Auditing Software as a Service (SaaS): Balancing Security with Performance

Similar documents
Clinical Trials in the Cloud: A New Paradigm?

Cloud Computing An Auditor s Perspective

The Keys to the Cloud: The Essentials of Cloud Contracting

Cloud Computing demystified! ISACA-IIA Joint Meeting Dec 9, 2014 By: Juman Doleh-Alomary Office of Internal Audit

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Enterprise Architecture Review Checklist

The silver lining: Getting value and mitigating risk in cloud computing

The Elephant in the Room: What s the Buzz Around Cloud Computing?

Orchestrating the New Paradigm Cloud Assurance

3 rd Party Vendor Risk Management

IBM Cognos TM1 on Cloud Solution scalability with rapid time to value

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World

Security in the Cloud

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

Cloud Security and Managing Use Risks

Cloud Vendor Evaluation

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

BMC s Security Strategy for ITSM in the SaaS Environment

Can SaaS be your strategic advantage in building software? Presented by: Paul Gatty, Director of World Wide Operations

Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture

Securing the Service Desk in the Cloud

Cloud Computing: Background, Risks and Audit Recommendations

Cloud Computing. What is Cloud Computing?

Managing Cloud Computing Risk

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World

Policy Outsourcing and Cloud Based File Sharing

EXIN Cloud Computing Foundation

Software-as-a-Service: Managing Key Concerns and Considerations

LEGAL ISSUES IN CLOUD COMPUTING

How To Operate In Cloud

The Cloud at 30,000 feet. Art Ridgway Scripps Media Inc. Managing Director Newspaper IT Operations

Cloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile

Every Cloud Has A Silver Lining. Protecting Privilege Data In A Hosted World

Services Providers. Ivan Soto

Wednesday, January 16, 2013

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Software as a Service: Guiding Principles

Security & Trust in the Cloud

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

NAREIM Session: Dangers and challenges of The Cloud. President, NiceNets Consulting, LLC

Cloud Computing: Legal Risks and Best Practices

Moving your enterprise systems to the cloud? What do you need to know to manage the risks? Jamie Levitt, Director

Always On Infrastructure for Software as a Ser vice

Cloud Computing: Risks and Auditing

Enterprise Cloud-to-Cloud Backup and Recovery:

CHECKLIST: Top 10 reasons to move to the cloud

Auditing Cloud Computing and Outsourced Operations

Addressing Cloud Computing Security Considerations

Pharma CloudAdoption. and Qualification Trends

Team A SaaS Strategy

Simplifying Human Resource Management

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers

Public Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

Cloud security: A matter of trust? Dr Mark Ian Williams CEO, Muon Consulting

Intel Enhanced Data Security Assessment Form

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

Protecting your brand in the cloud Transparency and trust through enhanced reporting

Cloud Computing: Compliance and Client Expectations

Cloud models and compliance requirements which is right for you?

Secure, Scalable and Reliable Cloud Analytics from FusionOps

Cloud security architecture

Dell s Unified Clinical Archive Solution

SATURDAY, FEBRUARY 28, 2015 CLE 10 (Ethics) 9:30 a.m. 10:30 a.m. Moving to the Cloud - Identifying & Managing Legal, Ethical and Compliance Risks

Document Management System. Contract Analysis and Negotiation March 11, 2012

Managing Cloud Services in the Enterprise The Value of Cloud Services Brokers

Service Measurement Index Framework Version 2.1

Qualification Guideline

Retention & Disposition in the Cloud Do you really have control?

BMC Remedy OnDemand. Product Overview

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

PCI DSS Top 10 Reports March 2011

What s the Path? Information Life-cycle part of Vendor Management

4/7/2012. Software (and data) accessed via the internet; not on your local computer

Sage ERP I White Paper. ERP and the Cloud: What You Need to Know

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

The Partnership. You Can Count On. Seth Pomeroy, Partner NDH Group, Ltd May, 2015

What We ll Cover. Defensible Disposal of Records and Information Litigation Holds Information Governance the future of records management programs

Managed Services Is It Time? How to determine if it s right for your company

Maximize potential with services Efficient managed reconciliation service

Past vs. Present: Third Party Risk

Federal CIO: Cloud Selection Toolkit. Georgetown University: Chris Radich Dana Christiansen Doyle Zhang India Donald

Daren Kinser Auditor, UCSD Jennifer McDonald Auditor, UCSD

Cloud Computing An Internal Audit Perspective Institute of Internal Auditors Topeka Chapter

A Guide to Common Cloud Security Concerns. Why You Can Stop Worrying and Start Benefiting from SaaS

CPNI VIEWPOINT 01/2010 CLOUD COMPUTING

Cloud Computing in a Regulated Environment

Cisco Cloud Assessments. Justin Tang

SaaS Data Architecture. An Oracle White Paper Oct 2008

Cloud Computing--Efficiency and Security

Cloud Services Overview

Information Technology: This Year s Hot Issue - Cloud Computing

Client Security Risk Assessment Questionnaire

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

THE BLUENOSE SECURITY FRAMEWORK

Cloud & Security. Dr Debabrata Nayak Debu.nayak@huawei.com

Cloud Computing. Bringing the Cloud into Focus

NCTA Cloud Architecture

Transcription:

Auditing Software as a Service (SaaS): Balancing Security with Performance

Goals for Today Defining SaaS (Software as a Service) and its importance Identify your company's process for managing SaaS solutions and evaluate the selection methodology Assess the process to analyze the security of SaaS solutions Review the contract management process for SaaS providers Evaluate the process for managing logical access to the SaaS solutions Measure the effectiveness of SaaS tools to monitor performance

What is Software-as-a-Service (SaaS)? Software deployment via the Internet Web Software On-demand Service Model Per-user pricing (pay-as-you-go) or flat monthly fee Very little customization (Multi-tenant) *All trademarks, service marks, images, products, and brands remain the sole property of their respective holders.

Growth of SaaS Providers *All trademarks, service marks, images, products, and brands remain the sole property of their respective holders.

Growth of SaaS Gartner s Forecast Overview: Public Cloud Services, Worldwide, 2011-2016, 4Q12 Update Published: 8 February 2013.

Headlines

Benefits of SaaS Scalability Reduction of Acquisition Costs Simple Deployment Global Accessibility Easy Administration Compatibility

Risks related to SaaS Security Operational Reliability Professional & Business Competence Vendor Viability Legal Compliance

SaaS Benefits Groupon s use of SaaS provider Zendesk Explosive growth created the need for a robust ticketing solution Benefits Received Online support solution provided scalability Flexible solution delivered value Groupon service agents can easily tweak the system without calling a consultant *All trademarks, service marks, images, products, and brands remain the sole property of their respective holders.

Audit Approach What SaaS tools are in use at your company? How are they managed (centralized, decentralized) Who are the primary users? Is the process for engaging SaaS providers standardized or informal? Identification Evaluation On-boarding

Audit Approach cont. Obtain a population of SaaS tools in use Test for Completeness Speak with employees Review credit card and A/P payments Legal Department Test for Accuracy Verify listed items meet definition of SaaS Get comfortable with the population!

Evaluation of the Selection Process Is the process defined and established? If not, how are the risks mitigated? Business case evaluation Vendor scorecard Security assessment Review of contract terms System integration and evaluation by IT Final vendor approval

Security Assessment Why is an assessment important? Ensure compliance with regulatory requirements Identify possible security vulnerabilities Ensure compliance with corporate security policies

Security Assessment cont. If a formal assessment was performed Were the issues properly communicated? Was the assessment signed off by someone with the appropriate authority? Was the residual risk acceptable?

Security Assessment cont. If a formal assessment was NOT performed Are security policies documented? Are SLAs (Service Level Agreements) documented? Does a disaster recovery policy exist? What are the data encryption / storage requirements? Does the tool support your password requirements? Does the vendor have any 3 rd party assessments? ISO 27001 SSAE 16 (SOC 1, 2, or 3) *All trademarks, service marks, images, products, and brands remain the sole property of their respective holders.

Evaluation of Contract Terms Importance of contract terms Reduce liability risks Ensure performance Approval process Review legal and business terms Approval by appropriate parties Execution prior to use of services Periodic review and update

Evaluation of Contract Terms cont. Contract testing considerations Service Level Agreements (SLAs) Right-to-audit clauses Renewal and termination clauses Relevant governing laws for multi-national agreements Notice of material adverse impacts Record retention / ownership of data or source code

Access Management Why is this important? Data integrity Loss of data Confidentiality

Access Management - Important Questions Who is able to authorize access? Who is responsible for managing employee access? Is Single Sign-on or Same Sign-on utilized? Are periodic access reviews performed?

Performance Monitoring How does monitoring add value? Ensures compliance with the contract Timely identification allows for mitigation Reduction of operating expenses Reduction of legal liability expenses

Performance Monitoring cont. Evaluate the monitoring process Who is responsible for monitoring activities? What metrics are tracked? How are SLA terms tracked? What is the process for following-up on SLA breaches? Is billing monitored for accuracy? How are results communicated?

Final Thoughts Identify your company s appetite for SaaS solutions. Formal or informal, a security evaluation is an essential part of the SaaS selection process. Proper contract terms are vital to supporting the successful utilization of SaaS tools. Robust access management processes will help support a secure environment. Monitoring performance is important to ensure your company can meet their goals and objectives.

Final Thoughts cont. Risks do exist but the value that SaaS solutions can provide is too great to ignore. Internal Audit can assist Management in identifying the right controls and processes needed to allow them to realize the value that SaaS tools can bring.

Q & A Remi Nel Global IT Audit Manager Rackspace remi.nel@rackspace.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information