As organizations aim to become more efficient, or simply to take advantage of new products in the marketplace, Software-as-a-Service (SaaS) vendors are becoming an ever larger part of the organizational ecosystem. We would love to tell you that every SaaS vendor puts best-practice security controls in place and has done its due diligence with penetration testing and locking down its applications, but the truth is, not all have.
As a security leader, it is important for you to have a robust third-party evaluation process that ensures the vendors you do business with align with the security control expectations of your organization. It is crucial to know how these SaaS vendors (or any vendor, for that matter) stack up against your baseline security controls, but it is just as important to:
- Have an inventory of the SaaS vendors in your ecosystem.
- Understand the types of data they are housing (e.g., confidential, regulated, etc.).
- Know how they are getting the data (e.g., manually, from internal sources, via API, etc.).
- Confirm the security controls in place, such as access controls, user termination practices, MFA, etc.
- Confirm that their applications have undergone security testing and that it happens periodically.
We have seen that third-party management and evaluation has become its own role, or even a full team, in many organizations. The influx of SaaS vendors only adds to that workload and the number of reviews. We cannot stress enough how much inventories and evaluations contribute to the security of your organization. Keep in mind that even if you have a long-term relationship with a vendor, periodic reviews may still be necessary.
Ensuring the security of your data is more complex than in the past, but if you have a robust process for assessing your vendors, you can have confidence that your data is in good hands.
Need help? Give us a call.