There are many advantages to Software-as-a-Service (SaaS), also called cloud-based software products. As a customer, you get access to fast, stable, innovative and cost-efficient technology and application infrastructure. Many organizations acknowledge these benefits, which is why SaaS has become the preferred delivery model in many areas. But as we all know, there is usually a flip side to the coin that needs to be considered.
When it comes to SaaS, data security can easily be that flip side, and therefore it is a very important factor to investigate.
The question is: “Have you done thorough preparatory work when it comes to evaluating your SaaS providers’ approach to data security?”
Cloud or on-premise?
Most of you are probably already aware of what cloud and on-premise stand for. But in order to further set the scene, I’ll briefly outline the differences between the two delivery models. In a cloud-based approach, software and data are hosted off-site. With on-premise, by contrast, the whole setup of hardware and servers needed to run applications and store data is housed by yourself – hence the name, on-premise. The main advantage of the cloud approach is that it is more flexible and cost efficient. As a business, you don’t need to invest in the hardware or software needed to run applications, and you don’t need to worry about maintenance and updates of the respective software products. However, you give up full control over the approach to data security.
With SaaS, you and your vendor share the responsibility for data security – the vendor takes care of everything related to the underlying infrastructure, and you are responsible for proper, secure and safe usage of the product.
The question is: “Can you trust that your SaaS provider is serious about its part of the job?”
What you need to consider
I’ve got 3 tips lined up for you when it comes to security and SaaS solutions. They are relevant both if you are looking for new software and analyzing the market, and if you are considering auditing your existing providers. By the way, the latter is a good thing to do from time to time.
All right, here we go:
1. Choose your SaaS vendors with care
The first tip is, in my opinion, the most important. It’s about trust.
The supply of SaaS-based solutions is massive, and you have plenty of options. As an example, within our area of expertise, Expense Management and solutions for managing travel expenses, there are many options to choose from nowadays. The fact is that a large part of the responsibility for data security lies with the software vendor, so you need to be careful when you choose who to work with.
You need to look for vendors that offer solid control over user rights and data access in the solution, and it is a plus if the vendor can also offer data encryption. It is also important that you ask where and how data is stored. Is data kept domestically, in the EU, outside the EU or in a basement somewhere? What characterizes the server setup and the security around it? You also need to check how the backup and data retrieval process works.
You also always need to make sure that your suppliers have well-defined internal processes for data processing in place. It is important that these processes comply with current legal requirements and standards, including the requirements for storage and management of personal data under GDPR. For example, you can investigate whether the respective suppliers conduct an external audit of their processes and are thereby able to present certifications that document a serious approach to data management and security. This could be an ISAE 3402 Type II, an ISAE 3000 or an ISO 27001 certification. Finally, you need to ensure that a solid Data Processing Agreement (DPA) is signed between you and your SaaS suppliers. Without DPAs in place, you can end up in a difficult situation if a serious data breach happens on the supplier side.
Also remember that it isn’t without cost for a SaaS provider to establish and maintain a strong security setup with well-documented processes. Therefore, I advise you to think twice before you choose the cheapest solution on your shortlist – it can end up being an expensive affair in the long run!
2. Implement rules for the use of cloud-based applications
This tip is related to your part of the job – in other words, it is about the appropriate, safe use of the SaaS products. You have to formulate and implement a clear policy and a ruleset for the usage of cloud-based software.
Ideally, this policy should address both the users and the decision makers who buy software. It has to be a ruleset that defines which types of employees will be granted access to the respective tools, and which access levels the various employees should be granted. It must also specify how the products can be accessed – i.e. through which devices.
A policy like this should also be linked to the way your business educates employees in correct behavior related to the use of internet-based software solutions. For example, how do employees best protect themselves, their identities, usernames and passwords?
3. Consider if you need a separate tool to protect your SaaS data
Perhaps you are already using SaaS products from multiple respected vendors with strong security measures. But at the same time, perhaps your application landscape has become so complex that it now makes sense to invest in your own security layer.
This tip is obviously closely connected to tip number 2, because there are solutions on the market that help you manage your part of the security task. However, it is a good idea to have the framework of rules and policies in place (according to tip number 2) before you begin to look for a tool that helps you enforce them. Security breaches can happen in many different ways, for example through inappropriate sharing of data, theft (such as employees stealing data), compromised user accounts due to weak passwords, excessive user permissions, etc. These are the kinds of breaches you need to deal with.
The point is that when you implement rules for the usage of your organization’s cloud-based tools, you also need to make sure that your employees comply with the rules. And this can be a challenge if the landscape has grown large and complex. There are quite a few solutions out there to assist you with this, and for a start, you can check out what some of the big players, like McAfee and RSI, have on offer.
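As an added illustration of what “enforcing the rules” from tips 2 and 3 means in practice, here is a small policy check over constructed SaaS audit events that flags the three breach patterns named above (external sharing, excessive permissions, and logins from unmanaged devices or without MFA). This is example code written for this post, not a product from any vendor mentioned; the corporate domain, role-per-department table, device inventory and sample events are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed policy inputs (not from the original post).
CORPORATE_DOMAIN = "example.com"
ALLOWED_ROLES_BY_DEPT = {"finance": {"viewer", "approver"}, "sales": {"viewer"}}
MANAGED_DEVICES = {"LT-1001", "LT-1002"}

@dataclass
class Event:
    """One SaaS audit event (constructed schema)."""
    user: str
    dept: str
    action: str        # "share", "grant_role" or "login"
    target: str = ""   # recipient address, role name or device id, per action
    mfa: bool = True   # only meaningful for "login"

def policy_findings(event: Event) -> list[str]:
    """Return a list of policy violations for a single event (empty if compliant)."""
    findings: list[str] = []
    if event.action == "share":
        domain = event.target.rsplit("@", 1)[-1].lower()
        if domain != CORPORATE_DOMAIN:
            findings.append(f"external share to {domain} by {event.user}")
    elif event.action == "grant_role":
        if event.target not in ALLOWED_ROLES_BY_DEPT.get(event.dept, set()):
            findings.append(f"excessive permission '{event.target}' for {event.user} ({event.dept})")
    elif event.action == "login":
        if event.target not in MANAGED_DEVICES:
            findings.append(f"login from unmanaged device {event.target} by {event.user}")
        if not event.mfa:
            findings.append(f"login without MFA by {event.user}")
    return findings

def audit(events: list[Event]) -> list[str]:
    """Run the policy over a batch of events and collect all findings."""
    return [finding for e in events for finding in policy_findings(e)]

# Constructed sample events: two compliant, three non-compliant.
SAMPLE_EVENTS = [
    Event("anna@example.com", "finance", "share", "bob@example.com"),
    Event("anna@example.com", "finance", "share", "friend@gmail.com"),
    Event("carl@example.com", "sales", "grant_role", "admin"),
    Event("dina@example.com", "finance", "grant_role", "approver"),
    Event("erik@example.com", "sales", "login", "LT-1001"),
    Event("erik@example.com", "sales", "login", "PHONE-X", mfa=False),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_EVENTS):
        print(line)
```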
A shared responsibility
As I touched upon earlier in this blog post, you and your vendor have a shared responsibility for data security when it comes to SaaS solutions. In my opinion, this is important to remember, and that is where I’m going with these 3 tips. No matter how careful your own organization might be about SaaS security, it has no impact if you have chosen a vendor that isn’t up to its part of the task. And the other way around, of course.
My business, Acubiz, is a well-established supplier of cloud-based software for managing employee expenses and travel expenses. We are serious about our part of the job related to data security. Very serious indeed. It is an important component of our product strategy, because we believe that a strong data security setup protects the investment our customers have made in our service.
Remember, you’re allowed to place demands on your vendors. That’s how it should be in a relationship of trust.
The question is: “Do you trust your current SaaS vendors?”