July 9th, 2020
While commercial software as a service (SaaS) products have been around for more than two decades, the market has grown significantly in the past few years. According to Gartner, SaaS revenue is expected to grow to $133 billion in 2021, up from $87.5 billion in 2018.
Organizations are moving from on-premises to SaaS applications to save money, give employees more choice in the tools they use, and preserve IT resources. When choosing SaaS vendors, factors like price, uptime, and service are all important, but your priority should be security. The purpose of this piece is to provide guidance on how to evaluate the security policies of potential SaaS vendors.
First, let’s think about application security in the on-premises environment. For the most part, after licensing technology from a vendor, the work of hardware and software installation, managing the software on company servers, upgrades, security, and disaster recovery all fall on the shoulders of internal IT staff. In the SaaS model, however, the vendor takes on the brunt of this work (configurations, software updates, security, and management), pushing them to the client through a cloud platform.
It’s likely that a SaaS vendor will have access to at least some of your company’s sensitive information, so it’s important to work with organizations you trust. Not doing your due diligence could end up costing your company millions of dollars, and possibly put you out of business.
In addition, the simplicity of purchasing SaaS applications (just creating an account on a website) creates an environment that could put your company at risk for additional exposure. Companies with between 200 and 500 employees use on average 120 SaaS applications. You need to be able to manage all of these services in a consistent manner, and know that individual vendors keep clients’ security needs top of mind.
You can start your assessment of any SaaS vendor by looking at how they handle situations directly related to their clients. Here are factors to consider:
We live in a world where data breaches have become commonplace. While vendors should try hard to prevent these events from happening, the next best thing they can do is have a plan for what comes next. A SaaS vendor should be able to tell you how much time it will take them to notify a client after a breach, their plan to fix or respond to it, and their policies around financial liability if they are at fault.
Your organization likely does its own periodic security audits to evaluate your own network, infrastructure, and application usage. Reliable SaaS vendors do the same. Potential vendors should be willing to share what they evaluate, how often, and how it relates to protecting client information.
Employees use an average of eight SaaS applications, not to mention the on-premises applications they have to access as well. If you are using single sign-on (SSO) or identity and access management (IAM) tools to manage employee access, a new SaaS application needs to integrate with them. Make sure any vendor is compatible with the security tools that you already use.
While a vendor doesn’t have to disclose to you the state of its finances or if it's looking to be acquired, it should be able to tell you its plan for your data if it goes out of business or changes ownership. You do not want to be in a situation where you cannot access sensitive information, or have to go through another party to obtain it.
Now, let’s look at the more technical side of a SaaS vendor and think about how their software is made, how it’s serviced, and how other companies use it.
Ask your vendor if their product is built with proprietary, unique code or if it was built partially with open source software (OSS). This is important to know because open source-related security breaches increased 71 percent between 2014 and 2019. The infamous 2017 Equifax security breach was traced to a known vulnerability in open source software that should have been patched by the company’s IT team.
There’s nothing wrong with using OSS components, but a vendor should stay informed about known flaws and vulnerabilities and fix them as soon as possible.
Security should not be an afterthought for a SaaS vendor. Ask how their engineering teams factor security into the development process. Do they have a dedicated resource for it? Where does security testing fit into the development lifecycle?
A salesperson may not always have an immediate answer to a technical question, but their organization should have a process in place to relay technical questions to the person best suited to answer them. This same process should be used for client service teams. Be wary of sales teams that rely on marketing materials instead of finding the correct answers to prospects’ questions.
Potential SaaS vendors should be able to provide you with references of companies that are using their applications. Preferably these companies should be of similar size and industry to you. This will give you an opportunity to speak with a technical leader who can discuss the SaaS vendor’s ability to deliver and if they have any concerns about the quality of service.
Depending on your organization’s industry and location, you may be subject to regulations like GDPR, CCPA, or HIPAA. Your SaaS vendors must have policies in place that keep them in compliance with these regulations as well.
It is not enough for a vendor to simply have a logo or short statement on their website that says they are in compliance with the most common regulatory frameworks. If asked, they should be able to provide you with documentation about what they are doing to meet the specific components of these requirements.
What all of these recommendations have in common is that they require openness and transparency from the vendor. SaaS vendors should take security as seriously as you do. If they are unwilling to provide information about how they keep clients’ information safe, they may not be the right partner for you.
Figuring out which bases to cover is not an easy process to navigate, especially in times like these, and that’s why Electric is here to support your organization.