In the world of Software-as-a-Service, few things are as important as security. Because SaaS vendors move and store information away from the customer’s premises, customers want to be sure that the SaaS vendors they choose are taking the right steps to secure their data at all times. The issue becomes even more critical as more and more companies move beyond using SaaS only for relatively limited business tasks to relying on the cloud for basic IT functionality.
Led by a broad coalition of industry practitioners, corporations, associations, and other key stakeholders, the CSA works to establish and promote best practices and education for security assurance in the cloud computing industry. The not-for-profit organization is an acknowledged leader in sharing security advances among cloud service providers and easing the process of evaluating security for business consumers of cloud services. (You can follow the CSA on Twitter @cloudsa.)
We’re proud to say that we’ve joined the CSA. As an application performance management (APM) provider that delivers a pure SaaS solution—and a major user of SaaS products in our own business—we want to do everything we can to promote industry transparency and customer visibility into SaaS security practices.
The CSA’s Security, Trust & Assurance Registry (STAR) documents the security controls provided by various cloud computing offerings, helping users assess the security of current or potential cloud providers. Based on a multilayered structure (self-assessment, certification, and continuous monitoring, as defined by the Open Certification Framework Working Group), STAR helps SaaS vendors create in-depth documentation to speed customer security teams’ review of vendors’ security practices. The CSA’s STAR report that documents New Relic’s network and application security controls can be downloaded here.
New Relic and the CSA
“Joining the CSA gives the type of transparency that instills customer confidence and, at the same time, builds on best practices and standards for others to follow,” explains Shaun Gordon, New Relic’s chief information security officer.
Of course, CSA membership is only part of New Relic’s comprehensive approach to security. “We aim to set a high bar for the security of our customers’ data,” Shaun says. “Not only is New Relic hosted in a secure tier 3 SSAE16 certified data center, but it has also undergone and completed a rigorous and comprehensive SOC 2 Type II audit for three consecutive years.” The SOC 2 audit is an industry standard set by the American Institute of CPAs (AICPA) to evaluate the systems relevant to security and availability.
“Customers have reason to be concerned how their data is being handled through cloud providers,” agrees Jim Reavis, CEO of the Cloud Security Alliance. “Shaun Gordon and his team have adopted mature security practices when compared to today’s cloud providers. New Relic’s expertise in securely supporting hundreds of thousands of users with its real-time software analytics solution is a welcome addition to the CSA community.”
New Relic and security
One important distinction in New Relic’s approach to SaaS security is that we don’t just comply with industry standards for the security of our data center; we also offer security measures for our customers’ data as it crosses the network. In addition, New Relic employs monitoring using both internal and third-party services to perform security scanning of both the network and applications. New Relic offers service-configuration features that allow for customer compliance in environments subject to regulations such as PCI, HIPAA, or SOX. And we offer high-security Enterprise Mode settings that configure data collection settings to help prevent employees from accidentally enabling the transmission of sensitive data.
For even more insight into SaaS security, check out the CSA’s Consensus Assessments Initiative Questionnaire, a spreadsheet with hundreds of specific “yes or no” questions that you can tailor to suit your organization’s unique security requirements.