Introduction

Do you trust security certifications when acquiring SaaS/PaaS solutions? Do you accept SOC 2, HIPAA, ISO 27001, PCI DSS or GDPR certifications as evidence of secure practices and, perhaps, quality? If you see a vendor is certified, do you still ask your own questions and request evidence? If you do conduct your own review, are you qualified to do so, and what do you look for?

The reason for the questions is quite simple: many organisations I work with always want to perform their own reviews. Admittedly, many organisations I work with operate in areas with elevated data protection requirements. They like to select vendors that have security certifications, as this gives confidence, but they don’t seem to fully trust them. But why?

The Cloud Providers Used to be Scrutinized

I always found this an interesting practice. In the early days of the Cloud, organisations with inferior security principles, limited insight, and poorly skilled staff in security roles would interrogate the Cloud providers to seemingly assess their credentials. It was impossible for these organisations to fully assess the capabilities and practices employed by the Cloud providers, but that didn’t stop the theatrics. Some of the world’s leading security and process experts are responsible for designing and building the public Clouds, yet they were made to jump through hoops to satisfy potential customers, as if it were a rite of passage.

Thankfully I see this less and less. One reason for seeing less of this behaviour is that a large majority of organisations have now adopted one or more public Clouds. But there are other reasons too.

One of the key drivers for the initial scepticism around the Cloud was a lack of understanding. If you haven’t experienced a technology or approach before, like fully automating secure infrastructure provisioning, you can’t imagine how it is possible. If your own security practices are poor, you believe everyone else is similar or only slightly better. If your infrastructure is chaotic and unmanageable you think this is normal. This lack of vision means a lack of trust. A lack of trust means you want proof before you can accept.

Similarly, if you have data that is valuable to your organisation, you must remain the custodian, right? You couldn’t hand this over to a Cloud provider as it is too valuable; only you can truly ensure your data is safe. Why would a Cloud provider treat your valuable data as carefully as you do? How could you ever entrust a third party with sensitive banking, medical or government data, even though your organisation’s security expertise is a tiny fraction of the Cloud providers’? Where does the greatest risk lie?

Over the last 17 years, since AWS was first released to the public and other Cloud providers followed shortly afterwards, most organisations have overcome their fears of the Cloud. Governments, secret services, global banks and medical institutions all use the Cloud. The questions of security, data safety and sovereignty have generally faded into the background. Organisations have matured and are typically happy to accept that the Cloud is a secure place to cohabit.

Part of this maturity is through the certifications the Cloud providers have acquired. Independent auditors have attested that the Cloud providers’ controls meet the relevant standards, and the providers publish those reports for customers to read.

Another part of this acceptance has come from an organisation’s exposure to the Cloud. Through direct application and learning, organisations have matured to more fully understand Cloud capabilities and security practices. This insight has brought reassurance and comfort. Perhaps more importantly, organisations haven’t seen data being leaked, or large security breaches, attributable to the Cloud providers themselves (the well-publicised Cloud incidents have almost always been customer misconfiguration on the customer’s side of the shared responsibility line), unlike some negligent SaaS/PaaS providers. They have seen the Cloud providers respecting and protecting their clients’ data; let’s face facts, the Cloud providers wouldn’t last long if they didn’t! Organisations now realize the Cloud providers perform far better at protecting infrastructure and data, as they do indeed employ the world’s leading security experts.

What is a Security Certification?

Security certifications cover half of the proof potential customers currently want to see before they can fully trust a provider.

Normally a potential customer will want to understand the provider’s technology landscape through high-level designs and architectural diagrams. They will also want to know how the provider implements their non-functional requirements: their integration options; their Service Level Agreements (SLAs); their ability to scale; their resilience; their backup strategy; their infrastructure segregation for multi-tenancy; their authentication and authorization approach; etc. Potential clients want to know the provider’s technology is sound and will support their own requirements.

The second half of this proof covers how a provider operates and manages their organisation: their processes; their standards; their security procedures; their approach to handling incidents; their approach to privacy and handling data; their approach to confidentiality; their approach to risk assessment and mitigation, etc. Potential clients want to know their data is safe and if there is an incident that it will be handled appropriately.

It is time-consuming to provide this level of detail to every potential customer. This is exacerbated when every potential customer wants to delve deeper, to answer their specific questions, to understand more for personal interest and gratification. Providing a bespoke pre-sales service for a SaaS/PaaS solution can be incredibly expensive in terms of time, and often diverts typically senior employees from their day-to-day role.

This is where security certifications [should] help the SaaS/PaaS providers. When a security certification is undertaken, experts perform detailed reviews in a range of areas across the organisation. These reviews determine how fit the organisation is to, for example, safely and securely handle their clients’ data. Experts perform interviews, review documentation, examine processes, evaluate technology platforms, deploy analysis and monitoring tools, and embed specialists to observe and report. If an organisation has obtained a certification, the associated experts are saying the organisation is sound in the area(s) the certification covers, within the audited scope and for the period the audit examined. That scope statement is the first thing a potential customer should read: a certification that covers only the corporate network, or only one product, says nothing about the service they are actually buying.

Organisations such as OutSystems try to build trust and reduce the pre-sales burden by publicly publishing their policies, procedures and certifications for potential clients to see: https://security.outsystems.com/. Publishing this information publicly shows a collaborative, open approach, which builds trust and enables customers to self-serve the information they desire.

Different certifications focus on different areas of an organisation, but there is significant overlap. This is why you will often see SaaS/PaaS providers have several certifications:

  • SOC 2 – a System and Organization Controls (SOC) 2 audit is performed by an independent CPA (Certified Public Accountant) firm against the AICPA’s Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type 1 report gives the auditor’s opinion on the design of the controls at a point in time; a Type 2 report, the one customers should ask for, also tests that the controls operated effectively over an observation period, typically six to twelve months. The result is a formal attestation report rather than a certificate, and it is usually shared under NDA because it describes the controls in detail, including any exceptions the auditor found.
  • HIPAA – The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law and set of standards that protect sensitive Protected Health Information (PHI) from being disclosed without the patient’s consent or knowledge. This protection covers both the privacy of the data and the security of the data, particularly within an electronic environment. Covered entities (healthcare providers, health plans and clearinghouses) and the business associates that handle PHI on their behalf, which is where a SaaS/PaaS provider usually sits, must comply with HIPAA regulations, but there is no official HIPAA certification: the regulator does not recognise one. The “HIPAA certifications” offered by third parties are private assessments that provide reassurance that the organisation is operating within the HIPAA standards, at a point in time.
  • ISO 27001 – an ISO 27001 certification, the international standard for information security management, shows that an organisation has implemented an Information Security Management System (ISMS) that conforms to the standard. An accredited certification body audits the ISMS and the controls the organisation has chosen from Annex A, as recorded in its Statement of Applicability, at a given point in time. The certificate is normally valid for three years, with annual surveillance audits in between, so the certificate date and the scope statement both matter when reading one.
  • PCI DSS – Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that are specific to processing credit/debit card payments. Whilst this security standard is very specific, its compliance is effectively mandatory (it is enforced contractually by the card brands and acquiring banks rather than by law) and is designed to ensure that companies that accept, process, store or transmit credit card information maintain a secure environment. Depending on transaction volume, compliance is validated either by a Self-Assessment Questionnaire or by an assessment from a Qualified Security Assessor producing a Report on Compliance. This is imperative, as credit card information that falls into the wrong hands can be used to make fraudulent payments.
  • GDPR – the General Data Protection Regulation (GDPR) governs how personal data of people in the EU is collected, stored and processed, wherever the processing organisation is located; the UK retained it after Brexit as the UK GDPR. There is no obligation to certify, but holding a certification from a recognised and respected assessment body can help demonstrate a commitment to information security and data protection best practices. Certifications are available for individuals and organisations. For a SaaS/PaaS provider the practical evidence customers will also ask for is the data processing agreement, the list of sub-processors, and the legal basis for any transfers outside the EU/UK.

I am “fortunate” to have supported some of my clients through certification processes. It isn’t fun, and that’s me being positive. You can’t even consider starting a certification process unless you already have strong organisational processes, procedures, policies, and automation in place. If terms such as DevSecOps, just in time (JIT) access and Privileged Access Management (PAM) seem foreign, then you’re probably not in the right space yet. Similarly, if you don’t encrypt data in transit and at rest, or lack policies and procedures for rotating your encryption keys, you need to look internally before thinking about certification. But that is exactly what a security certification is for – it checks that you are following current best practices.

If you believe your processes, procedures, policies, and automation are suitable for achieving a certification, there is still a lot of effort and cost involved. In the case of SOC 2, for example, the process typically takes 6 months, and many senior employees will have to dedicate time. Not to mention the cost of paying for the certification process. You will need relevant documentation and diagrams, be able to show how processes are automated, and allow experts to evaluate your infrastructure.

Having been exposed to certification processes, I trust them! I’ve seen how thorough the assessments are. If a SaaS/PaaS provider has relevant security certifications and a suitable technology landscape, I trust them too.

Scrutinizing SaaS and PaaS Solutions

So, why doesn’t everyone trust the security certifications?

Similar to how the Cloud providers used to be scrutinized during the early days of the Cloud, it is still relatively early days for SaaS and PaaS providers and security certifications. As such, there is once again a general lack of understanding amongst potential customers as to the best practices that are being adopted by the SaaS/PaaS providers: real-time threat analysis; zero-trust networks; bring your own encryption keys; just in time access; etc. This lack of understanding extends to the providers’ security certifications and the role they play as proof of capability and security.

Like in the early days of the Cloud, data security also proves to be an area where trust is lacking. There is general acceptance nowadays that Amazon, Google, Microsoft, etc. employees can’t wander around their customers’ Cloud deployed infrastructure, browsing their data. But this level of trust hasn’t made it to SaaS/PaaS providers, yet. Potential clients, especially ones that don’t fully appreciate the security certification processes, still believe that a SaaS/PaaS provider’s employees can, indeed, simply access client data. There are very public examples of SaaS/PaaS providers’ infrastructure and data being breached, and certification does not make a provider immune; what it does mean is that the provider’s access controls, logging and incident response have been independently examined, which is precisely the evidence a potential client would otherwise be trying to gather for themselves.

Perhaps one of the hardest challenges to overcome, however, is the general belief that potential clients somehow have the right to scrutinize the internals of a SaaS/PaaS provider. This belief seems to stem from the idea that technical staff within the client organisation are somehow fit and proper to perform a realistic analysis. Could this analysis be performed better than that of a certification body? Are the technical staff within the client organisation familiar with the latest security practices or are they just trying to justify their role as a SaaS/PaaS provider takes on operating technical capabilities on their behalf?

Regardless of which of the reasons above are in play, scrutinizing a well-certified SaaS/PaaS provider seems to add little value, and simply delays adoption and the true value that could be realized.

Are Security Certifications Worth It?

I would say yes.

Whilst many potential clients don’t fully trust certifications yet, and there is a lot of pre-sales activity to endure, trust is building. Similar to the experience of the Cloud providers, as technical decision makers are increasingly exposed to security certifications, trust will grow. As organisations with security certifications build a solid reputation, trust will grow. As collective trust grows, the balance will tip, and organisations that don’t have certifications will be frowned upon and will fall by the wayside.

I anticipate we will see a direct correlation between the un-certified SaaS/PaaS providers and an increase in security breaches. Whilst any security breach is harmful to the industry, this correlation will naturally lead to increased confidence in security certifications. Whilst not fool-proof, or a guarantee of absolute security, certified providers will begin to dominate the Cloud platforms and for good reason.

And finally, if you are a SaaS/PaaS provider, ensuring your processes, procedures, policies and technology stand up to the scrutiny of external auditors must be a good thing. The auditors check that your organisation meets the latest best practices and standards, which builds both public and internal confidence. Compliance now ensures you are building a solid organisation for the future.