I often come across founders or business leaders who bear responsibility for the SaaS (Software-as-a-Service) or cloud-based software products their company owns or builds for its clients. Unsurprisingly, they are usually concerned about getting security and compliance right, and rightly so, considering that 25% of cyber attacks are launched at SaaS apps and 80% of all data breaches involve those apps. Sometimes, though, it's not clear what should be required, security or compliance, or how the two work together. Let's clear that up.
What's Security Anyway?
Bear with me. I know that may seem like a silly question, but the intuitive flow of the answers that follow in this post will make it worthwhile.
Essentially, security is the art and science of making sure the crown jewels stay protected. For just about any SaaS app, and particularly for SaaS apps in sectors like finance, healthcare, or energy, this usually means protecting the highly personal data, privacy, mental wellbeing, and even livelihood of the app's customers. Of course, protecting those jewels also protects the viability of the company that provides the app.
So What's Compliance Then?
Compliance simply means verifying that security is happening, and happening correctly: that the SaaS dev team or company is compliant with the expectations or standards for creating secure SaaS apps. This doesn't mean that there is not a single security flaw, but it does mean that the company has done its due diligence.
Verification or certification of compliance inspires trust.
But then there's the obvious question: who sets compliance standards or benchmarks? The answer: it depends.
An internal security team, or external security consultants working with the dev team, can set the expectations of what the team should do to build secure SaaS apps: for example, API hardening, cloud infrastructure configuration, secure key storage, and more. Those documented expectations are subsequently used by the same internal team or external consultants, through automation and/or manual inspection, to verify or improve the dev team's compliance. In a DevOps environment, where infrastructure and code change continuously, compliance verification must be highly automated to be effective.
Still, the compliance we just described has a limitation: it's specific to one company. In sensitive industries, a third party (independent standards bodies, consortiums of top technical experts, or the government) will also create a company-agnostic compliance standard that lowers the barrier for most companies in that industry to do the right thing. This also makes it easy for anyone who understands the standard to verify the compliance of any particular company.
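To make the "documented expectations, verified by automation" idea concrete, here is an added example (not code from this post or from any particular company) of a small policy-as-code check that a CI job could run on every deployment. The three rule groups (API hardening, cloud storage configuration, secret storage) mirror the expectations named above; the rule names, the threshold values and the deployment description are all constructed for the illustration. A real pipeline would build that description from infrastructure-as-code files or the cloud provider's API instead of a literal.

```python
"""Automated verification of a dev team's documented security expectations.

Added illustration. The rule set and the deployment description below are
constructed for this example; in practice the description would be extracted
from infrastructure-as-code or the cloud provider's API in a CI job.
"""
from dataclasses import dataclass

# Documented expectation: API endpoints negotiate at least TLS 1.2 (constructed threshold).
MIN_TLS = (1, 2)


@dataclass(frozen=True)
class Finding:
    rule: str       # identifier of the documented expectation that failed
    resource: str   # which component failed it
    detail: str     # what was observed


# Constructed description of one SaaS deployment. Two storage buckets, two
# secrets and one API, each with a mix of good and bad settings.
SAMPLE_DEPLOYMENT = {
    "api": {
        "name": "customer-api",
        "tls_min_version": "1.0",     # below the documented minimum
        "rate_limit_per_min": 0,      # no rate limiting
        "auth_required": True,
    },
    "storage": [
        {"name": "customer-docs", "public_access": True, "encryption_at_rest": True},
        {"name": "audit-logs", "public_access": False, "encryption_at_rest": False},
    ],
    "secrets": [
        {"name": "db-password", "source": "vault"},     # held in the secrets manager
        {"name": "payment-api-key", "source": "inline"},  # pasted into config
    ],
}


def _tls_tuple(version: str) -> tuple:
    """Turn '1.2' into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_api(api: dict) -> list:
    """API hardening expectations: modern TLS, rate limiting, authentication."""
    findings = []
    name = api["name"]
    tls = api.get("tls_min_version", "1.0")
    if _tls_tuple(tls) < MIN_TLS:
        findings.append(Finding("API-TLS", name, f"minimum TLS {tls} is below 1.2"))
    if not api.get("rate_limit_per_min"):
        findings.append(Finding("API-RATELIMIT", name, "no per-client rate limit configured"))
    if not api.get("auth_required", False):
        findings.append(Finding("API-AUTH", name, "endpoint reachable without authentication"))
    return findings


def check_storage(buckets: list) -> list:
    """Cloud storage expectations: no public buckets, encryption at rest on."""
    findings = []
    for bucket in buckets:
        if bucket.get("public_access"):
            findings.append(Finding("STORAGE-PUBLIC", bucket["name"], "public access enabled"))
        if not bucket.get("encryption_at_rest"):
            findings.append(Finding("STORAGE-ENCRYPTION", bucket["name"], "encryption at rest disabled"))
    return findings


def check_secrets(secrets: list) -> list:
    """Secure key storage expectation: secrets come from the secrets manager only."""
    findings = []
    for secret in secrets:
        if secret.get("source") != "vault":
            findings.append(Finding("SECRET-STORAGE", secret["name"],
                                    f"secret is '{secret.get('source')}' rather than in the secrets manager"))
    return findings


def run_checks(deployment: dict) -> list:
    """Run every documented expectation and return the list of failures."""
    return (check_api(deployment["api"])
            + check_storage(deployment.get("storage", []))
            + check_secrets(deployment.get("secrets", [])))


def is_compliant(deployment: dict) -> bool:
    """True only when no expectation failed; this is what a CI gate would test."""
    return not run_checks(deployment)


def compliance_report(deployment: dict) -> str:
    """Human-readable summary for the dev team or the reviewing security team."""
    findings = run_checks(deployment)
    if not findings:
        return "COMPLIANT: all documented expectations met"
    lines = [f"NON-COMPLIANT: {len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"  [{f.rule}] {f.resource}: {f.detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(compliance_report(SAMPLE_DEPLOYMENT))
```

Run against the constructed deployment it reports five findings (old TLS, no rate limit, one public bucket, one unencrypted bucket, one inline secret); a CI job would fail the build on `is_compliant(...) == False` and attach the report. The point of the structure is that each rule is a named, reviewable expectation: the security team can add or tighten a rule in one place and every subsequent deployment is re-verified automatically.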
The Major Third-Party Compliance Standards for SaaS or Cloud Apps
Some standards become de facto benchmarks by which the trustworthiness of software products is measured.
Here's a short overview of the main compliance standards that SaaS companies may need to comply with.
PCI-DSS: The Payment Card Industry Data Security Standard is an industry-driven information security standard for any company or platform that handles credit card information.
HIPAA: The Healthcare Insurance Portability and Assurance Act is a United States federal law that places stringent security and privacy requirements on any system that processes the personal healthcare information of any U.S. resident.
GDPR: The General Data Protection Regulation is a European law that governs how personal information is collected or used in Europe, for every business that operates or has clients there. It also restricts how personal information is transferred outside of the EU.
ISO-27001: An international standard for managing information security.
CCPA: The California Consumer Privacy Act is a law very similar to GDPR, but it applies to residents of the state of California in the United States.
SOC: Systems, Organizations, and Controls applies to organizations that provide information systems as a service to other organizations.
CCSS: The CryptoCurrency Security Standard is a newer standard for any information system that stores or transacts in cryptocurrency.
Some of the standards above overlap, some can or should be combined, and others may be used interchangeably.
If you have any questions around SaaS security or compliance, please feel free to reach out and let's chat!