Enable breadcrumbs token at /includes/pageheader.html.twig

Sponsored: Three Security Must-Haves When Evaluating SaaS Solutions

A mini guide to securely onboarding a software as a service partner.
By John Greenstein, General Manager of Public Sector, Bluescape

While improved service delivery and return on investment are top-of-mind procurement objectives when choosing a Software as a Service (SaaS) partner, federal agencies must equally prioritize “security first” measures to ensure vulnerable legacy systems are protected in today’s digitally dominated climate.

The President’s Executive Order on Improving the Nation’s Cybersecurity requires agencies to develop standards to prevent cyber incidents and transform government systems into safe and trustworthy digital infrastructures with zero-trust architecture as laid out in the Office of Management and Budget’s (OMB) federal strategy issued January 26, 2022.

This is no easy feat but with due diligence and prioritization, government agencies can protect against increasingly malicious actors by ensuring these three security must-haves:

1.)   Don’t Sacrifice Security for Agility

Cloud-based software may provide the features your teams need to be productive, and freemium software may be easily accessible, but many of these solutions take shortcuts when it comes to security. This can also pave the way for shadow IT, the use of systems, devices, software, apps and services outside of an organization’s approved infrastructure. This limits the visibility and ability to manage, and potential security and compliance risks that can arise. Make sure to properly investigate security accreditations, encryption methodologies and access controls.

A good place to start is the FedRAMP marketplace. This is a directory containing vendors and products that have been properly vetted and are continuously being monitored by executive branch entities. This lessens the time, money and diligence required to assess the integrity of Cloud Service Providers (CSPs).

2.)   Prioritize Zero Trust Architecture

January’s OMB memorandum outlining the zero-trust strategy is a reminder that, though the concept may sound strenuous in theory, it is an achievable requirement every agency must prioritize. Implementing zero trust doesn’t have to be complicated, especially when the Cybersecurity and Infrastructure Security Agency (CISA) is guiding federal agencies along the way.

At its core, zero-trust architecture protects critical assets and data from the inside out to establish full visibility of threats and detect suspicious activity. Waiting to implement zero-trust measures can open agencies to significant risks that could otherwise be thwarted. Proactive prevention measures are imperative to maintaining a “never trust, always verify” model.

Additionally, software should be certified by enterprise-grade security measures. For civil agencies, FedRAMP is key. For DoD agencies, Impact Levels (IL2, IL4, IL5 and IL6) go a step further. Secondly, providers should offer both cloud and on-premises deployments of the software. Flexible deployment options ensure you can secure and manage content and communications to best align with your existing infrastructure and needs. Other best practices include multifactor authentication, endpoint detection, rigorous testing and more.

3.)   Know How Data Is Used and Stored

Do you know where your organization’s data is being stored? If the answer is no, you’re not alone. According to a study conducted by IoD and Barclays, 43 percent of users do not know where their data is physically stored and 59 percent rely on outsourcing their data storage. Knowing where your data is being stored and used is key to securing it, especially if the data is stored outside of the United States. A company may have its headquarters in the United States but if data travels through overseas servers, you must be aware of all storage and management locations. This is not only a matter of compliance but may also be one of national security. Unfortunately, not every SaaS company is forthcoming with its data center locations, so it’s critical that agency leaders cover their bases in the procurement process and seek United States-based data centers.

Avoiding security pitfalls is about more than simply complying with standards. Agencies and vendors alike must place security at the center of all they do to protect national security in an increasingly high-stakes threat landscape.

Click for more information.