Software as a Service (SaaS) solutions has been booming in the recent many years. This trend doesn’t seem to stop for the time being. Quite the reverse, the SaaS market will grow in the coming years according a report from Gartner. Your company has probably already SaaS solutions implemented, but I can guarantee that you’ll get even more SaaS solutions in the future. With good reason, since you’ll get access to fast, stable, innovative and cost-efficient technology and application infrastructure.
Your company need to consider several factors before deciding to invest in a SaaS solution. Dorthe, one of our skilled consultants, has previously written an article about conditions that help to ensure a successful implementation of a SaaS solution. It’s certainly important to examine how the software is implemented but the factors; functionality, economy and data security are equally important. What needs must the solution support, what does the economy look like and are data being processed securely by the vendor?
I look specifically at the security aspect in this article. It can quickly become a bad and expensive experience if the chosen vendor aren’t up to the task and doesn’t live up to its responsibility’s regarding data security.
New technologies, more data, increased risk
Danish companies are embracing new technologies and solutions in a large scale. With them, a larger and larger amount of data are running through the solutions. The large amounts of data also pose a greater challenge in securing data according to the report “Global Data Protection Index” by Dell Technologies.
71 % of the IT decision-makers surveyed in the report says that new technologies such as artificial intelligence and 5G and edge infrastructure makes data protection more complex. They also respond that the new technologies potentially pose a real threat to data security.
This help to emphasize the legitimacy of the blog post; be thorough when researching how SaaS vendors process your data.
Who is responsible for the data security?
Data security is a broad term and covers everything from firewalls, password control, software updates, backup, personal data, etc. In this blog post, I’ll primarily address the protection of the data that runs through the relevant SaaS solution.
Different systems manage different types of data. For instance, CRM systems is managing customer data while salary systems are managing salary- and personnel data. At Acubiz, we manage credit card data, invoice data and data on employees’ time consumption if our solution for digital time registration, Acubiz Time, is being used.
I’ve mentioned this phrase in some of my previous blog posts. But it’s important and therefore I’m repeating it every time I get the chance to do so: You and your SaaS vendor share the responsibility for data security. The vendor takes care of everything related to the underlying infrastructure, while you’re responsible for proper, secure and safe usage of the application.
Meaning that the SaaS vendors naturally take on the responsibility for keeping the customer’s data in a secure environment. That is, making sure that the server setup is secure, that firewall measures are installed, that data is encrypted, that backup and recovery procedures are in place, that the software is continuously updated, that internal processes for data processing is in order, etc. The company has to make sure that users do not reuse passwords or write them down accessible places. Instead, they must ensure that users are aware of how to protect themselves, their identity, username and password.
What safety aspects do you need to consider?
SaaS solutions can hold a large amount of business- and personal data. And since they can be accessed from any device by many users at the same time, they can potentially pose a significant security risk. Therefore, it’s important that you remember to do your preparatory work and examine the SaaS provider’s approach to data security. I can’t emphasize this enough. The truth is that it’s desirable to avoid a security breach – both for the SaaS vendor and for you as a company.
SaaS vendors are well aware of this. That’s why the vast majority have both solid and strong security measures in place and a huge focus on data security. They often use sophisticated and secure cloud infrastructures that are monitored and controlled day and night. Let’s go through some aspects that you can consider when you’re on the market for a new SaaS solution.
1. How are the vendors internal processes for data processing?
Most can agree that e-mails containing customer- or personnel data shouldn’t be flying back and forth between employees or partners with no safety measures in place. SaaS vendors must continuously test and validate their own processes to ensure the correct handling of your data. And at the same time, they must make demands to hosting partners, business partners and other vendors with whom they may collaborate. It’s important to define who and how many people that have access to specific customer data. Likewise, it’s important to have documented data management processes in place in order to provide the right data security.
Then you might think; “How do we find out?”. And that’s a good question, where the simple answer is to ask the vendor about their internal processes. Or to investigate whether the vendor is getting carried out external audits of its procedures, and therefore can present certifications that document a secure approach on data processing. The certification can for example be an ISAE 3402 Type II, ISAE 3000 or an ISO 27001 certification. The former is a certification that Acubiz has received since 2016. The certification is an international standard used by IT service providers, where a high degree of security and control is required.
2. Make data processing agreements with the SaaS vendor
This aspect is linked with the previous in relation to examine whether the SaaS vendor comply with current security requirements and standards – including requirements for storage and processing of personal data, cf. the EU General Data Protection Regulation.
I strongly recommend that you make sure to enter data processing agreements with your SaaS vendors. A data processing agreement is an agreement between two companies that describes how the company, that processes the data, should process data. Remember that the data processing agreement must meet the various requirements and interpretations, which applies in those countries where you do business. The data processor can also enter data processing agreements with subcontractors.
Without a data processing agreement, you might end up in a difficult situation if the data security of the vendor is breached. Violations and breaches must be reported to the Danish Data Protection Agency. Off course, the consequences of a data security breach for those involved depend on the type of breach. It can potentially lead to identity theft, financial loss, removal of pseudo-anonymization, loss of confidentiality, etc.
Obviously, a data processing agreement doesn’t prevent a breach from happening but it does ensure that there’s a process in place to take care of it and a description of how data is processed.
3. What does the SaaS vendor offer in terms of additional security-enhancing measures?
Investigate if the SaaS vendor offers services that can strengthen the security further. Access control through Single Sign-On is an example of a service that help in keeping data secure.
Single Sign-On is access control of several related, but independent, IT systems and applications. The company can give the user access to multiple systems with just one login. It increases data security, as identity and access control can be controlled both centrally and internally. At the same time, Single Sign-On reduces the number of different usernames and passwords among users, the time spent entering login information and fewer inquiries to the IT department regarding forgotten passwords. In Acubiz, we can offer both Single Sign-On for our web and mobile application, which creates benefits for both our users and customers.
The configuration of Single Sign-On requires access to your Active Directory Federation Services (ADFS) infrastructure. Single Sign-On isn’t by itself a comprehensive security measure which at once increases your data security significantly. But along with other security measures, it helps to upgrade and improve your overall data security.
I recommend that you look for SaaS vendors who can offer additional security measures than what is merely “need to have”. It could be Single Sign-On but it could also be a solution for digital archiving for instance.
Here’s what to keep in mind
You’re well on your way to find a SaaS vendor who takes their data security responsibility seriously, if you can put a check mark next to this:
- The SaaS vendor is in control of internal data processing processes and may have an ISAE 3402 Type II certification or similar
- The SaaS vendor offers, up front, to enter a fully covering data processing agreement
- The SaaS vendor can offer additional security measures beyond what is “need to have”
Besides the above, it’s a prerequisite that the SaaS vendor is in control of the “basics” like firewall installations, data encryption, software updates, etc. And this has the vast majority. At Acubiz, we are very aware of our responsibilities regarding our customers’ data security. We believe that a strong data security setup serves the purpose of protecting the trust and the investment, that our customers have made in our service for expense management.
