Patrick Walsh
Originally published at blog.ironcorelabs.com.

SaaS Trust Models for Security and Data Privacy

Zero-trust models are the ultimate in privacy but are rarely an option. It doesn’t have to be a choice between zero trust and full trust, though: there’s a sliding scale of trust models in the middle. Here’s why those intermediate models also have value.

Trust. It’s what powers business. Consumers and businesses buy from brands they trust. But in the world of software-as-a-service, trust is about far more than brand reputation.

Our natural inclination is to trust the brands that our peers trust. This is why large companies are able to keep selling software even when their products stagnate. But even large companies need to watch out for the trapdoor at their feet and the thing that can turn their biggest advocates into their loudest critics: privacy.

Privacy is becoming a reason for consumers to purchase a product, in the same way that “organic,” “free trade” and “cruelty-free” labels have driven product sales in the past decade. — Gartner

Zoom recently discovered this the hard way, when users learned that their security and privacy expectations weren’t being met.

What is the purpose of a trust model?

Trust models at a general level can be applied in many different settings. In cryptographic settings, there are very explicit attack models that serve as shorthand for understanding what different actors in secure protocols can or cannot learn. These have names like “adaptive chosen-ciphertext attack (CCA2).” They are incredibly useful when evaluating cryptographic protocols against a need, but we lack a similar way to talk about SaaS offerings.

Having a common language and definitions makes conversations about data privacy needs and requirements much easier. Different needs lead to different models, and there’s a rich spectrum to choose from depending on the use case.

For example, Customer Managed Keys (CMK, aka Bring Your Own Keys or BYOK), when done right, is a trust-but-verify model. This means the customer has control of a master key or keys for decrypting the data that their service provider holds and can see when their data is accessed. The service provider does not have access to this data without the ongoing consent of their customer.

What are the SaaS trust models?

There are a number of models that are in widespread use today, though they aren’t often named as such. It’s worth noting that we sometimes see a mixture of models depending on the data or on the level of service. For example, Salesforce offers stronger trust models if you pay a premium for their Salesforce Shield features.

Here are the models we see from most common to least common:

In many cases where IronCore has worked with customers, there is a mixture of trust models. For example, attachments may follow a zero-trust model while sensitive or regulated data follows a trust-but-verify model. For the purposes of these models, we generally ignore data that a customer would not deem to be private.

Asking the right questions

Perhaps with a shared language, we can all better evaluate service providers according to how much trust we must grant them to use their service. The right answer depends on what data we’re entrusting, what harm could come from a curious admin or hacker, potential regulatory penalties, and more. Taken together, these factors let us better evaluate the risk we take in partnering with a SaaS provider.

Questions worth asking a service provider as a potential customer:

These questions are the starting point for evaluating trust. Unfortunately, in most cases today, the answers to these questions mean you must fully trust the service provider. But as customers of SaaS mature in the questions we ask and how we evaluate businesses, more and more SaaS companies will up their trust game by reducing the amount of blind trust required to use their service.