1. General

What technical services should be enabled on my SaaS platform?

Are you wondering what technical controls need to be in place to comply with standards such as ISO 27001, SOC 2, and legislation like the Digital Operational Resilience Act (DORA)?

These standards and regulations are risk-based: they require an organisation to implement technical controls that fit its own risk profile rather than a fixed checklist. Because most SaaS companies face similar risks (internet-facing applications, multi-tenant data stores, cloud infrastructure, third-party code), a common core of cybersecurity and information security controls is nonetheless expected by auditors and customers. Below is a list of the services and controls typically needed to meet compliance and keep a SaaS environment secure.

1. VPN Access

  • Description: Access to the private network of your cloud environment (VPN, bastion host or an equivalent access proxy) should be limited to the members of the engineering or development teams who need it, with individual accounts and multi-factor authentication rather than a shared credential.
  • Best Practices: Apply the principle of least privilege (PoLP). Network reachability is not authorisation: once on the VPN, each user should still only hold the roles, applications and data required for their tasks. Keep VPN access logs, review membership when people change roles, and remove access promptly when they leave.

2. DDoS Protection

  • Description: Protect against Distributed Denial of Service (DDoS) attacks to maintain service availability, which ISO 27001, SOC 2 and DORA all treat as a security objective alongside confidentiality and integrity.
  • Example: On AWS, Shield Standard protects against common network- and transport-layer floods automatically and at no extra cost; Shield Advanced adds application-layer protection, cost protection and response support for internet-facing resources such as load balancers and CloudFront distributions. Whatever the provider, put public endpoints behind a CDN or load balancer rather than exposing instances directly, and keep evidence of the configuration for audits.

3. Web Application Firewall (WAF)

  • Description: A WAF protects your web applications by filtering and monitoring HTTP(S) traffic in front of them, blocking common web exploits and abusive request patterns.
  • Example: AWS WAF, attached to an Application Load Balancer, CloudFront distribution or API Gateway, can block SQL injection and cross-site scripting (XSS) payloads and rate-limit clients. A WAF is a compensating control: it reduces exposure but does not replace fixing the underlying vulnerabilities in code, so pair it with code review and vulnerability scanning.

4. Intrusion Detection/Prevention Systems (IDS/IDPS)

  • Description: Monitor your network and cloud control plane for malicious activity or policy violations, and, where an inline prevention system is deployed, block attacks before they cause damage.
  • Example: Amazon GuardDuty is a detection service: it analyses CloudTrail events, VPC Flow Logs and DNS logs and raises findings, but it does not block traffic. Inline prevention (IPS) requires a control that sits in the traffic path, such as AWS Network Firewall or a third-party IDS/IPS appliance. Be clear with auditors about which of the two you run.

5. Threat Detection and Monitoring

  • Description: Continuously monitor your infrastructure for potential security threats, generating alerts and logs that can be investigated and retained as evidence.
  • Example: Centralise logs (CloudTrail, load balancer, application and authentication logs) in a log store or SIEM with retention set by policy, aggregate findings from services such as Amazon GuardDuty and Amazon Inspector in AWS Security Hub or an equivalent, and route high-severity alerts to an on-call channel. Auditors will ask not only whether alerts exist but who responds to them and how that response is recorded.

6. Vulnerability Scanning

  • Description: Perform continuous vulnerability scanning to identify and remediate security weaknesses in your infrastructure, with remediation deadlines tied to severity.
  • Internal Scanning: Services like Amazon Inspector scan EC2 instances, container images in ECR and Lambda functions for known vulnerabilities (CVEs) and unintended network exposure.
  • External Scanning: External vulnerability scans of your public endpoints, performed by a third-party service from outside your network, are also expected so that risks visible to an attacker on the internet are covered. Most auditors additionally expect a periodic penetration test, and DORA requires threat-led penetration testing for financial entities in scope.

7. Data Encryption at Rest

  • Description: All confidential or sensitive data should be encrypted at rest so that unauthorised access to the storage layer (a lost disk, a mis-shared snapshot, an exposed backup) does not expose the information.
  • Best Practices: Use strong, standard algorithms (e.g., AES-256, in an authenticated mode such as GCM) and, in the cloud, enable the provider's KMS-backed default encryption on volumes, object storage and databases. Make sure it covers every copy of the data, not just the primary store: backups, snapshots, search indexes, queues and logs are where gaps usually appear. Prioritise personally identifiable information (PII) and financial data.

8. Key Management

  • Description: Manage encryption keys securely so that you, not whoever can read the storage, control access to encrypted data. In practice this means envelope encryption: each record or object is encrypted with its own data key, and the data key is wrapped by a master key held in a key management service.
  • Example: With AWS Key Management Service (KMS), customer-managed keys are generated and used inside hardware security modules and never leave the service in plaintext; automatic rotation can be enabled (yearly by default), every key use is recorded in CloudTrail, and key policies let you separate the people who administer keys from the services that use them. Auditors and clients will expect a documented process covering key generation, access, rotation, revocation and incident handling, and evidence that it is followed.
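The sections on encryption at rest and key management above describe envelope encryption without showing it. The program below is an added example written for this page, not code from the page's author or from AWS: it models a KMS master key in memory (in a real KMS the key material never leaves the HSM; keeping it in a Go struct is an assumption made only so the example runs stand-alone), encrypts a record under a fresh per-record data key with AES-256-GCM, wraps that data key under the master key, and then rotates the master key by re-wrapping the data key without touching the bulk ciphertext. The record context string plays the role of a KMS encryption context: it is not secret, but it is authenticated, so a wrapped key cannot be moved to another record. Key IDs, the context string and the sample PII are constructed for the example. Note that KMS automatic rotation keeps the previous key material so older ciphertext still decrypts; the Rotate function here models the explicit re-wrap you would do with a manual rotation or a re-encrypt call.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// MasterKey stands in for a KMS customer-managed key. Real KMS key material never leaves the HSM; holding it in memory is an assumption made only so this example runs stand-alone.
type MasterKey struct {
	ID  string
	key []byte // 32 bytes, i.e. AES-256
}

// EncryptedRecord is what the application persists: ciphertext, the per-record data key wrapped under a master key, and that master key's ID.
type EncryptedRecord struct {
	MasterKeyID    string
	Context        string // encryption context, used as AAD: not secret, but must match on decrypt
	WrappedDataKey []byte
	Ciphertext     []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) } // a failing CSPRNG is not recoverable
	return b
}

func NewMasterKey(id string) *MasterKey { return &MasterKey{ID: id, key: randomBytes(32)} }

func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a wrong key length, which would be a bug here
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts with AES-256-GCM and prepends the random 12-byte nonce.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aeadFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// unseal reverses seal; GCM authentication fails if the ciphertext or AAD changed.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm := aeadFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt makes a fresh data key for this record, encrypts the record under it and wraps the data key under mk.
func Encrypt(mk *MasterKey, context string, plaintext []byte) *EncryptedRecord {
	dataKey := randomBytes(32)
	wrapped := seal(mk.key, dataKey, []byte(mk.ID+"|"+context)) // AAD ties the wrapped key to mk and this context
	return &EncryptedRecord{MasterKeyID: mk.ID, Context: context, WrappedDataKey: wrapped, Ciphertext: seal(dataKey, plaintext, []byte(context))}
}

// unwrap recovers the data key with the master key the record names; keyring holds the master keys this service may use.
func unwrap(keyring map[string]*MasterKey, rec *EncryptedRecord) ([]byte, error) {
	mk, ok := keyring[rec.MasterKeyID]
	if !ok {
		return nil, fmt.Errorf("master key %q not in keyring", rec.MasterKeyID)
	}
	return unseal(mk.key, rec.WrappedDataKey, []byte(mk.ID+"|"+rec.Context))
}

func Decrypt(keyring map[string]*MasterKey, rec *EncryptedRecord) ([]byte, error) {
	dataKey, err := unwrap(keyring, rec)
	if err != nil {
		return nil, err
	}
	return unseal(dataKey, rec.Ciphertext, []byte(rec.Context))
}

// Rotate re-wraps the data key under newKey; the bulk ciphertext is untouched, which is what makes rotation cheap.
func Rotate(keyring map[string]*MasterKey, newKey *MasterKey, rec *EncryptedRecord) error {
	dataKey, err := unwrap(keyring, rec)
	if err != nil {
		return err
	}
	rec.WrappedDataKey = seal(newKey.key, dataKey, []byte(newKey.ID+"|"+rec.Context))
	rec.MasterKeyID = newKey.ID
	return nil
}

func main() {
	k2024, k2025 := NewMasterKey("cmk-2024"), NewMasterKey("cmk-2025")
	rec := Encrypt(k2024, "table=customers;id=42", []byte("constructed PII: jane@example.com"))
	_ = Rotate(map[string]*MasterKey{k2024.ID: k2024}, k2025, rec)
	pt, err := Decrypt(map[string]*MasterKey{k2025.ID: k2025}, rec)
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

Two properties are worth checking against your own implementation. First, after Rotate the ciphertext bytes are identical and only the small wrapped key changed, so rotating a master key over millions of records is a metadata update, not a bulk re-encryption. Second, a keyring that no longer contains the old key cannot decrypt the rotated record, which is how you retire compromised key material: re-wrap everything under the new key, then disable the old one. What this toy cannot reproduce is the part auditors care about most: in a real KMS every unwrap is an API call subject to a key policy and logged, so "who used which key, when" is answerable.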

9. Backup Services

  • Description: Implement a backup strategy that makes data recoverable after system failures, attacks (including ransomware and deletion by a compromised credential) or disasters, with a defined recovery point objective (RPO) and recovery time objective (RTO).
  • Best Practices: Depending on your risk profile, include failover capabilities, regional redundancy, and off-site or offline copies. Keep at least one copy that a compromised production credential cannot delete or alter (for example an immutable object-storage copy or a separate account), encrypt backups like any other data, and test restores on a schedule; a backup that has never been restored is not evidence of recoverability, and auditors will ask for restore-test records.

10. Source Code Management (SCM)

  • Description: Source code should be stored in a source code management system (e.g., GitHub, GitLab) with access controls in place: single sign-on or multi-factor authentication for every account, protected main branches that require review before merge, and restrictions on who can push and who can change repository settings.
  • Best Practices: Back up code repositories independently, as not all SCM platforms provide native backup services and a hosted platform outage or account compromise would otherwise take your code with it. Keep secrets out of repositories (scan for them) and retain the repository audit log as evidence of change control.

11. Open Source Code Analysis

  • Description: Open source components make up most of a typical SaaS codebase, and each one brings its own vulnerabilities and licence terms. DORA explicitly requires the analysis of open-source software to manage the associated risks.
  • Best Practices: Use automated software composition analysis tools (e.g., Snyk, Sonatype Nexus Lifecycle) in the build pipeline to inventory components, fail builds on known-vulnerable versions above an agreed severity, and check licences against your open source usage policy. Keep the resulting inventory (a software bill of materials) current; it is what lets you answer "are we affected?" quickly when a new vulnerability is published.

Additional Considerations

While the above list highlights the controls most SaaS platforms end up needing, not every control is universally required. The exact set your company needs follows from your risk assessment, business needs and regulatory obligations. ISO 27001, SOC 2 and DORA are risk-based, so the way you implement each control, and the evidence you keep that it operates, should be traceable back to the specific risks your organisation faces.

Conclusion

This guide provides an overview of the typical controls and services SaaS companies need to implement to meet industry standards and legislative requirements. Always ensure your controls are customised to your specific risk environment, and regularly review and update your compliance posture to stay aligned with evolving risks and regulations.