3 Critical Security Questions to Ask Your SaaS Vendor

Sep 27, 2018

Security questions haven’t always been top-of-mind for business leaders buying SaaS tools, but they should be. SaaS applications are eating the world of software, with over 19,000 SaaS, PaaS, and IaaS companies now clamoring for your business [1]. And almost all SaaS purchases are driven by business workers, not IT. In fact, Cisco found that at large organizations, 98% of SaaS software was purchased and maintained without any IT intervention.

Business leaders turn to SaaS tools because they are easy to buy and fast to deploy. Rather than sitting through a four-hour requirements meeting with their IT team, they can sit through a flashy vendor demo and get a purpose-built solution up and running almost as soon as they can get their hands on a corporate credit card.

In short, there’s no reversing this trend now. Business people are going to continue to purchase and run their own software tools. This is great for solving problems quickly, but not as great for ensuring sensitive company data is kept safe. With so many options — and so little oversight from IT — it’s easy for organizations to accidentally put their data at risk by selecting a vendor that fails to meet basic security requirements.

“Buyer beware: Many SaaS platforms spend a lot more on marketing videos than advanced security features.”

The Risks are Real

Because SaaS vendors will, by definition, host your company’s data on their servers, even the most technophobic business leader should carefully consider the risks. The disruption caused by data breaches, data loss, denial-of-service attacks, downtime, and more can be catastrophic for any organization.

According to security vendor McAfee, fewer than 1 in 10 cloud services meet minimum security requirements. On average, large organizations experience 23 outsider threats and more than 10 insider threats each month. And with new SaaS vendors popping up all the time, how can a business leader trust that they’ve invested as much in their security practices as they have in their marketing videos and pitch decks?

3 Questions Every SaaS Vendor Should Answer

SaaS security is a highly technical space that can be difficult for a business leader to understand. Nevertheless, businesses need to be sure their technology vendors have a strong track record on security, and that they are investing to innovate on security in the future. There are three basic questions everyone should be able to ask a SaaS vendor to ensure their data is well protected.

  1. How do I manage who has access to what information?

Identity and access management is fundamental to protecting your company data. It is a system of procedures, policies, and technologies to manage the lifecycle and entitlements of electronic user credentials. Your SaaS vendor should be able to describe how you can set this up to prevent people from accessing data they should not have access to. Your vendor should make it easy for you to manage users in a way that complies with your internal policies via features like single sign-on (SSO), role-based access, custom password policies, two-factor authentication and more.

  2. What kind of protection do I have over my applications and data?

Just because your applications and data are technically living in a data center outside of your organization doesn’t mean your vendor shouldn’t give you control over how they are protected. Your SaaS vendor should be able to tell you exactly where your data is stored and how it is protected. Data encryption is important, and your vendor should not only encrypt your data at all times (in motion or at rest), but should also offer you maximum control with options for managing your own encryption keys.

  3. How can I tell when something went wrong, and what do I do next?

People do strange things. What happens in your SaaS tool when an employee logs in and deletes a bunch of data before defecting to a competitor? Will you be able to tell who did what in the application? Trustworthy SaaS vendors should have built-in audit logging capabilities that allow you to see all activities any user has performed inside the application, and provide the necessary support to roll back changes in the event of a malicious or accidental incident.
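The scenario above, turned into a check you could run over an exported audit log. This is an added example, not Quick Base code; the JSON field names, the sample events, the threshold and the time window are all assumptions made for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit-log export (JSON lines). The field names are
# assumptions for illustration, not any vendor's real schema.
SAMPLE_LOG = """\
{"ts": "2018-09-20T09:00:05", "user": "alice", "action": "login", "record": null}
{"ts": "2018-09-20T09:01:00", "user": "alice", "action": "update", "record": "r-17"}
{"ts": "2018-09-20T17:40:00", "user": "bob", "action": "login", "record": null}
{"ts": "2018-09-20T17:41:10", "user": "bob", "action": "delete", "record": "r-101"}
{"ts": "2018-09-20T17:41:30", "user": "bob", "action": "delete", "record": "r-102"}
{"ts": "2018-09-20T17:42:00", "user": "bob", "action": "delete", "record": "r-103"}
{"ts": "2018-09-20T17:42:15", "user": "bob", "action": "delete", "record": "r-104"}
{"ts": "2018-09-20T10:15:00", "user": "alice", "action": "delete", "record": "r-17"}
{"ts": "2018-09-20T16:00:00", "user": "alice", "action": "delete", "record": "r-18"}
"""


def find_bulk_deletes(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {user: [record ids]} for every user who deleted at least
    `threshold` records within one sliding `window`."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: e["ts"])  # exports are not always in time order
    recent = defaultdict(deque)   # user -> (timestamp, record) still inside the window
    flagged = defaultdict(list)   # user -> records to review and restore
    for event in events:
        if event["action"] != "delete":
            continue
        ts = datetime.fromisoformat(event["ts"])
        queue = recent[event["user"]]
        queue.append((ts, event["record"]))
        while ts - queue[0][0] > window:   # drop deletes older than the window
            queue.popleft()
        if len(queue) >= threshold:
            for _, record in queue:
                if record not in flagged[event["user"]]:
                    flagged[event["user"]].append(record)
    return dict(flagged)


if __name__ == "__main__":
    for user, records in find_bulk_deletes(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {len(records)} deletions to review -> {records}")
```

If a vendor's audit log cannot supply at least a timestamp, a user and the affected record for each action, a check like this has nothing to work from.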

The Bottom Line

SaaS applications are tipping the scales in favor of agile businesses, and there’s no reason to sacrifice security in order to reap those benefits. At Quick Base, we’ve spent over 15 years building a platform that puts maximum power in the hands of end users, so offering world-class security at the same time is a must. We believe everyone deserves the same from every SaaS vendor.

References

  1. Crozdesk SaaS and Cloud Startup Report 2018
