Security is a top concern for CIOs deploying subscription payment applications in the cloud. This guide highlights the key requirements that CIOs and CISOs should focus on in order to ensure that their cloud providers comply with industry security best practices and compliance standards. All CIOs recognize the importance of security to both their customers and their own operations.

As companies deploy SaaS applications such as a cloud billing platform to accelerate business time to value, enable greater IT agility and lower overall costs, ensuring trust in their SaaS provider through security certification and practices remains a top concern for CIOs. To be clear, confidence in your cloud provider is only one piece of the big security picture.

According to Gartner, “Most organizations are focusing on the wrong risks, concentrating on a relatively small potential for SaaS security failure, and putting too little emphasis on management of their own users and data.” A survey at Gartner’s Data Center Conference in 2013 shows that this overweighting of risk analysis towards SaaS providers stems from two primary concerns: 1. lack of visibility into who’s accessing your data and applications and 2. lack of confidence in the the cloud provider’s security capabilities.

Further, Gartner recommends that “Security teams, SaaS decision makers and IT procurement staff should ensure that business goals for confidentiality, integrity and availability are fully specified and appropriately addressed before using SaaS.”

In other words, recurring revenue businesses need to focus on getting their own internal processes and controls in order. We will probe more deeply into these best practices around security controls and processes in future Academy guides.

Keeping Your Cloud Secure - a CIO’s Favorite Topic

Cloud security is a top concern for CIOs deploying subscription payment applications in the cloud. This guide highlights the key requirements that CIOs and CISOs should focus on in order to ensure that their cloud providers comply with industry security best practices and compliance standards. All CIOs recognize the importance of security to both their customers and their own operations.

As companies deploy SaaS applications such as a cloud billing platform to accelerate business time to value, enable greater IT agility and lower overall costs, ensuring trust in their SaaS provider through security certification and practices remains a top concern for CIOs. To be clear, confidence in your cloud provider is only one piece of the big cloud security picture.

“Most organizations are focusing on the wrong risks, concentrating on a relatively small potential for SaaS security failure, and putting too little emphasis on management of their own users and data.”

Gartner, 2013

A survey at Gartner’s Data Center Conference in 2013 shows that this overweighting of risk analysis towards SaaS providers stems from two primary concerns: 1. lack of visibility into who’s accessing your data and applications and 2. lack of confidence in the the cloud provider’s security capabilities.

Further, Gartner recommends that “Security teams, SaaS decision makers and IT procurement staff should ensure that business goals for confidentiality, integrity and availability are fully specified and appropriately addressed before using SaaS.”

In other words, recurring revenue businesses need to focus on getting their own internal processes and controls in order. We will probe more deeply into these best practices around security controls and processes in future Academy guides.

PHYSICAL SECURITY

Key points:

  • Fortifying your physical data centers
  • Multiple control layers
  • Access authentication and 7×24 monitoring

Best security practice always starts with fortifying your physical datacenter. SaaS application providers should host their infrastructure within world-class datacenters that implement best physical security practices and maintain a datacenter environment and network that is highly available.

World-class datacenters utilize multiple control layers, from the physical perimeter, to facility controls, computer room controls that ensure access authentication and 7×24 monitoring and controlled access to server hardware. That way, any breach of a single layer will not create vulnerability in the whole system.

Zuora, for example uses two data centers that follow these physical security practices and host notable clients such as the US National Security Agency and Facebook.

NETWORK SECURITY

Key points:

  • Production environment completely separate
  • Firewall and network zone segregation
  • Two-factor authentication remote access
  • Host based intrusion detection

The next level of security is around your network environment, which constitutes the physical and virtual network that your applications and data reside on. Best practice involves physical and logical separation of the production environment from all other environments.

The production network is protected by multiple firewalls and monitoring tools that implement your network security architecture design, and help you enforce security policies and controls within the network. The production network treats all other networks outside of itself as untrust, making it effectively an enclave. Two-factor authentication is required for remote access into the network for authorized personnel only.

Zuora, for example, has built our systems and applications on a foundation of 6 network zones that compartmentalize system and application function to areas based on purpose and level of security protection required. These zones have a policy of untrust to all other zones. Traffic is denied unless purposely allowed based on approved business needs.

Next, individual server hosts should be secured using host based intrusion detection (HIDS). HIDS enables you to actively prevent malicious or anomalous activity on the host system by installing an agent on each local host to monitor and report on the system configuration and application activity.

APPLICATION SECURITY

Key points:

  • HTTPS for all incoming/outgoing data transfer
  • Data encryption for credit card payment information
  • Secure application design, development and testing
  • Application firewall for an extra layer of perimeter protection

The third level of security is around the application code and customer data that resides within, especially involving PII (personally identifiable information, like address and social security numbers) and payment data. Your SaaS provider should use HTTPS encryption for all data going inbound and outbound from the production payment processing application network.

Government entities, banks, and financial institutions such as Visa and MasterCard also use hardware encryption devices such as SafeNet to securely encrypt credit card data and protect highly sensitive data such as private keys.

For subscription billing and payments, credit card and sensitive data should be encrypted using AES-256 bit encryption executed on a SafeNet FIPS-certified hardware security module. These hardware security module devices help your SaaS provider protect keys used for encryption and decryption of data, and allow those cryptographic operations to occur within a secure tamper-resistant physical application boundary. These SafeNet systems are managed by authorized security engineers and security officers entrusted with those responsibilities.

Your SaaS application should also utilize secure application design, development and testing.  Zuora, for example, aligns with industry standards such as OWASP and work hard to ensure our applications are developed and tested free of high-risk vulnerabilities.

Lastly, it’s recommended that you use an application firewall. Since all traffic is encrypted HTTPS, traditional firewalls cannot inspect data packets so an application firewall is needed. An application firewall looks for application specific security vulnerabilities, such as a SQL injection or cross-site scripting, where a user can inject a script and capture your cookies.

VULNERABILITY MANAGEMENT

Key points:

  • Internal and external network scans
  • Security application scans
  • Web application penetration testing
  • Keep critical patches up-to-date

It is also important to be proactive when it comes to managing vulnerabilities. At a general network level, your SaaS provider should regularly scan their internal and external network using a scan appliance and testing services.

It is best practice to review and test for security vulnerabilities before they are rolled out. New vulnerabilities occasionally arise on operating systems such as Linux and software applications such as web servers and network devices. Newly identified vulnerabilities should trigger a workflow within your SaaS provider’s internal processes to have each unique issue tracked and remediated in a timely manner.

Your provider should also conduct continuous scans of the applications in the test environment before code is moved to production. Their vulnerability scanning tools look for a suite of web application vulnerabilities ranging from SQL injection and cross-site scripting to denial of web application service. Your provider should log each web application issue detected by their scanning tools and internal testing team and track each one until closure.

In Zuora’s case, Web application security is a big focus. Zuora utilizes a security dashboard to ensure visibility to any issues.

On a proactive level, your provider should leverage 3rd party testing and monitor communication from these sources for vulnerabilities on a regular basis.  In addition to continuous scanning, Zuora also leverage third party penetration testing to conduct thorough tests on our application on a regular basis.

As they are found relevant to our platform, we conduct a risk assessment to identify the level of risk and impact.  From there, the issue is given priority and is managed toward closure in a time frame commensurate with the level of risk. On a regular cadence, we review and prioritize critical patches to be installed into our system.

CERTIFICATION STANDARDS

  • Payment Card Industry (PCI)
  • SSAE16 Type II
  • TRUSTe
  • US-EU Safe Harbor (self certification)
  • Health Insurance Portability and Accountability Act (HIPAA)

A key part of ensuring trust is maintaining compliance with standard certifications. The first one of these compliance standards is PCI, or Payment Card Industry.  Any entity, merchant or service provider, accepting, processing, transmitting, or storing cardholder data are subject to applicable requirements within the PCI standard.

PCI has 12 main requirements, and supported by close to 300 detailed and very specific requirements. You may have already been familiar with these requirements in your business.   e.g. Zuora is compliant as a PCI Level 1 Service Provider, and has been for four years now.   We will continue to maintain PCI compliance on an annual basis.

SSAE16 is the most commonly used compliance attestation standard and has replaced the longstanding SAS70 standard. Unlike PCI, which is a point-in-time audit, SSAE16 Type II is an audit looking back.

Just as with PCI, Zuora has maintained SAS70/SSAE16 Type II compliance for the last four years dating back to 2009.  On an annual basis, third party auditors validate that nine key controls critical to the success of the business are in place and effective for the entirety of the control period.  These controls include among them Organization and Administration, Physical Access Controls, Logical Access Controls, System Availability and Performance, Infrastructure Systems Development, Application Software Development, Customer Implementation and Setup, Data Classification, Integration, and Exchange, and System Backup and Recovery.

Zuora’s primary datacenter, Switch SuperNAP, in Las Vegas, NV undergoes PCI and SSAE16 audits annually.  Similarly, Zuora’s backup datacenter, CoreSite, is audited on SSAE16 annually.

Also important are maintaining a privacy policy and practicing compliance with applicable privacy laws for countries in which your customers and customer’s customers transact. To that end, Zuora enlists the services of TRUSTe as an independent third party to review and provide feedback to update our privacy policy.

Zuora does this to keep up with changing privacy rules and regulations in the geographic areas we support. Zuora also annually complies with the European Directive US-EU Safe Harbor framework for privacy.

Lastly for companies that deal with healthcare providers and data is compliance around the Health Insurance Portability and Accountability Act (HIPAA). There are two types of HIPAA compliance standards: one for covered entities and one forbusiness associates. According to the Department of Health and Human Services, “Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.”

Whereas, a business associate, such as Zuora, is someone who helps a covered entity carry out its healthcare activites and functions. Since Zuora has customers in the healthcare industry that are covered entities, we have done a business associate audit and signed a Business Associate Agreement (BAA), that is a checklist of requirements mandated by HIPAA.

HOW TO REDUCE PCI COMPLIANCE SCOPE

Key points:

  • Each entity is responsible for how it uses data
  • Limit where PCI data is stored, processed, transmitted
  • Limit scope of Cardholder Data Environment (CDE)
  • Leverage Zuora Hosted Payment Method (HPM)
  • Segment cardholder data network from other networks
  • Use effective encryption
  • Implement strong key management practices

Every entity, merchant or service provider is ultimately responsible for how it uses data and data in its possession.

One of the questions that Zuora often gets from our customers is “how do I reduce or minimize PCI scope?” In other words, how do you make the PCI compliance process as efficient as possible?

There are a number of best practices, but by far the best way is to not store or touch credit card data if you don’t have to. In such an approach, because cardholder data does not pass through the merchant’s systems, a merchant can effectively remove certain systems from PCI scope.  It doesn’t mean that the merchants and companies does not have to practice good security in the infrastructure—they still do, but certainly from a PCI audit perspective, it can reduce your PCI scope and help practice good security by only storing or transmitting data only if you have to.

Zuora, for example, offers a product called the Hosted Payment Method which can be embedded in an iFrame at your website. When implemented as intended, credit card data will be encrypted and transmitted directly to Zuora’s servers from the end customer. This limits the path that payment related data can take through your systems.

If your systems do have to touch credit card data, then of course PCI requirements are still applicable depending on how you use data in the environment. One way to limit scope if you do have credit card data traversing your infrastructure is to implement adequate network and access segregation of systems processing, storing, or transmitting data.  Designing a network that isolates these systems and applications, and using enforcement points such as firewalls to segregate systems that process sensitive data

Last but certainly not least, using effective encryption of data at rest and in transit is a requirement.  Encryption keys can be used for many purposes, whether it is to encrypt SSL connections or encrypting sensitive data.  When using keys to encrypt data, keeping keys such as private keys protected on servers and putting together a key management policy that takes into account how keys are used, rotated, managed, and secured is vital to protecting the data that does need to be stored or transmitted through merchant systems.

SECURITY PROGRAM GOVERNANCE

An important part of building a healthy and proactive security focus in your business is to implement governance to your security processes. You can start by setting up a security governing body that is comprised of business and technical leaders. This group should have a clear charter – e.g. “to provide executive governance to your company’s security program.”

The committee should meet regularly, review and address high-risk security issues of the business. Here’s an example agenda:

  • Address high risk security issues to the business
  • Address customer security concerns
  • Review and approve security roadmap and changes to the security program
  • Review security incident / breaches

At Zuora, we’ve implemented an executive security governance committee that’s comprised of key members of our executive staff and meets regularly to proactively address these issues.

RISKS OF UNPLANNED DOWNTIME

Finally, we’d be remiss if we didn’t touch on the risks of losing data through unplanned downtime. While technically not a security risk per se, unplanned downtime can result in data loss that impacts your business and your customers. SaaS providers live and breath this daily, and are focused on minimizing this risk as much as possible.

“Most SaaS offerings include fault tolerance, and uptime has proven better than what most organizations can maintain internally. Temporary downtime has not become a significant area of SaaS risk, but buyers should ensure that provider contracts include the level of uptime they require, and should monitor SLA compliance.”

Gartner

Learn more about mitigating unplanned downtime risks in our guide on delivering high performance, availability and scalability.

Keep Learning

What ASC 606 means for revenue recognition
Understanding material weakness in internal control for finance
SaaS pricing models: A comprehensive monetization guide
An overview of payment gateways