Showing posts with label SaaS. Show all posts

Wednesday, August 12, 2020

Are SOC2 / ISO 2700x / HITRUST Attestations Enough for PaaS / SaaS Providers

The short answer is: not on their own. Attestations alone, without penetration testing reports or the ability for an organization that wants to provision the provider's services to run its own vulnerability scan, are not acceptable.

As someone who has performed internal security assessments, as well as many external ones, I find that the scope of an attestation is far too often extremely limited. Therefore, these reviews do not provide an adequate benchmark of security and/or privacy compliance or posture.

So, kick the proverbial tires, without requiring an expensive onsite audit.


Monday, September 19, 2016

SaaS AI & Privacy

Salesforce's AI platform, Einstein (https://www.salesforce.com/products/einstein/overview/), may present some privacy concerns.

Because it is a SaaS service, the question arises whether data from multiple tenants will be included in the analysis.

Will GDPR, U.S. Privacy Shield, HIPAA, and PCI DSS requirements be taken into account? If so, it would behoove Salesforce to include details on de-identification.