Appirio in the News

Wednesday, March 13, 2013

Ignore Cloud Security Assessment at Your Own Risk

CIO

...Budget practices and economics also play a role in limiting SaaS testing. Glenn Weinstein, co-founder and CIO at Appirio, a cloud services provider based in San Francisco, says IT organizations may lack a formal budget line item for SaaS testing and instead rely on the vendor to provide security. "It's still not top of mind in the budgeting process. You don't see it broken out as a separate line of the security budget."

There Are No Dumb Cloud Security Questions

Just because an enterprise lacks a formal SaaS testing budget doesn't mean it isn't asking security questions, Weinstein notes. He's seen IT security teams invest significant time with cloud vendors as part of the RFP process.

As a cloud service brokerage, Weinstein says Appirio fields client security questions. The company defers some inquiries to the SaaS vendor involved in a particular customer engagement, such as questions regarding infrastructure, data centers and the layers of security around a given application.

Appirio, meanwhile, directly addresses questions related to its own security process, Weinstein notes. The company, or its business partners, may need to access a SaaS application on the customer's behalf. This means clients are interested in how Appirio protects data from internal breaches.

Specifically, customers may ask how the company handles data in transit, or in the development environment, or when it is passed among consulting partners, Weinstein notes, adding that customers continue to grapple with what to ask of their cloud providers. "We are in the very early days," he says, "and the types of questions that customers ask about the cloud...will continue to change."

If anything, Weinstein would like to see more probing questions from customers. "We still see a lot of questions aimed at considerations that are pretty well shored up at this point."

An RFP might ask cloud vendors about penetration testing or distributed denial of service vulnerability, but Weinstein says the top enterprise providers have those issues well in hand. He'd prefer to see RFPs ask about configuration security, authentication options, and the provider's ability to control access to data among employees and third parties. He suggests that those questions more closely address the security surrounding cloud applications....
