As a company focused on helping cloud vendors establish trust with customers and prospects, we see a LOT of custom security questionnaires passing from clients to vendors and back again. Internally, we’ve also issued a lot of vendor security questionnaires to our vendors, and been on the receiving end of custom security questionnaires from our customers. There are a lot of questions that come up in almost every security review and RFP response:

  • Do you have a SOC 2?
  • How and where is data stored?
  • Is data encrypted in transit?
  • What is your data retention and disaster recovery policy?
  • Can I see a list of your subprocessors?

We could go on, but you get the picture. If you're a SaaS company (or, really, any organization selling to mid-market and/or Enterprise companies), you've likely seen these questions asked during the customer security review process.

When responding to customer security questionnaires or crafting an RFP questionnaire response, it’s important to understand the why behind the question. What is the customer getting at? What does this question tell them about your security posture? How will a yes / no answer affect their business risk?

Below we’ve outlined 4 of the most common uncommon questions that we’ve seen come up in security reviews. You may not have seen these yet, but if and when you do, having an understanding of the “why” behind the question will help you craft the best answer to address your customers’ concerns and establish trust early on.

Question #1: "What is the RTO and RPO of this product?" *

What’s the point of this question? 

As a customer, it’s always hard to learn from your vendor that, “if we are down, you are down.” Nonetheless, it’s an important question to ask. Companies outsource an increasing number of critical processes to cloud vendors. Especially when revenue generating and customer facing processes are outsourced, it is critical to understand the availability of these services.

How to go about answering this question:

This question can be hard to answer accurately as it’s a bit of an abstract question. When the recovery objective is 24 hours, but the rest of the internet is down and the dog won’t stop barking at the postal service, things can spiral out of control quickly. A good questionnaire response here doesn’t just give hours and minutes, but is specific about the upstream dependencies and specific scenarios you have prepared for and tested.

Recommended next steps:

Make a system diagram readily available that shows the parts of your system that matter for business continuity, such as regions, vendor dependencies and how backups are handled.

*If you aren't familiar with RTO and RPO, here's a good article that breaks down the definitions.

Question #2: "What percent of your internal systems use federated authentication (LDAP, SAML 2.0)?"

What’s the point of this question?

Trying a new SaaS tool usually only takes a few clicks, and sometimes doesn’t even require a credit card. Rolling a new SaaS tool out securely to all of your users is a whole different story. This security question helps customers understand how well you are controlling the sprawling set of tools you use to deliver your product or service. If a vendor (i.e., you) does not have a good grasp on this, it likely means that there is a higher risk of an account being breached.

How to go about answering this question:

With an up-to-date and accurate asset inventory, this question is as simple as dividing a few values in a spreadsheet. It's okay if this number is not 100%, especially knowing that some vendors charge an arm and a leg for SSO (https://sso.tax). Context is key here: keep in mind the classification of the system. Your customer likely does not care if you use SSO for Twitter.

Recommended next steps:

As a part of vendor management activities, track which vendors provide a SaaS system for you, and maintain a specific record for each SaaS system outlining how authentication is handled.
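The coverage calculation described above, with the classification context the answer calls for, as an added example that is not part of the original post. The inventory records are constructed for illustration, and the record layout (name, classification, auth method) is an assumption rather than a format from the post; the point is that the number reported to a customer should be broken out by system classification and accompanied by the list of sensitive systems still on local passwords.

```python
"""Federated-authentication coverage report from a SaaS asset inventory.

Added example. The inventory below is constructed, and the record layout
(name, classification, auth) is an assumed format, not one from the post.
"""
from collections import defaultdict

# Constructed sample inventory. "auth" records how users sign in to the tool.
INVENTORY = [
    {"name": "cloud-console",  "classification": "critical",     "auth": "saml"},
    {"name": "source-control", "classification": "critical",     "auth": "saml"},
    {"name": "ci-runner",      "classification": "critical",     "auth": "oidc"},
    {"name": "crm",            "classification": "confidential", "auth": "saml"},
    {"name": "ticketing",      "classification": "confidential", "auth": "password"},
    {"name": "wiki",           "classification": "internal",     "auth": "ldap"},
    {"name": "social-media",   "classification": "public",       "auth": "password"},
]

# Authentication methods that count as federated for this report.
FEDERATED = {"saml", "oidc", "ldap"}


def is_federated(system):
    return system["auth"].lower() in FEDERATED


def overall_coverage(inventory):
    """Percent of all systems using federated authentication (one decimal)."""
    fed = sum(1 for s in inventory if is_federated(s))
    return round(100 * fed / len(inventory), 1)


def coverage_by_classification(inventory):
    """Return {classification: (federated_count, total_count, percent)}."""
    totals = defaultdict(lambda: [0, 0])
    for system in inventory:
        counts = totals[system["classification"]]
        counts[1] += 1
        if is_federated(system):
            counts[0] += 1
    return {
        cls: (fed, tot, round(100 * fed / tot, 1))
        for cls, (fed, tot) in totals.items()
    }


def unfederated_systems(inventory, classifications=("critical", "confidential")):
    """Sensitive systems still on local passwords: the gaps a customer cares about."""
    return sorted(
        s["name"] for s in inventory
        if s["classification"] in classifications and not is_federated(s)
    )


if __name__ == "__main__":
    print(f"Overall federated coverage: {overall_coverage(INVENTORY)}%")
    for cls, (fed, tot, pct) in coverage_by_classification(INVENTORY).items():
        print(f"  {cls:12s} {fed}/{tot} ({pct}%)")
    gaps = unfederated_systems(INVENTORY)
    print("Sensitive systems without SSO:", ", ".join(gaps) if gaps else "none")
```

The overall figure alone (about 71% here) would understate the real picture: every critical system is federated and the only gap is one confidential system, which is the sentence worth writing in the questionnaire response.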

Question #3: "What 4th parties store or process data used in this service?"

What’s the point of this question? 

“Where is my data” is a hard question to answer. Disclosing sub-processors of sensitive data helps customers make better informed decisions. It is also important for end users or services to know where their personal data may end up. There is increasing scrutiny and regulatory pressure to be very transparent here.

How to go about answering this question:

The list of vendors that process data on your behalf (known as "subprocessors") should be extremely easy to find, and should outline the geographic location where the processing happens. Adding an overview of the processing and linking to the security/privacy overview for those vendors can also go a long way in building trust. A great example of a comprehensive subprocessor list can be found on Figma's website.

Recommended next steps:

This list will likely change quite a bit as your business objectives change. Make it easy for your customer to subscribe to updates for the list, and set up repeatable processes for those updates before you are scrambling to build a notification system to meet contract requirements from a Fortune 500 customer.
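One way to make the update process repeatable, as an added example that is not part of the original post: keep the subprocessor list as structured records (vendor, purpose, location) and generate the subscriber notice from the difference between the published version and the draft. Both list versions below are constructed, and the field names are an assumption.

```python
"""Change detection over a subprocessor list, for subscriber notifications.

Added example. Both list versions are constructed, and the field names
(vendor, purpose, location) are an assumed format, not one from the post.
"""

# Constructed: the currently published list.
PUBLISHED = [
    {"vendor": "Example Cloud Hosting", "purpose": "Primary hosting and backups",
     "location": "US (us-east)"},
    {"vendor": "Example Email Delivery", "purpose": "Transactional email",
     "location": "US"},
    {"vendor": "Example Support Desk", "purpose": "Customer support tickets",
     "location": "EU (Ireland)"},
]

# Constructed: the draft that is about to replace it.
DRAFT = [
    {"vendor": "Example Cloud Hosting", "purpose": "Primary hosting and backups",
     "location": "US (us-east), EU (Frankfurt)"},
    {"vendor": "Example Email Delivery", "purpose": "Transactional email",
     "location": "US"},
    {"vendor": "Example Analytics", "purpose": "Product usage analytics",
     "location": "US"},
]

TRACKED_FIELDS = ("purpose", "location")


def diff_subprocessors(old, new):
    """Compare two list versions keyed by vendor name.

    Returns {"added": [vendor], "removed": [vendor],
             "changed": [(vendor, [field, ...])]}.
    """
    old_by = {r["vendor"]: r for r in old}
    new_by = {r["vendor"]: r for r in new}
    added = sorted(set(new_by) - set(old_by))
    removed = sorted(set(old_by) - set(new_by))
    changed = []
    for vendor in sorted(set(old_by) & set(new_by)):
        fields = [f for f in TRACKED_FIELDS if old_by[vendor][f] != new_by[vendor][f]]
        if fields:
            changed.append((vendor, fields))
    return {"added": added, "removed": removed, "changed": changed}


def render_notice(old, new):
    """Plain-text notice for subscribers; empty string when nothing changed."""
    d = diff_subprocessors(old, new)
    if not (d["added"] or d["removed"] or d["changed"]):
        return ""
    old_by = {r["vendor"]: r for r in old}
    new_by = {r["vendor"]: r for r in new}
    lines = ["Subprocessor list update"]
    for vendor in d["added"]:
        r = new_by[vendor]
        lines.append(f"ADDED   {vendor}: {r['purpose']} ({r['location']})")
    for vendor in d["removed"]:
        lines.append(f"REMOVED {vendor}")
    for vendor, fields in d["changed"]:
        for f in fields:
            lines.append(f"CHANGED {vendor} {f}: {old_by[vendor][f]!r} -> {new_by[vendor][f]!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_notice(PUBLISHED, DRAFT) or "No changes to announce.")
```

Running the comparison as part of publishing the list (rather than by hand) is what turns "we notify customers of changes" from a contractual promise into something you can demonstrate: a location change for an existing vendor is flagged just as visibly as a new vendor.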

Question #4: "If an attacker gained access to an individual developer's cloud credentials, what actions could that attacker perform, and how would you respond to the breach?"

What’s the point of this question? 

I know what you're thinking: "If I had a nickel for every time...". But in all seriousness, this question can help to quickly assess whether a vendor has their house in order. An accurate and defensible answer is a sign that strong governance processes are in place at a vendor.

How to go about answering this question:

Robotically answering each of the 950 questions from the SIG Core — while it takes quite a long time — is not all that difficult, especially when the answer to many questions is "No, we don't use AS/400". The questions are so academic ("Yes, we have a Risk Management Policy", "No, we don't use contracted development services") that it starts to feel like you are back in the days of answering true/false questions during an exam for the latest certification.

This question, however, really makes you think, and encourages you (as a vendor) to deliver a coherent story that sheds light on your overall information security approach, the risks you have prepared for, and what a real-world response would actually look like. Whereas many security questionnaire responses are just a "tick in the box", questions that ask you to explain a theoretical scenario and your planned response can help the customer understand how robust your cloud security posture is. Here is a resource with other questions that help "cut to the chase".

Recommended next steps:

Make it abundantly clear how you will contact your customers if there is a security incident that impacts you (and, therefore, them). Make it easy for your customers to report security incidents and questions to you, and proactively write up a response you make available to all customers when the next big supply chain attack happens.

The above questions are important to ask when evaluating a cloud vendor, and it is critical that you understand what your answer is (or would be) in the event you get asked them during a customer security review. Even better, preparing these answers ahead of time and putting them in a public-facing FAQ or Security Page can head off the questions from the start.

For a list of additional questions you should be asking (and/or be prepared to answer) in any vendor security review, download our free template of Commonly Asked Security Questions.