Software as a Service (SaaS) has gone from the cutting edge to a core technology for many businesses. But given the wide scope of cloud services companies engage in under the umbrella of SaaS, it is also important to understand the attendant risks these services present. This article describes those risks as well as the best practices for controls available to managers.
No longer an emerging or potential technology, cloud computing is now an essential solution for many organizations. This technology alternative provides Software as a Service (SaaS) users with the flexibility to adapt to rapidly changing demand while providing managers with alternative financial solutions that facilitate introducing or enhancing service delivery strategies. The cost for these benefits may include the SaaS user compromising on how technology risks are addressed. Earlier articles (see the sidebar, Background Reading on Cloud Computing) have provided readers with cloud computing foundations and general risk management approaches for assessing cloud environments. This article provides readers with a more direct understanding of the SaaS-related cloud computing activities that they may engage in, and the resultant risks that require management’s attention to achieve the desired benefits and enterprise goals.
Non-technology department users (sometimes referred to as “end” or “business” users) are most likely to interface directly with a SaaS solution, as it frequently represents an application or data processing activity directly under the business user’s purview. SaaS services include e-mail and office tools (e.g., Office 365 or Google Workspace). Enterprise accounting and financial management software, such as SAP, NetSuite, and Oracle Financials, offers a SaaS delivery model, as do Intacct, Xero, and QuickBooks in the small and midsize business market. Other well-known software companies provide SaaS models that have become integral to enterprises, including Salesforce, Slack, ServiceNow, GitHub, and Workday. It is the authors’ experience that the larger SaaS user organizations that can afford to make the best use of these solutions also provide risk management oversight of these vendors.
Yet a significant benefit of SaaS contributes to heightened risk management concerns, specifically when the solution’s use falls outside the enterprise-wide purview, because SaaS solutions do not require the initial capital expenditure and oversight required by traditional software solutions. For example, an executive can determine what to buy and which technology tools to use, especially in a decentralized organization that shifts decision-making and supporting purchasing power away from central administration and control. With a manageable subscription cost that can circumvent the technology steering committee and established policy limits on capital expenditures, the executive can introduce the technology with minimal interference from risk management and compliance officers. Unfortunately, the risk is not limited to spending; the greater exposure is the storage and processing of data by an unvetted or unmanaged SaaS vendor or service organization whose actions could negatively impact the SaaS user’s reputation and, in some cases, its survival.
SaaS Computing is an Enterprise-wide Risk
In many ways, SaaS computing exemplifies the concern expressed in the Committee of Sponsoring Organizations’ (COSO) Enterprise Risk Management framework about a risk that arises “in one part of the entity but impact a different part. Consequently, management identifies and manages these entity-wide risks to sustain and improve performance” (COSO Enterprise Risk Management Executive Summary, p. 3). Risk managers must address the internal political challenge of business-line executives migrating on-premises legacy applications to SaaS solutions that may benefit their line of business (and their bonuses). In doing so, they hand processing to a third-party entity over which the organization may have little to no practical control or influence. Other business units may rely on the output generated by the business unit engaging the SaaS vendor or service organization, with no assurance, measured against the SaaS user’s own standards and expectations, over the quality of that information or its security, availability, and confidentiality.
As a result, the integrity of the data processed and stored by the entity may raise risks in other business units. In a graduate course at Texas A&M Law School, Richard Kravitz describes the challenges facing enterprise risk managers trying to mitigate these threats, especially when they result in “black swan” events:
Plane crashes, oil spills, the Lehman Brothers meltdown, Colonial Bank, the bankruptcies of insurance companies like Penn Treaty … the sale of illiquid insurance portfolios to third parties by MetLife… Three Mile Island, the Challenger and Fukushima all have something sadly in common from a risk management perspective. Underlying these entities are complex systems whose integration is never thoroughly tested or under one centralized risk management command—separate systems with separate subcontractors who may have implemented systems at different times resulting in cross-functional errors that somebody may overlook. Complex, disaggregated systems may have imperfect controls, lack redundancy, or cannot communicate across disciplines, departments, or systems—and, as a consequence, exponentially create catastrophic risk; these are the common elements that bind all of these failures. Risk managers don’t focus on catastrophic failure and how to mitigate it. Separate subcontractors usually develop these systems, and the result is that executives overlook cross-functional risk mitigation because there is no central oversight over all of these disaggregated, disconnected activities. Even the senior corporate executive does not understand the need for a centralized cross-functional risk management. (conversation with the authors)
With cloud computing in general, and SaaS in particular, executives face challenges similar to those described above. When one SaaS vendor or service organization acquires another, or two merge, it can take years to integrate the various software tools effectively. Unsophisticated SaaS users may believe that because two different solutions share the same corporate parent, integration and interface between the two solutions are possible without specific assurances related to the SaaS application. Technology integrators or contractors usually assume processing integrity when combining SaaS applications to justify minimizing time commitments. Many executives believe sales pitches from SaaS vendors that risk is minimized because the application runs on a well-known cloud infrastructure (e.g., AWS, Azure, Google Cloud).
For many, the use of SaaS has become an enterprise-wide issue with increasing attention from the risk management community. In its “2022 Cloud Security Survey Report,” the Cloud Security Alliance, a well-respected industry group, reported that “on average, organizations report using 102 applications. The maximum number of applications reported was over 5,000” (p. 3).
From an enterprise risk management (ERM) perspective, operations, reporting, and compliance are the three categories of enterprise objectives, and SaaS computing represents risks to each.
For example, an operational risk would be relying upon a SaaS vendor or service organization that offers business analytics services that generate information to aid in marketing investment decisions. If the data generated by the SaaS vendor or service organization is unreliable, the risk that a SaaS user may not achieve its sales goals would be increased. The control at the business to reduce this risk would be close and frequent monitoring of sales trends before and after implementing the SaaS vendor or service organization’s business analytics services. The results would be compared to management’s expectations; if expectations were not met, there should be an investigation as to “why.”
An example of a reporting risk would be a company that utilized a SaaS vendor or service organization to record, process, and report financial information. This SaaS user decided to terminate the contract with the SaaS vendor or service organization and move to a competitor. Upon informing the old SaaS vendor or service organization that they needed to migrate their data to a new vendor or service organization, the old vendor or service organization informed the user that according to the agreement, the old SaaS vendor or service organization, not the SaaS user, owned the data. If SaaS users wanted to migrate the data to another platform, they would have to buy it back from the old SaaS vendor or service organization. This situation dragged on as the SaaS user and the old SaaS vendor or service organization negotiated over the release of the data. When it came time for the annual financial audit, the SaaS user did not have access to their data, had no accounting records, and was unable to generate financial statements. That is why a recent American Bar Association article recommended that customers clearly state in their agreements that they own the data and always have access to it (“SaaS Agreements Key Contractual Provisions,” Business Law Today, H. Ward Classen, November 15, 2021, https://bit.ly/3SGWIBj).
Consider the example of an insurance company or financial institution that uses a SaaS vendor or service organization that uses artificial intelligence (AI) to make decisions such as whether to accept or deny an application for insurance or a loan. If the SaaS vendor or service organization’s AI system is biased, whether intentionally or not, and certain protected classes are denied insurance or loans, the insurance company or financial institution could be in noncompliance with antidiscrimination laws, rules, and regulations and subject to fines, penalties, class action lawsuits, and reputational damage. The control to reduce this risk is for the insurance company or financial institution to perform its own analysis of the decisions to identify the presence or absence of bias.
SMEs Are Especially Vulnerable
Too often, small and medium-size entities (SMEs) focus on the benefits that SaaS can provide but not on its risks, which must be understood and managed. Many SMEs rely on vendors to help facilitate SaaS solutions. Often, these efforts are focused on sales and implementation. Unfortunately for SMEs, they may not have access to the talent or resources that could help them appropriately assess these vendors and oversee their performance once implementation occurs. They must deal with a scaled-down version of larger companies’ enterprise issues, but they must also attempt to do so with less sophisticated talent. For example, many SMEs may not appreciate the nuances of contract terms or the wordsmithing of controls represented by aggressive vendors.
Managing Cyber and Information Security Risk
Previous CPA Journal articles (see the sidebar, Background Reading on Cloud Computing) addressed the cyber-security implications of cloud computing. As one of the three primary models of cloud services, SaaS shares many of the cybersecurity threats applicable to all cloud services. One unique aspect of SaaS compared with the other cloud service models [e.g., Infrastructure as a Service (IaaS), Platform as a Service (PaaS)] is the involvement and ownership of the relationship in SaaS user organizations by a business executive rather than a technology executive.
Due to the nature of the services provided, the technology executive is typically the primary executive responsible for IaaS and PaaS relationships. Technology professionals, many with at least some knowledge of cybersecurity or information security, support the executive in managing the relationship. For SaaS, by contrast, the business executive rather than the technology executive in many cases retains responsibility for the relationship on behalf of the enterprise. Although cybersecurity specialists may be consulted at the business executive’s option, frequently they are not. Unfortunately, the cloud shared responsibility model requires significant involvement from SaaS users in data classification, endpoint protection, identity/access management, application-level controls, and security architecture.
Although much of the literature has traditionally focused on cloud computing risks in general, rather than SaaS in particular, the increasing demand for and use of SaaS are beginning to change this. Users access SaaS services through the Internet. Risk managers respond to this inherent risk by increasing attention to cybersecurity and information security matters. These considerations include protecting data at rest or in transit (usually through encryption), ensuring appropriate access controls, using log analysis applications, and deploying vulnerability scanners. Yet, according to the 2021 Thales Global Cloud Security Study, commissioned by Thales and conducted by 451 Research, “40% of organizations have experienced a cloud-based data breach in the past 12 months. Despite increasing cyber-attacks targeting data in the cloud, the vast majority (83%) of businesses are still failing to encrypt half of the sensitive data they store in the cloud, raising even greater concerns as to the impact cybercriminals can have” (https://bit.ly/3A6NzLd). Given the accountabilities for data discussed above, this statistic implies that data classification, endpoint protection, application-level controls, and security configuration may need stronger oversight from SaaS user executives.
Background Reading on Cloud Computing
“Managing the Impact of Cloud Computing—Perspectives on Vulnerabilities, ERM, and Audit Services,” by Meredith Stein, Vincent Campitelli, and Steven Mezzio, June 2020. The article looked at identifying cloud computing opportunities and operationalizing cloud activities. It also defined the stakeholders involved in the enterprise’s risk management strategy and shared responsibility model. The article provided advice on managing the disruption caused by the adoption of cloud computing and reducing risks facing cloud users. The article stressed the impact of cloud computing on ERM strategies and activities. Guidance for CPA firms and practitioners was also presented.
“Cloud Computing Friend or Foe?” by Joel Lanz, June/July 2021. The article provided a more technical review, describing the different cloud service delivery models and cybersecurity concerns and discussing the shared responsibility model used to help differentiate cloud vendor or service organization and client responsibilities. The article further discussed cybersecurity considerations for each of the cloud service delivery models. It also addressed regulatory and compliance cloud considerations.
According to the Cloud Security Alliance’s 2022 SaaS Security Survey Report (https://bit.ly/3bD7fwP), “many recent breaches and data leaks have been tied back to misconfigurations, causing it to be a top concern for many organizations. Most research related to misconfigurations has focused strictly on the IaaS layers and ignores the SaaS stack entirely.” The report further explains that this challenge results from the lack of technology expertise in implementing and maintaining these applications. Other challenges include variations in the assignment of responsibilities and accountabilities in the organizations surveyed.
The United Kingdom’s National Cyber Security Centre (NCSC) provides specific and practical guidance through its SaaS security guidance. The advice targets organizations of all sizes, including SMEs. Risk managers will find two unique features of the guidance especially helpful. The first is a list of 11 criteria for assessing the security of the SaaS solution that the organization is considering (see the sidebar, NCSC and SaaS); for each criterion, the NCSC provides a brief representative question and a description of the requirements to consider. The second is the NCSC’s published assessment of 12 popular SaaS applications against those criteria. Using this guidance, risk managers can jump-start their efforts for these popular applications and assess the risk posed by the gaps identified in each solution. Should the application not be one of the 12 prepared assessments, risk managers can use the generic 11 criteria to develop a due diligence checklist before contracting for the SaaS application.
Consider SOC Reports
System and Organization Controls (SOC) is a suite of services CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations. User entities leverage the SOC reports issued by CPAs to enhance their marketing, governance, and internal control efforts. The SaaS user organization must consider the risks of two separate cloud relationships. The primary consideration is to review the SOC report of the cloud vendor or service organization used. Depending on the circumstances, the SaaS user organization may determine that its vendor or service organization needs to perform a review and other oversight procedures over the SaaS subservice organizations; these services include IaaS and PaaS. Usually, but not always, the SaaS vendor or service organization enters into and maintains that relationship, and the SaaS user might not appreciate that a subservice organization is involved. Alternatively, to communicate to SaaS users that their data is kept secure, available, and confidential, the SaaS vendor or service organization may state that the application is processed, and its data stored, on an established cloud organization’s infrastructure. SaaS vendors or service organizations then leverage those cloud organizations’ (IaaS or PaaS) SOC or ISO 27001 reports. Another challenge arises when a SaaS user relies on a large cloud vendor or service organization that offers many services (e.g., hundreds) but issues a single SOC report covering only some of the services provided to its customers. This confusion could lead SaaS users to misjudge which issues discussed in the SOC report apply to the services they actually use.
SaaS users should ensure that they understand how the scope and applicability of the SaaS vendor or service organization’s SOC report apply to their situation. Specifically, they should be able to identify by name the services they use in the SOC report. They should also determine whether the carve-out method was used in the SOC report and understand its implications. The carve-outs can help identify the subservice organizations relied upon by the SaaS vendor or service organization. SaaS users should also review the complementary user entity control (CUEC) and complementary subservice organization control (CSOC) considerations presented in the SOC report to assess the use, appropriate implementation, and operating effectiveness of critical CUECs and CSOCs. If the SOC report identifies the use of a subservice organization, SaaS users should inquire about the SaaS vendor or service organization’s vendor management oversight practices.
SaaS users should also consider whether the SOC report provided considers applicable regulatory and compliance issues. These issues have been discussed in prior articles (see the sidebar).
Classic Business Issues Also Need Attention
Moving to the cloud creates new “twists” on classic technology-related governance controls. Fortunately, organizations can overcome these challenges by managing three common misconceptions related to SaaS: acquisition and implementation, maintaining inventories, and managing contracts. The Exhibit describes unique SaaS issues that may impact an organization and the considerations for resolving them.
Exhibit: Overcoming Classic Technology-Related Governance Controls
Opportunities Come with Risks
SaaS applications provide tremendous opportunities for SaaS users. They offer the ability to enhance service delivery and significantly ease entry into markets; they also deliver efficiencies and strengthen an entity’s ability to achieve organizational goals. Previous articles have also addressed the impact and opportunities for firms and their practitioners; yet the impact of SaaS can reach the entire organization, from data reliability to reputation in the marketplace. Bringing enterprise risk management (ERM) practices into the equation enables the risk managers of SaaS users to find the balance between the entrepreneurial desire of managers to do what it takes to achieve their objectives and the need to protect organizational reputation and stakeholder relationships. Effective governance enables managers to achieve their goals cost-effectively within the constraints of expected behavior while meeting the necessity to protect assets.
NCSC and SaaS
NCSC SaaS Criteria
- Data-in-transit protection between clients and service
- Industry good practice external certificate configuration
- Data-in-transit protection between microservices
- Industry good practice internal certificate configuration
- API authentication and protection
- Privilege separation
- Multifactor authentication
- Logging and event collection
- Availability of logs
- Clear incident response to patching and security issues
- Clear and transparent details on a product’s security features
Popular SaaS Applications for which NCSC Provides an Assessment
- G Suite
- Office 365