
Security and PCI Compliance

Risk of Breaches

Data breaches in 2016 cost businesses an estimated $2.1 billion, four times the figure for the year before. The Panama Papers leak of last year "revealed 11.5 million leaked financial and legal documents of client data... [and] put at risk 12 former country leaders, 29 Forbes-listed billionaires, and 214,000 companies, trusts and foundations, among others" (Finances).

Security Concerns

While the SaaS model can be a useful tool for cutting costs at small businesses, there are definite security concerns to consider. "As if the worry about securing data within a corporate network isn't enough, securing data when it's in somebody else's network is even more complicated" (Cloud). Before SaaS, security and compliance could generally be condensed to a few critical tasks: identify the data, its location, and its encryption; identify users and their privileges; and document this information for audit and regulation. SaaS complicates each of these tasks, because the customer has difficulty determining where and how its data resides on a network the provider controls.

PCI Compliance

Software as a Service affects compliance with a number of regulations, but the most notable is the Payment Card Industry Data Security Standard (PCI DSS). This standard explicitly calls for "service providers" and merchants of any size to be compliant and to acknowledge their responsibility for protecting client credit card data, and it requires that each client of a hosting provider have access only to its own cardholder data environment. Because SaaS providers serve many customers, a user's or company's data may sit on the same servers as someone else's data, potentially a competitor's. Additionally, the access controls for this data sit in the hands of the provider, meaning that login credentials are stored on provider servers.

While providers can claim these to be secure, careful management of user accounts is imperative when the provider handles authentication. "Access has to be revoked for users leaving the company, which is easier when done in-house" by the company's own systems (Cloud). Direct integration with the company's directory services for authentication is an option now available from a number of service providers. Finally, as auditors and regulators can require access to logs for PCI compliance, it is important to negotiate access to the provider's internal logs as part of your service agreement, both for routine monitoring and in the event of an investigation.
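One way to check the account-revocation point above in practice is to reconcile the provider's account list against the company's own directory. The following is an added example, not code from the original page or from any provider; the directory export, the provider account list and the dates are constructed sample data, and the 90-day inactivity threshold follows PCI DSS v3.2.1 requirement 8.1.4.

```python
"""Reconcile a SaaS provider's user list against the corporate directory.

Flags accounts that should have been revoked (user disabled in-house or
absent from the directory) and accounts inactive past the PCI threshold.
"""
from datetime import date, timedelta

# Constructed sample: what an in-house directory export might look like.
DIRECTORY = {
    "alice": {"enabled": True},
    "bob":   {"enabled": False},   # left the company, disabled in-house
    "carol": {"enabled": True},
}

# Constructed sample: the provider's account list with last-login dates.
PROVIDER_ACCOUNTS = [
    {"user": "alice", "role": "admin", "last_login": date(2017, 5, 1)},
    {"user": "bob",   "role": "user",  "last_login": date(2017, 4, 20)},
    {"user": "dave",  "role": "user",  "last_login": date(2016, 11, 2)},  # no directory entry
    {"user": "carol", "role": "user",  "last_login": date(2016, 12, 15)},
]

# PCI DSS v3.2.1 req. 8.1.4: remove/disable accounts inactive for more than 90 days.
INACTIVE_DAYS = 90


def reconcile(directory, accounts, today, inactive_days=INACTIVE_DAYS):
    """Return a sorted list of (user, finding) pairs that need action."""
    findings = []
    cutoff = today - timedelta(days=inactive_days)
    for acct in accounts:
        user = acct["user"]
        entry = directory.get(user)
        if entry is None:
            findings.append((user, "orphaned: no directory entry"))
        elif not entry["enabled"]:
            findings.append((user, "stale: disabled in directory but active at provider"))
        if acct["last_login"] < cutoff:
            findings.append((user, f"inactive: no login for more than {inactive_days} days"))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed review date (constructed) for the sample data above.
    for user, finding in reconcile(DIRECTORY, PROVIDER_ACCOUNTS, date(2017, 5, 10)):
        print(f"{user}: {finding}")
```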