Who handles what? Common misconceptions about SaaS security responsibilities


In this Help Net Security interview, James Dolph, CISO at Guidewire, addresses common misconceptions about security responsibilities in cloud environments, particularly in SaaS, and how these misunderstandings can lead to security risks.

What common misconceptions do you encounter about the distribution of responsibilities in a cloud environment, and how do these misunderstandings increase security risks?

SaaS providers and their customers both care deeply about security, compliance, and meeting global regulations. However, SaaS is still relatively new for many organizations accustomed to managing security for on-premises systems. This can lead to misunderstandings, either assuming the SaaS provider handles everything or overcompensating by duplicating efforts.

Both scenarios introduce risks. If gaps in responsibility aren’t identified, critical security measures might be missed. On the other hand, unnecessary investments in duplicate capabilities waste limited security resources.

To address these issues, it’s essential to move beyond assumptions. Since SaaS services vary, organizations should evaluate each solution independently to understand the shared responsibility model and its implications. Resources like the Information Technology – Information Sharing and Analysis Center (IT-ISAC) Critical SaaS SIG (CSaaS SIG) white paper, “Are You Sharing the Responsibility?”, offer practical guidance that can help organizations focus their efforts on the right areas to both strengthen security and maximize their investment.

With the rise of identity-based attacks, what best practices should customers follow to enhance identity security, especially when using shared responsibility frameworks?

Identity security is at the core of today’s zero-trust strategies, and the nature of SaaS environments compounds its importance. With statistics like 90% of companies experiencing identity-based incidents in the past year (per the Identity Defined Security Alliance), it’s clear that Identity and Access Management (IAM) is critical to security outcomes for organizations and SaaS companies alike.

Customers should start by understanding the identity capabilities their SaaS providers offer, such as identity provider integration, multi-factor authentication, and role management. Aligning organizational policies with these capabilities lays a strong foundation for a zero-trust approach.

By asking thoughtful questions like those in the white paper and planning strategically, organizations can strengthen their identity protections while improving user experiences. This proactive mindset ensures security doesn’t just check compliance boxes—it becomes a business enabler.

In an incident response scenario, how should the roles and responsibilities be divided between the SaaS provider and the customer? What are some best practices for clear communication during a security event?

Clear roles and communication pathways are critical during incident response. To build resilience, organizations should first map out the detection, response, and recovery responsibilities for both themselves and their SaaS providers.

Proactive steps include establishing clear points of contact for incident coordination for both the SaaS provider and the organization and understanding escalation paths. This ensures smooth communication during an event, reducing delays and confusion. Reviewing service level agreements (SLAs) can also clarify expectations around response times and responsibilities.

Preparation is key. Create incident response playbooks tailored to SaaS scenarios and run tabletop exercises to test them. Some SaaS providers even participate in joint exercises, providing valuable insights and fostering collaboration. These steps ensure both parties are aligned and ready to act when challenges arise.

What advice do you give customers regarding their responsibilities in meeting compliance requirements (e.g., GDPR, HIPAA) when using a shared SaaS service?

When it comes to compliance, the division of responsibilities depends on the SaaS provider and the regulatory framework in question. For example, some platforms are HIPAA-compliant out of the box, while others may require customers to configure compliance settings or certify their use case with regulators, like APRA’s requirements for certification.

To navigate this, organizations should assess how their compliance obligations intersect with the provider’s shared responsibility model. By clearly identifying what the provider covers and what’s left for the organization to manage, customers can ensure their compliance strategy is both effective and efficient.

What steps can customers take to proactively manage and validate the security controls implemented by their cloud providers?

While trust is foundational in any SaaS relationship, “trust but verify” is key in security. Organizations should regularly review the controls implemented by their cloud providers. Resources like certifications, third-party attestations, and penetration testing reports can provide insights into provider-managed controls.

Beyond reviews, some SaaS providers allow customers to conduct their own security assessments or penetration tests, further validating the security of their specific implementation. Providers often have teams available to guide these processes, fostering collaboration and building confidence in the shared security posture.

By engaging in proactive validation, organizations not only strengthen security but also deepen their partnerships with SaaS providers, ensuring shared success and trust.