ISO 27001 certification not enough for verifying SaaS, cloud security

As SaaS and cloud vendors promote security standards like ISO 27001 or SAS 70, experts urge users to delve deeper. What matters is that vendors meet your security needs.

In May 2008, customer relationship management (CRM) software provider Salesforce Inc. trumpeted that it was the first publicly traded Software as a Service (SaaS) vendor to achieve ISO 27001 certification, an international standard intended to demonstrate a sound information security management system. The adoption of the detailed information security standard was companywide, an expensive undertaking.

A year and a half later, analysts who follow information security generally applaud Salesforce's move. Even as the many vendors now selling SaaS and cloud services rush to assure customers of their information security practices, San Francisco-based Salesforce remains one of a handful to have adopted the rigorous standard, analysts said. While ISO 27001 might not be the business differentiator Salesforce claims it is, there is still no single information security standard for SaaS or cloud providers. However, these same experts caution that neither ISO certifications nor other industry-specific stamps of approval relieve CIOs or business users of the responsibility to grill their SaaS or cloud provider about security procedures.

"I will hand it to Salesforce for taking the step of doing that," Burton Group Inc. analyst Eric Maiwald said of the ISO 27001 certification. "But I still think there are questions that need to be asked of Salesforce -- or any SaaS or cloud vendor -- about what they might be doing internally." (See sidebar.)

More important than a security certification is whether the vendor's controls meet an organization's data security requirements, said Maiwald, a vice president and research director in the security and risk management strategies group at Midvale, Utah-based Burton. Of course, to make that judgment, an organization must understand whether the information it puts in the cloud is sensitive and why.

"Before you walk into these applications out in the cloud, you should have your house in order," Maiwald said.

Danger in taking information security standards at face value

A good example of a standard that begs more questions than it answers, according to analysts, is the Statement on Auditing Standards No. 70 (SAS 70), developed by the American Institute of Certified Public Accountants to assess the contracted internal controls of a service organization. SAS 70 Type I relies on an assertion from the company about its controls. SAS 70 Type II means the controls have been evaluated. Both cost plenty of money to get, said Gartner Inc. analyst John Pescatore, but neither will tell you what you need to know about a provider's data security.

"SAS 70 makes the auditors happy. It does not make the security people happy. Because it is a process audit, it is not really making sure that the service provider is protecting the company data, just that they are following all processes," said Pescatore, vice president and research fellow at Stamford, Conn.-based Gartner.

Maiwald is even less enthusiastic. "The vendor paying for the SAS 70 Type II defines what is in scope and what is out of scope. So if I am a vendor paying for the SAS 70, I am going to define what is in scope as the stuff that I do really well. Why would I do otherwise?" he said.

Some smaller vendors, when asked about a SAS 70 audit, simply give customers their colocation provider's assertion, Maiwald said. "This may have talked about power and the backup generators and physical security around the facility. It does not say anything about the software development process of the particular application, the controls the vendor is putting on authentication of customers or who has access to their systems, yet the customer accepted it."

Making matters more complicated, many SaaS vendors will give out only the cover letter attesting to the SAS 70 Type II approval. Very few hand out the full reports, and those that do usually require customers to review the audit at the vendor's premises and under strict time limits. "You have to know what you are looking for," Maiwald said.

Shared Assessments guideline, RI3PA

ISO 27001 is different, as it is "pretty much the standard most enterprises hold themselves to," Pescatore said. "If I were running my data center and making sure it was compliant with 27001, I would certainly want to make sure my service providers were at least as secure as I am."

In the absence of a single security standard, certain industries have developed their own tools for vetting cloud vendor security. The banking industry, for example, has Shared Assessments, a member organization formed to evaluate the security of the controls of service providers. The credit-checking business Experian Information Solutions Inc. uses RI3PA, a framework based on the Payment Card Industry Data Security Standard, to evaluate the security of its resellers.

Demonstrating sound security practices is the "barrier to entry" for any cloud or SaaS provider who hopes to remain viable, said Pescatore. "It's a requirement, no longer a competitive advantage."

The user take on the ISO 27001 certification

Certainly, Salesforce stands by the value of its ISO 27001 certification.

In 2008, the adoption of the security standard drew "an immediate positive response" from the vendor's international customers, "as they understand the value of this standard," said Izak Mutlu, Salesforce's vice president of information security, in an email. "However, during the last year, we have seen an increased group of customers (both domestic and international) asking, and in some cases requiring, the use of ISO 27001 certification in contracts."

So how important is the certification to customers? That seems to depend a good deal on whether the customer is a business user or in IT.

"For us, the security certification is not that big of an issue," said Brian Fabry, a sales analyst at Genzyme Corp. Make no mistake, added Fabry, a director of CRM for three business units, security is a huge issue at the Cambridge, Mass.-based biotechnology company, where the work involves highly sensitive medical and patient information. But the Web-based CRM software from Salesforce is a field service tool for the company's mobile salespeople. "To have it a little more open is actually better for them. They don't have to go through the VPN to access what they need."

A customer since June 2008 -- "We had a very good deployment," he said -- Genzyme is on its fourth CRM tool, having tried a hosted application from Siebel Systems Inc., SalesLogix from Sage Software Inc. and a homegrown tool. Buy-in was the main problem, according to Fabry. Salespeople tended to look at the software as a corporate "management tool" to track metrics rather than a better way to manage customers, he said.

Maurice Plourde, divisional vice president of IT at Caliper Life Sciences Inc. in Hopkinton, Mass., not surprisingly, had more concerns about the tradeoffs between unfettered access and the security of the software.

"On the one hand, it is ubiquitous -- you can get to it from everywhere, assuming you have access to the Internet, so that is a real plus. Data security is a different issue," Plourde said, particularly in light of 201 CMR 17.00, the new Massachusetts data protection law slated to go into effect in early 2010.

The Massachusetts law stipulates, along with other measures, that personally identifiable information (a person's name together with a Social Security number, for example) must be encrypted when stored on portable devices, or transmitted wirelessly on public networks. The law was recently revised to ease a requirement holding third parties accountable to the security rules. Under the original law, companies had to attest that a third-party provider was compliant with the regulations.

But Plourde pointed out that the law has yet to be tested. "What is the interpretation of compliance? This could be problematic for Salesforce," he said.

As for Salesforce's ISO 27001 certification, Plourde agreed that more important than any standard is whether the provider's practices meet your company's security standards. "You have to verify and validate that they follow your procedures."

Let us know what you think about the story; email Linda Tucci, Senior News Writer.