Software as a service (SaaS) vendors should be held to higher standards than traditional product providers.
Writing on searchfinancialsecurity.com, Russ McRee, founder of holisticinfosec.org, argued that while software, operating systems and physical security products all fall under existing vulnerability management frameworks, the scrutiny applied to SaaS security is not on a par with that applied to those traditional product counterparts, so SaaS vendors may need to meet specific industry compliance requirements to close the gap.
McRee said: “Someone providing SaaS on your behalf is also supposed to be providing you and your customers with physical, network and application security. Take it down to the simplest common denominator: What is the value of your data?
“As a financial service, few would contend that there is no more valuable data than what you keep for your customers. You owe it to those customers to ensure that their information is safe; thus your SaaS vendor owes it to you in equal measure.
“An enterprise is only as strong as its weakest link, and if someone else is managing that link for you, you have some questions to ask before marrying your business to theirs.”
He advised businesses to review their SaaS contract language and ‘consider additions that enhance your security posture as you prepare to purchase services’.