Moving to the cloud and consuming SaaS introduces new risks for security practitioners that must be carefully managed. When selecting a SaaS vendor, thoroughly evaluating their security is critical to protect your data and users. This SaaS vendor security checklist provides a framework to analyze key security capabilities during your due diligence process.
Product Security
Identity and access management features like SSO, MFA, and robust user management
Granular access controls and configurable sharing policies
Auditing capabilities to track access and changes
Encryption for data in transit and at rest
App Security
Evidence of secure development practices like training, threat modeling, and static code analysis
Annual penetration testing by respected security firms
Secure coding practices and vulnerability management
Infrastructure Security
Cloud infrastructure documentation showing security best practices like defense in depth, least privilege, and minimizing attack surfaces- Example: Ensure lateral movement across networks is restricted
Network security following cloud provider guidelines - AWS services like CloudFront, WAF, security groups, VPCs
Operations and management security with MFA, role-based access, just-in-time access
Logging, monitoring, and alerting to detect threats across all infrastructure layers- Example: Have anomaly detection to detect suspicious activities and compromised credentials
Compliance
Relevant certifications like SOC 2, ISO 27001, etc. based on your regulatory requirements
Industry or region-specific compliance as applicable
Conclusion
Using this SaaS vendor security checklist will help you perform thorough due diligence and risk analysis. By evaluating product security, application security, infrastructure security, compliance, and security responsibilities, you can gain assurance that a SaaS provider has the necessary controls in place to protect your data and users.