What happens when an incident has occurred in your SaaS environment? It’s important to have an actual solution, meaning that you must have the plan, the tools, and the resources to look after it.
If you have a security or privacy incident, the next steps are to profile and assess it, and respond to it, all the while keeping regulatory compliance in mind. How much information you get from a SaaS provider depends on your service level agreement (SLA), and sometimes on the level of logging, auditing and service you are paying for.
In an ideal scenario, you can collaborate with the SaaS provider on mapping out your key incident response scenarios. It is rare that an SLA will include this kind of detailed preparedness work. No matter what the SLA says, it is still critical for you to fully understand which systems, monitoring tools, and response processes the SaaS provider has available and who your key contacts are.
Moving workloads, industry applications, and business-critical systems to software as a service is a strategy that is here to stay. The benefits are far too substantial to ignore. With enablement being a matter of a few clicks and perhaps a credit card number, “shadow IT” isn’t a marketing term, but rather a very real situation that is constantly evolving. If you have responsibility for ensuring that your company’s data and intellectual property are secure and that it meets its privacy obligations, then my advice is to make sure you have a clear and well-communicated “SaaS onboarding” strategy. Your would-be “shadow IT” folks don’t want to hear “no” or they’ll go and do their own thing. But if you have a plan and an approach for them to follow, then it’s only natural that they will follow this path of least resistance, the path where you enable their identity management and facilitate security and compliance for them.
Finally, a shameless plug for New Signature’s cloud-managed services really does make sense here. Because security configurations, options, and facilities vary by cloud service and are constantly changing, working with a team dedicated to staying current and providing industry best practices certainly has its advantages. Our managed-service team has the benefit of working with many customers, through many different events and scenarios. They bring all this expertise to you, so that you don’t have to gain and maintain this information at the pace of the Cloud and can go back to adding value specific to your business.