Simplifying SaaS security


Solidifying customer confidence in security due diligence

If you’re a B2B business looking to or already supplying to large organisations, you will probably have noticed an uptick in the number of questions and the “proof” of information security controls asked of you for systems that host business critical and customer sensitive data.

These are not difficult questions to answer but can be very  time consuming. However, your reputation may be on the line over time if you fail to provide proof to your customers that internal information security management systems (ISMS) you said you have are actually enforced. 

On the flip side, if you are able to provide assurances that your ISMS policies are being enforced and can be independently verified, you will solidify customer confidence and have much greater appeal to win business than your competitors who don’t. 

What is normally asked in procurement security due diligence by large customers?

Many require third-party vendors to have some or all of the following certifications which are relevant to the services being provided, e.g. PCI Certification, ISO 27001, SOC 2 Type II, penetration testing results. 

What is the PROOF asked of you?

  • PCI Certification - Proof of internal controls for handling credit card information 

  • ISO 27001 - Proof of internal information security management system (ISMS) controls

  • SOC 2 Type II - Proof that ISMS controls are operating as intended

  • Penetration test - Proof that software and systems developed have been robustly tested for software vulnerabilities.

Certifications are one thing, but providing proof of systematic testing and compliance adds to the reputation of the vendors. Almost all certifications have detailed requirements in the relevant standard and require a third-party auditor:

  • to assess compliance against the applicable standard,

  • prepare a detailed report of any weaknesses or deficiencies and then,

  • issue a certificate of compliance once remediation work is completed.

How to best provide this proof without breaking your bank and diverting resources to time consuming audit and report generation? 

The answer is three-fold:

  1. Independent: carried out by a trusted third-party

  2. Continuous Verification: not just a one-time check but continuous audit based on real-time data

  3. On-demand Report Generation: reporting is readily available any time.

How can Detexian help?

Detexian provides independent, continuous verification of security controls for critical SaaS applications for which reports can be generated on demand via its SaaS Security Posture Management solution.

It is a single pane of glass across Office 365, G Suite, Atlassian, Salesforce, and other platforms. It detects critical user misconfigurations, audits SaaS permissions and more. With Detexian, regulatory compliance is made easy. You can generate audit reports to demonstrate evidence of control effectiveness over time that your auditors and regulators want.

Check out LAB Group Case Study on our webpage.  Many of LAB Group’s prospective customers are large financial institutions who follow stringent vendor security assessment processes. Prospective Customer security teams seek to verify security control effectiveness and want assurances that ISMS policies are being enforced. 

Secure what you can't see in the cloud
710 Collins Street
Melbourne VIC 3008
9848 Mercy Rd #2
San Diego 92129

Get the latest information about SaaS security misconfigurations

Copyright Detexian 2021 All Rights ReservedTerms & ConditionsPrivacy Policy