3 Questions Every SaaS Vendor Should Answer
SaaS security is a highly technical space that can be difficult for a business leader to understand. Nevertheless, businesses need to be sure their technology vendors have a strong track record on security, and that they are investing to innovate on security in the future. There are three basic questions everyone should be able to ask a SaaS vendor to ensure their data is well protected.
- How do I manage who has access to what information?
Identity and access management is fundamental to protecting your company data. It is a system of procedures, policies, and technologies for managing the lifecycle and entitlements of electronic user credentials. Your SaaS vendor should be able to describe how you can set this up to prevent people from accessing data they should not have access to. Your vendor should make it easy for you to manage users in a way that complies with your internal policies via features like single sign-on (SSO), role-based access, custom password policies, two-factor authentication and more.
- What kind of protection do I have over my applications and data?
Just because your applications and data are technically living in a data center outside of your organization doesn’t mean your vendor shouldn’t give you control over how they are protected. Your SaaS vendor should be able to tell you exactly where your data is stored and how it is protected. Data encryption is important, and your vendor should not only encrypt your data at all times (in motion and at rest), but should also offer you maximum control with options for managing your own encryption keys.
- How can I tell when something went wrong, and what do I do next?
People do strange things. What happens in your SaaS tool when an employee logs in and deletes a bunch of data before defecting to a competitor? Will you be able to tell who did what in the application? Trustworthy SaaS vendors should have built-in audit logging capabilities that allow you to see all activities any user has performed inside the application, and provide the necessary support to roll back changes in the event of a malicious or accidental incident.
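As an added example (not code from the article or from any vendor's product), this is the kind of check a per-user audit log makes possible for the departing-employee scenario above: it flags any user whose deletions within a short window exceed a threshold and lists the affected records so they can be restored. The event format, field names, sample events and thresholds are all constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events, one JSON object per line (assumed format, not a real vendor's).
SAMPLE_AUDIT_LOG = """
{"ts": "2024-03-01T09:00:00Z", "user": "bob",   "action": "record.delete", "target": "customer/2001"}
{"ts": "2024-03-01T11:15:00Z", "user": "carol", "action": "record.view",   "target": "customer/1001"}
{"ts": "2024-03-01T15:30:00Z", "user": "bob",   "action": "record.delete", "target": "customer/2002"}
{"ts": "2024-03-01T17:02:10Z", "user": "alice", "action": "record.delete", "target": "customer/1001"}
{"ts": "2024-03-01T17:02:41Z", "user": "alice", "action": "record.delete", "target": "customer/1002"}
{"ts": "2024-03-01T17:03:05Z", "user": "alice", "action": "record.delete", "target": "customer/1003"}
{"ts": "2024-03-01T17:03:30Z", "user": "alice", "action": "record.delete", "target": "customer/1004"}
{"ts": "2024-03-01T17:04:02Z", "user": "alice", "action": "record.delete", "target": "customer/1005"}
{"ts": "2024-03-01T17:04:55Z", "user": "alice", "action": "record.delete", "target": "customer/1006"}
"""

def parse_events(raw):
    """Parse newline-delimited JSON audit events, converting timestamps to datetimes."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events

def find_bulk_deleters(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: [deleted targets]} for every user who performed at least
    `threshold` deletes inside any sliding time window of length `window`."""
    deletes = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["action"] == "record.delete":
            deletes[event["user"]].append(event)
    flagged = {}
    for user, evs in deletes.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events in [start, end] fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Report every record this user deleted so a rollback has the full list.
                flagged[user] = [e["target"] for e in evs]
                break
    return flagged
```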