From the CSO's desk: Hidden SaaS implementation

Once upon a time, HR decided to test a new software-as-a-service (SaaS) solution for collecting résumés, collecting information for background checks and managing the process of onboarding a new employee.

During the process, the SaaS vendor salespeople stressed to the HR personnel how easy the system was to use, emphasizing the streamlined setup and configuration that can cut deployment time. HR management began processing new employees as part of the test.

As it happens, this new "test" application had effectively entered production and, in the course of testing the new service, personal data elements were entered prior to each individual being hired. After a hiring decision, additional information was added.

Imagine, if you will, that the salesperson at the SaaS vendor didn't oversell the ease of use. The new application truly is easy to set up and use — so easy that HR management didn't even bother the overtaxed IT organization during the entire process and instead appointed one of the HR administrative assistants to manage the application and set up user accounts.

And this is where it can get scary. Will the assistant configure application security controls in accordance with IT and information security policies? Will the test go into production without IT or information security review? Will users end up with shared accounts? Will a design review happen? How often will passwords expire?

Salespeople at SaaS organizations are trained to sell directly to line of business management and circumvent traditional purchasing paths for technology applications. The managers outside of IT don't see contracting directly and excluding IT as a problem — they may even think they are helping IT by reducing their workload. It is hard to imagine that senior management at a large company would choose to circumvent IT and information security controls and allow HR, sales, marketing or finance to buy a server, set it up, and actively run critical enterprise applications in production.

However, companies are doing exactly that when choosing a SaaS solution. The result can be a technology solution that on the surface performs the required tasks of the business users, but with far greater risk of a breach of confidential data.

This isn't a tough problem to solve, once you are aware that the problem exists. The companies that don't solve this problem could be the ones you read about in publications such as this one as the next TJX. It is important for you to take action to prevent this from happening at your company right now before Social Security numbers or credit card numbers of your customers end up floating around the internet.

Eric Svetcov is information security director at a major SaaS company.