Earlier this week, GigaOm Research, CloudPassage and Citrix Systems participated in a lively panel discussion webinar on “Security and Compliance Best Practices for SaaS Companies”. (If you’d like to see the full on-demand webcast, you can view it here.)
As promised, we have created a blog post to share the answers to some of the questions that we were unable to address during the webinar. Should you have any additional questions, please do not hesitate to contact us.
Q: Security vs. Privacy – how are companies distinguishing that and how does CloudPassage handle that? In particular mobile device security and interaction with Cloud provider (hybrid cloud).
Securing your cloud server instances using file integrity monitoring, dynamic firewalls, multi-factor authentication, vulnerability scanning, and configuration management will help you address a great number of security, compliance, and stakeholder privacy concerns by providing continuous monitoring of sensitive files, directories, and server and application access.
From a mobile security standpoint, CloudPassage Halo can validate that the proper security controls are monitoring the server, application stack, and applications that mobile users are connecting to. The security of the mobile devices themselves, however, requires orchestration that many other technology companies are currently investigating, using mobile device management technology and mobile security access products.
Q: Is there hardware security infrastructure in addition to software?
Nearly all cloud service providers deploy technical controls to protect the cloud infrastructure. Unfortunately, the configuration and policy enforcement of those controls are typically beyond the control of the end customer. For example, just because Cloud Provider ‘A’ boasts network protection for its infrastructure by utilizing 30 firewalls doesn’t mean that you have access to push your own custom policies to them.
CloudPassage Halo consolidates the security of your public, private, and hybrid cloud instances, in addition to virtualized guests and bare-metal servers, using a SaaS portal that allows you to define the security of your instances – without having to rely on the network-based technical controls of the provider.
Results of Quick Poll #1
Q: Assume I work with a cloud provider, say AWS: do you bundle your service with the AWS pay-as-you-go model, or do you bill separately? How does billing occur, is it automatic, and what is the pricing model based on?
CloudPassage is a separate service from AWS, so you will receive a separate bill. Our billing model is very similar to AWS: we bill per server, per hour. Usage is automatically accrued and measured by CloudPassage. A bill for your usage is provided at the end of each month. For details on Halo subscription plans and pricing, please visit http://cloudpassage.com/pricing/.
Q: Are security policies evolving with new security issues, and what do you see as the future of incorporating security policies easily without spending too much effort?
The only way that the enforcement of security policies can span multiple deployment architectures is through centralized security orchestration. Disparate products with their own management portals become unmanageable as an organization’s compute footprint scales. Utilizing an always-on SaaS portal to interface with a cloud-hosted grid, like CloudPassage Halo, allows organizations to define and enforce policies from a browser or integrate, via our REST API, with existing orchestration tools.
Results of Quick Poll #2
Q: Does CloudPassage support OAuth to facilitate secure access to cloud resources?
At this time, CloudPassage Halo supports Single Sign-On (SSO) via Security Assertion Markup Language 2.0. This allows us to easily integrate with the leading Identity and Access Management (IAM) vendors like OneLogin, Okta, and Ping Identity, among others.
Q: To launch ShareFile for health care, ShareFile must be HIPAA compliant. Can you speak specifically to one or two features of CloudPassage that simplified HIPAA compliance?
As stated by Manuel Landrón on the webinar, using CloudPassage Halo file integrity monitoring and configuration security monitoring helps Citrix ShareFile with HIPAA compliance by providing continuous visibility into the security of the ShareFile cloud server instances.
Specifically, CloudPassage Halo helps ShareFile, as it pertains to HIPAA compliance in the above context, with 164.312(b) – Audit Controls, 164.312(c)(1) – Integrity, and 164.312(c)(2) – Mechanism to Authenticate Electronic Protected Health Information.
Results of Quick Poll #3
On behalf of Carson Sweet of CloudPassage, Manuel Landrón of Citrix ShareFile, and Keren Elazari of GigaOm, thank you for attending the webinar, responding to the survey questions, and being an interactive audience.