Cloudy Wednesday: Security Assessments

With more organizations deploying Software as a Service (SaaS), it was surprising to read in a recent Network World article by John Moore that the SANS Institute, an IT security training organization, found that only 22% of organizations surveyed rely on extensive testing and validation before putting a cloud-based application into production.

Why is that? The article points to tight budgets and resources, a lack of good guidelines and the complications that arise from the nested nature of cloud services. Regardless of these shortfalls, vetting SaaS should be an important element of a cloud project. Mr. Moore reports that industry experts suggest SaaS buyers conduct a security assessment before purchasing and annually once the service is in use. It can be difficult to dive in, but as with all projects and deployments there is an underlying responsibility to understand security risks.

The article points to several budding auditing standards that can help, such as Standard for Attestation Engagement No. 16 (SSAE 16), and security frameworks such as ISO 27001, as well as a new federal assessment that takes up the audit task within government systems. In closing, experts also remind us that when it comes to cloud security assessments, no question is a dumb question.

By Liz Young, Marketing Coordinator