The zero fluff guide to navigating enterprise information security assessments

Prologue
Hello! If you've stumbled upon this note, you are perhaps looking to sell SaaS to large enterprises. We've been in your shoes, and through our blunders, we've learned a few things about how young SaaS companies can present a strong case for their Infosec posturing. As part of this note, we shall also cover some basics of ISO 27001, SOC 2, and GDPR and how compliance with these standards could provide a competitive edge in the sales process.
The context
Let's take the example of a hypothetical large pharma company called Skull Pharma Inc., with manufacturing in India and customers in multiple geographies, which include India, the US, and parts of Europe. Also, the company works with vendors across several geographies, which again include India, the US, and maybe some parts of Europe.
Such an organization would have potentially sensitive data of the following types:
- Confidential pricing information for their finished goods
- Confidential cost information for key inputs
- Personal Identifiable Information (PII) in the form of email IDs, phone numbers, and possibly the medical history of individuals
- Results of clinical trials or bioequivalence studies of pipeline products
Given the size and sensitivity of data that such an organization would handle, it is imperative that they comply with the highest standards of information security, which would typically manifest in compliance with ISO 27001, SOC 2, GDPR, and some guidelines like ISO 27018.
How does the buyer's compliance with Infosec standards impact the sales process?
When an organization is compliant with ISO 27001, SOC 2, or GDPR, it is necessary to ensure that their software vendors are equally compliant with these standards (even if they are not formally certified) and that their sensitive data is in good hands. The recent spate of cybersecurity attacks and data breaches at Facebook, Scripps Health, JBS, Dr. Reddy's, Astra Zeneca, and several others shows that attackers are becoming savvier, and enterprises across the globe are increasing their Infosec budgets.
Consequently, there are three ways the sales process for Enterprise SaaS gets impacted.
- Large enterprises ask for software to be deployed on-premise, which is a very expensive option but is perceived as more secure.
- Large enterprises pay 4-5x higher subscription fees for 'legacy' tools or 'established players' that are perceived to be 'more secure.'
- Large enterprises put very stringent checks and evaluation criteria in place for the Infosec compliance of their software vendors.
Now, here is a typical situation during the enterprise sales process that we've seen several extremely promising SaaS companies find themselves in.
Jeremy, the business user:
Jeremy has done an extensive pilot with your product, and your product is loved not only by Jeremy's colleagues but also by Jeremy's suppliers. As a young and nimble SaaS start-up, you've absolutely nailed all aspects of the UX and have CSAT scores that have shot through the roof.
Jacinda, the Finance team member:
Jacinda has done an extensive cost-benefit assessment of your SaaS product and finds that you can potentially deliver an IRR of ~300-400% over a five-year period, even at conservative adoption levels.
Jacob, Head of IT procurement:
Jacob has made a quick pre-proposal comparison of your SaaS product's subscription cost with your peers and legacy competitors. While Jacob doesn't find you to be the cheapest, he also acknowledges that you are priced fairly for the value that Jacinda thinks you provide. Of course, Jacob is likely to negotiate with you in the end and stop only when you are on the verge of starting to weep.
Janice, the IT ERP team leader:
Janice is the gatekeeper for all things ERP. Janice has nurtured the company's ERP systems with her hands, and she will not let any garbage flow in or flow out of it. You've somehow managed to ensure smooth integration with Skull Pharma's ERP using Mulesoft or similar tools, and your initial system integration testing is successful. While Janice doesn't like you yet, she doesn't hate you either.
So now, Jeremy and Jacinda are filled with glee, Jacob broadly likes you, and Janice doesn't hate you. Should you tag the account as 'decision stage' in your CRM yet?
Not yet; there's another stakeholder.
Stonecold, the Chief Information Security Officer (CISO)
Stonecold has asked you ~30 questions about your Infosec practices and is not confident about how robust your Infosec posturing is. You've provided satisfactory responses to only half of Stonecold's questions and Stonecold has disqualified you.
Why did Stonecold do that? Because if Skull Pharma's data is handled irresponsibly, they have a lot more to lose in terms of goodwill than they could save by opting for you over your 'legacy' competitor that is perceived to be more secure.
How could we avoid such a situation and make Stonecold our strongest supporter within the organisation?
We spoke to several SaaS companies in India and the US that have successfully closed $100K+ deals with large enterprises, operating in spaces where there are legacy players or on-prem alternatives. We've tried to distill the learnings below.
Role-based access
Stonecold would be happy to understand the various user roles and access controls associated with the various modules within your product.
An example of how role-based access can be explained could be (not exhaustive):

Infra and Storage
Since there are multiple deployment models available, the CISO would be keen to understand the model that the SaaS vendor follows and the controls associated with it.
- In which geography is the data hosted? (e.g., if there are multiple EC2 instances running in different geographies, mention all of them)
- Does your SaaS platform have multiple tenants mapped to a single instance? Or is every account mapped to a separate instance?
- How are the databases created in case of multi-tenancy? Do multiple tenants share a common database?
- How frequently are the databases backed up? After what period is the data archived, and what is the retrieval policy?
Based on their comfort, the CISO could be OK with a multi-tenant architecture, could ask for complete on-prem deployment, or could settle for a middle ground by asking for the creation of a dedicated instance of the software on their private cloud. Each alternative will have a different time and cost implication for the SaaS vendor, but if the security posturing is established upfront, the SaaS vendor can negotiate like an equal.
Both ISO 27001 and SOC 2 clearly outline the best practices around how databases should be secured. We could share what we've learned too; sign up for a free consultation.
Logging
A very important element of the SaaS vendors' security posturing is managing unauthorized/suspicious attempts to access the platform. It helps to answer the following questions proactively.
- Which users (or user groups) have access to client data?
- Are there any third-party applications that would indirectly access the client's data?
- What tools do you use for logging (e.g., AWS Cloudwatch)?
- How are suspicious or malicious login attempts identified (access control failures, server-side input validation failures)?
- How will server logs be monitored and alerted (e.g., unexpected events such as SSH connections from a new IP address)?
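As an added illustration of the last question above (not code from the original post), here is a small Python detector that runs over a constructed sample of sshd log lines and flags two events a CISO would expect alerting on: an accepted login from a source address outside an assumed known-sources baseline, and repeated authentication failures from one address. The baseline set, threshold and log lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth log lines for this example (not from a real host).
SAMPLE_LOG = """\
Jun 14 09:12:01 app01 sshd[2231]: Accepted publickey for deploy from 10.0.1.15 port 51022 ssh2
Jun 14 09:15:44 app01 sshd[2290]: Failed password for invalid user admin from 203.0.113.9 port 4402 ssh2
Jun 14 09:15:46 app01 sshd[2290]: Failed password for invalid user admin from 203.0.113.9 port 4402 ssh2
Jun 14 09:15:49 app01 sshd[2291]: Failed password for root from 203.0.113.9 port 4410 ssh2
Jun 14 09:20:10 app01 sshd[2310]: Accepted publickey for deploy from 198.51.100.77 port 40112 ssh2
Jun 14 09:21:00 app01 sshd[2311]: Accepted password for ops from 10.0.1.20 port 50001 ssh2
"""

# Assumed baseline: source addresses (e.g. the vendor's VPN egress) that admin logins normally come from.
KNOWN_SOURCES = {"10.0.1.15", "10.0.1.20"}
FAILED_THRESHOLD = 3  # failures from one address before it is reported

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_sshd_line(line):
    """Return the fields of an sshd auth event, or None for lines that are not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def analyse_auth_log(text, known_sources=KNOWN_SOURCES, failed_threshold=FAILED_THRESHOLD):
    """Produce alert dicts: accepted logins from outside the baseline, and
    addresses with failed_threshold or more failed attempts."""
    alerts = []
    failures = defaultdict(int)
    for line in text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        if ev["result"] == "Accepted" and ev["ip"] not in known_sources:
            alerts.append({"type": "login_from_new_ip", "user": ev["user"], "ip": ev["ip"]})
        elif ev["result"] == "Failed":
            failures[ev["ip"]] += 1
    for ip, count in failures.items():
        if count >= failed_threshold:
            alerts.append({"type": "repeated_failures", "ip": ip, "count": count})
    return alerts

if __name__ == "__main__":
    for alert in analyse_auth_log(SAMPLE_LOG):
        print(alert)
```

In practice the baseline would be fed from the VPN or bastion allow-list and the alerts shipped to whatever the vendor names in answer to the "which logging tool" question.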
Network and Communication Security
Any data for which access and disclosure are restricted to a limited (specified) set of users or user groups classifies as confidential data. Examples of confidential data include internal price lists and other types of sensitive financial information. Encryption is an important control for protecting confidentiality during transmission.
- Are network and application firewalls used to safeguard information being processed or stored on computer systems?
- What version of SSL/TLS is being used? Are you using a version that is deprecated? Usually, the CISO would raise a red flag if the vendor is using a version older than TLS 1.2.
- Which is the certifying authority for the SSL/TLS certificate?
- Are Virtual Private Clouds enabled on the Cloud Service Provider to ensure Network Security?
Session Management
Managing sessions is an important task, and large enterprises have strict policies around it. SaaS vendors must exhibit flexibility around session management and align with the target organization's policies. Some of the important questions are:
- How are new sessions managed (e.g., using Tokens)?
- Can clients configure rules to allow multiple sessions for a user/restrict to a single session?
- What happens to existing sessions when an account is deleted, or the password is changed?
- Can the client configure expiry rules for the JWT tokens?
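The four session questions above can be answered concretely. The following Python session store is an added example (not the original post's or any vendor's code) that implements a per-tenant policy for token expiry and single-versus-multiple sessions, and revokes every session on password change or account deletion. It uses opaque server-side tokens rather than JWTs, because the revocation questions need server-side state that a stateless JWT alone cannot give; tenant and user names are constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass
class SessionPolicy:
    """Per-tenant session rules the client can configure (constructed defaults)."""
    ttl_seconds: int = 3600              # token expiry, configurable per client
    allow_multiple_sessions: bool = True  # False => one active session per user

@dataclass
class Session:
    tenant: str
    user: str
    expires_at: float

class SessionStore:
    """Server-side store keyed by opaque random tokens. Keeping state server-side is
    what makes revocation on password change or account deletion possible."""
    def __init__(self):
        self.policies = {}  # tenant -> SessionPolicy
        self.sessions = {}  # token -> Session

    def set_policy(self, tenant, policy):
        self.policies[tenant] = policy

    def create_session(self, tenant, user, now):
        policy = self.policies.get(tenant, SessionPolicy())
        if not policy.allow_multiple_sessions:
            self.revoke_user(tenant, user)  # single-session rule: newest login wins
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(tenant, user, now + policy.ttl_seconds)
        return token

    def is_valid(self, token, now):
        s = self.sessions.get(token)
        if s is None:
            return False
        if now >= s.expires_at:
            del self.sessions[token]  # lazy cleanup of an expired token
            return False
        return True

    def revoke_user(self, tenant, user):
        """End every session of one account; returns how many were revoked."""
        doomed = [t for t, s in self.sessions.items() if (s.tenant, s.user) == (tenant, user)]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)
    # Both events must invalidate all existing sessions of the account.
    def on_password_changed(self, tenant, user):
        return self.revoke_user(tenant, user)
    def on_account_deleted(self, tenant, user):
        return self.revoke_user(tenant, user)
```

If JWTs are used instead, the same revocation behaviour needs a server-side denylist or a per-user token version checked on every request, and the client-configurable expiry maps to the token's exp claim.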
Application Security
Most controls related to application security are laid down in the ISO 27001 and SOC 2 manuals. Broadly, most enterprise security assessment questionnaires would seek answers to the following questions:
- Are Web Application Firewalls used to protect from common exploits?
- What protocol is used to allow secure authorization through all applications (e.g., OAuth2.0)?
- Does the application support Single Sign On (SSO)?
- Is data encrypted at rest?
- Does the application use API rate limiting to prevent brute-force/DoS attacks?
- How are cross-domain requests handled? Is CORS enabled?
We could share our experiences on how we've seen the best SaaS companies manage their application security practices; schedule a call with us (it's free).
Other Miscellaneous Questions
Apart from the most commonly occurring pointers that we covered above, we've also seen some specific questions that certain enterprises like to ask SaaS vendors. We've tried to compile a list here (many of these would get covered as part of the ISO 27001 and SOC 2 compliance process):
- How are MITM attacks prevented? Are all insecure HTTP requests redirected to secure HTTPS?
- Are development, QA, staging, and production environments equally secured?
- Are all environments configured to the Principle of Least Privilege (access granted only to those who have a legitimate need for the information)?
- How frequently are Vulnerability Assessment tests carried out (the CISO could ask for a recent report)?
- How frequently are external penetration tests carried out (the CISO could ask for a recent report)?
- What is the Disaster Recovery plan followed by the SaaS vendor?
Hopefully, with most of the above questions answered, Stonecold will support us in the enterprise sales process. With 90% of the job done right, not being able to cross the CISO barrier due to inadequate/incorrect Infosec posturing could be a real heartbreak. It's best to seek a meeting with Stonecold proactively and be transparent about your infosec posture upfront, even before the team asks for it.
We help SaaS companies of all sizes create their security posturing and automate tasks related to ISO 27001 and SOC 2 compliance. We won't just provide a tool; we'll ride with you till the end of the line.
Visit us at scrut.io or schedule a demo