Simply put, SaaS security is the set of practices a provider puts in place to protect the assets that make up its software-as-a-service offering: the infrastructure, the application, and the customer data it processes.
Why is SaaS Cybersecurity a Priority?
Threat actors are particularly attracted to environments that run SaaS solutions because of the volume of sensitive data stored there. Data such as PII (personally identifiable information) is a prime target for attackers, which is why security for SaaS applications is vital.
As outlined by the Cloud Security Alliance (CSA), cloud service providers operate under a shared responsibility model for security controls. This means your security team retains some security responsibilities as you move applications, data, containers, and workloads to the cloud, while the provider takes on some of the responsibility, but not all of it. We discuss the importance of these shared responsibilities in the latest episode of the Reimagining Cyber podcast with Jim Reavis, co-founder and CEO of CSA.
With a SaaS service, the provider is responsible for the security controls at the physical, infrastructure, network, virtualization, operating system, and application layers of the solution. The consumer of the service is responsible for their own data and for user access management within their instance. The consumer and the SaaS provider therefore share responsibility for protecting the data used in the service.
ISO 27001 Certification
Providers use certification against recognized security standards to demonstrate a level of commitment to security that can offer peace of mind to their customers.
One such certification is based on a standard published by the International Organization for Standardization (ISO). ISO 27001 certification demonstrates that an organization has invested in the people, processes, and technology (e.g., tools and systems) needed to protect its data (in this case, the data handled by a SaaS offering), and it provides an independent, expert assessment by an accredited certification body of whether that data is sufficiently protected.
CyberRes Hits a Major Milestone
I’m happy to share that we have successfully completed ISO 27001:2013 certification of the Information Security Management System (ISMS) for the current CyberRes SaaS offerings (note that it is the ISMS that is certified; the CyberRes products themselves are not ISO-certified):
Security Operations (SecOps)
- ArcSight Intelligence for CrowdStrike (aka Interset)
- ArcSight Recon (aka Log Management and Compliance)
- Galaxy Public (aka Online)
- Galaxy Threat Acceleration Program Basic (GTAP)
- Galaxy Threat Acceleration Program Plus (GTAP+)
Identity and Access Management (IAM)
- NetIQ Advanced Authentication (AA)
- NetIQ Identity Governance (IG)
- Voltage File Analysis Suite (FAS)
- Voltage Secure Mail
Application Security (AppSec)
- Fortify on Demand (FoD)
- Fortify Hosted
You can see the status of our ISO 27001 certifications along with others on the CyberRes Certification and Standards page.
Getting every CyberRes SaaS offering ISO 27001 certified in one go wasn’t easy. But we aren’t done! Next up is a dual path of SOC 2 Type 1 audit attestation and FedRAMP Authorization for the IG, AA, FAS, and ArcSight Intelligence SaaS solutions.