Risk Mitigation and Vendor Management
Goal: Mitigate risk through defined business processes and vendor management.
Activities and Deliverables: Business Continuity, business insurance, vendor management, including vendor due diligence and management, especially for cloud-hosted vendors.
Key Documents: Vendor processes, assessments, and approval from key management personnel.
Recommended Software: SaaS Management Software such as Vendr (Blissfully) can help mitigate risk across the organization.
SOC 2 CC1: Control Environment
Workflows are at the heart of every organization. As an organization grows from two people to five to ten, and so on, these workflows can introduce security loopholes. SOC 2 CC1 addresses your control environment, of which workflows are a component. Most workflow suites include predetermined workflows for the most common business tasks, including employee onboarding, offboarding, vendor requests, approvals, renewals, and terminations. They also include the ability to build, save, and repeat your own customized workflows to match your particular internal processes. When you use Blissfully for SOC 2 compliance, all your workflows are documented as exportable logs. When you decide to undertake a SOC 2 audit, you can easily pull these logs and present them as evidence to your auditors.
SOC 2 CC5: Control Activities
As mentioned earlier, the average mid-sized company uses 120 SaaS tools. That’s a lot of vendors. Lack of visibility into who all these vendors are and how they interact with your company can be grounds for SOC 2 noncompliance. Maintaining unwieldy spreadsheets, while a common standard, fails to capture crucial real-time data regarding your vendors. Vendor management provides four essential tools to help you meet your compliance objectives:
Under SOC 2, the Control Activities criterion includes how you manage the entire vendor lifecycle. Our vendor management workflows tool gives you visibility into your entire vendor network. It also gives you the tools to delegate purchasing, downgrade, and upgrade rights to selected roles while maintaining an audit trail.
The vendor workflows module creates an audit trail using an intuitive document management system. As you consume SaaS resources, we listen in on all your subscriptions and collect and organize all your contracts, SLAs, invoices and other important documents. Such a documentary audit trail is vital during a SOC 2 audit.
Do you know whether your vendors have SOC 2 compliance? How about GDPR, ISO 27001, and CCPA? With this data, you can curate a compliance matrix across your entire vendor network, an exercise crucial to demonstrating vendor compliance.
Vendr brings in all your renewal data to one place. With such access, you can evaluate vendors for compliance factors before renewing. In this way, using Vendr for SOC 2 transforms renewals from a passive activity into an active compliance-centered action.
SOC 2 CC6: Logical and Physical Access Controls
While the broader CC6 framework considers both logical and physical access controls, Vendr helps you manage logical access controls. We do this by giving you enhanced visibility of all the third-party apps in use at your organization. App discovery and tracking give you a single source of truth as support for your SOC 2 compliance documentation. Moreover, security monitoring provides ongoing access control data collection crucial to your SaaS security audit compliance. If a new app is added to your organization or there’s a user state change, Blissfully captures this data as exportable activity logs. Through this data, you can demonstrate the measures you have taken to modulate logical access control across all your organization’s apps. Using Vendr for SOC 2 compliance gives you a centralized view of all third-party SaaS apps in use in your organization, and tools to help you manage how your personnel interact with them.
SOC 2 CC9: Risk Mitigation
One of the challenges companies face when creating a risk mitigation plan is the lack of a system of record. A system of record is a single source of truth providing transparent, auditable data about a process within an organization. Organizations using different SaaS products without a point of convergence struggle to create a unified system of record. Vendr solves this by providing a converged system of record comprising an extensive SaaS codex with a robust system of record. Here’s how it works: You have multiple vendors. Vendr collates all these vendors and pulls vendor data from the SaaS codex. Vendr then automatically collects and compiles usage data on each. Such data will include users, admins, access rights, costs, and others. With this data, we create for you a complete picture or system of record of your entire organization’s app ecosystem and usage. From this snapshot, you can create and enforce risk mitigation measures. As you undertake risk mitigation measures, using Vendr for SOC 2 will help you maintain a real-time system of record ready for your next audit.
Security & Compliance
Compliance doesn’t have to be an intimidating 10-letter word. In fact, meeting SaaS compliance requirements could bring security to your infrastructure and protect your customers. Being compliant could also instill trust with your customers and potential clients, helping grow your company.
Let’s take the car lease analogy we used for the service level agreement fundamentals post as an example. (If you’re unfamiliar, hop over and take a look—it’s right in the introduction.)
After you’ve leased the car, you might be responsible for basic maintenance. But where will you have your car maintained? You’ve invested in a new car, one that you’ll want to keep running reliably. Also, you’re responsible for keeping the car in good condition up until you return it. So will you want to take your car to any maintenance shop? Maybe not.
Our guess is you’d feel better if your car went to a certified mechanic. Why? Because that certification tells you that the mechanic and facility underwent study, training, and testing and reached a proficiency level deserving of a certificate. In other words, you can trust that your car is in good hands.
SaaS compliance works similarly. But what exactly is SaaS compliance?
SaaS compliance means your company meets a certifying organization’s set of standards and policies. Often, SaaS compliance involves the use, storage, and sharing of data, and meeting compliance means that your company has taken steps to protect its and your customers’ assets and data.
Usually, independent third-party organizations establish a set of standards and guidelines for the industry to follow. They can also certify companies that comply.
From another perspective, you could view compliance as a form of security or risk management.
For example, as your company grows, you might add more SaaS tools to your SaaS stack. Without the proper security measures for your team, each app user could become a potential security risk. Apps developed outside of security requirements could open your and your customers’ data to cyberthreats or data leaks, leaving your assets vulnerable to cyberattacks.
Moreover, according to a 2025 forecast by Gartner, 99% of cloud security failures will be the users’ fault (read: your employees’ fault).
To further stir the pot, operating third-party SaaS solutions adds responsibilities that software developers didn’t have to worry about in the past. Now, SaaS providers must provide proof of a dependable and safe environment.
And as proof that you provide a safe and reliable SaaS product or service, your customers might require certification from a third-party firm. The certifying firm might examine your product’s availability, confidentiality, privacy principles, processing integrity, and security.
Needless to say, your company may find it challenging to meet compliance. However, the rewards could be worth the effort because compliance could mean:
When it comes to improving your data security and growing your business, compliance can be a valuable part of your strategy. Whether you’re looking to expand in a particular industry or other nations, you need to stay on top of the latest regulations to stay competitive. We cover these in the next section.
The General Data Protection Regulation (GDPR) is a comprehensive European data protection law. It provides data rights for individuals and increases compliance responsibilities for organizations. At its core, the GDPR grants European Union (EU) residents greater control over their data. It also gives national regulators new powers to impose significant fines on organizations that breach this law.
Under the GDPR, EU residents can:
The International Organization for Standardization (ISO) prepares standards through ISO technical committees. ISO also collaborates with the International Electrotechnical Commission (IEC) on electrotechnical standardization matters. Specifically, ISO provides a family of standards for information security management systems (ISMS). ISMSs manage information risks and provide a framework that identifies, analyzes, and mitigates these risks.
While ISO/IEC 27001 isn’t exactly a regulation, it’s a standard your SaaS company can use as a guideline to manage security risk compliance. Per ISO, “Using [the standards in the ISO/IEC 27000 family] enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.” You can also use them as formal compliance assessments to achieve certification by accredited auditors.
Service Organization Control 2 (SOC 2) is an auditing process. It’s based on the Auditing Standards Board of the American Institute of Certified Public Accountants’ (AICPA) existing Trust Services Criteria (TSC). A SOC 2 report evaluates an organization’s information systems to check if the company follows its principles. Organizations that are SOC 2 compliant adhere to a strict set of principles to manage customer data securely.
In short, SOC 2 comprises the guidelines and policies your company complies with daily when handling customer data. SaaS companies often comply with SOC 2 first because it’s a common compliance framework designed for businesses that store customer data in the cloud. To be SOC 2 certified, you must build and follow strict information security policies and trust service criteria.
According to the US Department of Health and Human Services (HHS): “The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law. It required national standards to protect sensitive patient health information from being disclosed without their consent or knowledge. HHS issued the HIPAA Privacy Rule to implement the requirements of HIPAA. And the HIPAA Security Rule protects a subset of information covered by the Privacy Rule.” This law affects healthcare services primarily.
The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard developed by The PCI Security Standards Council.
Its purpose is to help organizations protect customer account data by including requirements for:
On March 1, 2017, the New York State Superintendent of Financial Services enacted the New York Cybersecurity Regulation (23 NYCRR 500). The regulation establishes cybersecurity requirements for financial services companies. The requirements address growing threats posed to information and financial systems by nation-states, terrorist organizations, and other cybercriminals. As a result, 23 NYCRR 500 affects SaaS companies that operate in the finance or fintech space and are licensed under the banking, insurance, or financial services laws of New York State.
The Federal Financial Institutions Examination Council (FFIEC) is a council made up of many agencies to prescribe uniform principles and standards. FFIEC guidance provides a framework for examiners to audit companies like yours. Complying and passing audits can help your organization meet business objectives like expanding into new markets or merging with another company.
Let’s review a few tips to help you prepare for SaaS compliance.
Appoint a chief compliance officer (CCO) to oversee and manage regulatory compliance issues.
The CCO would be responsible for:
The compliance department should collaborate with IT and human resources teams. This collaboration should ensure your SaaS environment’s security and organization-wide compliance with security regulations and rules. It should also develop and provide compliance training for relevant team members.
Establish a code of conduct for your compliance program to define its purpose and set expectations for company behavior.
Ensure you configure your infrastructure following CIS benchmarks and your cloud provider’s best practices guidance.
While Vendr can’t grant compliance, our tool can help you with compliance management. Support your compliance program with a system of record for all your SaaS applications that always stays up to date with the SaaS codex: SOC 2, GDPR, ISO 27001, and more. You can also streamline your compliance program maintenance with workflows and automation.