
Cyber Governance of a Cloud SaaS

Last Modified: 2020-03-05
A leading 1-ERP cloud provider (one of the big three, like SAP, Oracle, MS)
has replied to us that they can't share the hardenings that they have
in place for their OS; neither would they sign off on the hardening
checklist, nor share the penetration test report.

What is typically the way, from a customer's Cyber Governance standpoint,
that we can proceed? Ask for a SOC 2 report, or which report would
certify that they have performed the required (CIS) hardening and
penetration tests?

Or can we still demand to sight the hardening settings and pentest
reports? We are using their SaaS.

Exec Consultant
Distinguished Expert 2019

You can consider a governance report or certification proof such as STAR certification, SOC 2 Type 2 or SOC 3 at a minimum.

For example, for STAR, you can check out the below.

The STAR registry is a trusted source of information on the security and privacy posture of CSPs. It enforces accountability and lets you build a coherent GRC program.

If your provider is not listed on the STAR registry, please submit a request to have them verified using our ready-made editable template that you can revise and e-mail directly to your provider(s).

As for the SOC report, the Type 2 is the auditor's report, so that would be the most ideal for seeing any lapse or area of improvement in the trust services. Of course they may not share that, since they would not be obliged to unless you have an existing contractual agreement. So SOC 3, being high level, can still be asked for, though it may not be a deep dive and just gives a sense that they are doing what they should be doing.

Maybe another means is through a CASB provider like Netskope, which provides a confidence badge for SaaS that undergo their review. If the SaaS has gone through it, that may be good; alternatively, you can talk to Netskope to advise how to go about getting a report on the SaaS independently and transparently.

Otherwise there is not much you can push for, since the service is under their control. Alternative competitors may give more confidence without being so protective as to refuse even report sharing; at most, be prepared to sign an NDA before receiving it.


Have come across a few cases where auditors wanted to
do a site visit to the CSP. Is it reasonable that we put in
our contract with the CSP that, in the event auditors request it,
the CSP or the SaaS provider has to allow the auditors to
interview them and sight their docs (pentest, hardenings, VA
and their change process)?

Noticed these are mentioned in Spore's Cyber
Code of Practice, which owners of a CII must impose on
their IT providers (not SaaS specifically, but turnkey and
apps vendors).

From the SaaS vendor (who also operates as CSP):
"we employ a standardized system hardening practices across xxx Cloud devices: however we can't share this due to security/confidentiality reasons. This includes restricting protocol access, removing or disabling unnecessary software and services, removing unnecessary user accounts, patch management, and logging."

Have also come across a vendor that hosts services for banks who
declined to show auditors who went onsite their pentest report,
citing confidentiality/security reasons.

Btw, when can we use OSPAR (Outsourced Service
Provider ... Report) as a proxy for actually viewing or
sighting which artefacts (VA or pentest or ?)?
btan, Exec Consultant
Distinguished Expert 2019

Yes, you can enforce via contractual means, and that is expected when going to the cloud. For SaaS it is unlikely they will allow you to PT, as they have other tenants and have to answer if things go wrong. They will not take chances. Showing the report is reasonable, and if they are even willing to demonstrate the confidence based on certification, I suggest you think otherwise. I reiterate that it is reasonable and the customer's prerogative to ask for assurance, and if they can show verifiable proof, even by other customers' feedback, that would still show some diligence and care. Case studies and customer references can still help, but you need a concrete independent assessment.

madunix, Executive IT Director, MVE
Most Valuable Expert 2019

You will not be able to audit Microsoft/Oracle/SAP. You can find details on how they are compliant with the CSA control matrix. For example, if you host the application on cloud services such as AWS, Azure, or Google, the cloud platform provider will have requirements that you must meet. If you use a Software-as-a-Service (SaaS) e-commerce platform, various PCI DSS compliance requirements will be enforced through the platform. However, you will also need to ensure that your application adheres to the PCI DSS requirements not constrained by the platform.