Security questions haven’t always been top-of-mind for business leaders buying SaaS tools, but they should be. SaaS applications are eating the world of software, with over 19,000 SaaS, PaaS, and IaaS companies now clamoring for your business. And almost all SaaS purchases are driven by business workers, not IT. In fact, Cisco found that at large organizations, 98% of SaaS software was purchased and maintained without any IT intervention.
Business leaders turn to SaaS tools because they are easy to buy and fast to deploy. Rather than sitting through a four-hour requirements meeting with their IT team, they can sit through a flashy vendor demo and get a purpose-built solution up and running almost as soon as they can get their hands on a corporate credit card.
In short, there’s no reversing this trend now. Business people are going to continue to purchase and run their own software tools. This is great for solving problems quickly, but not as great for ensuring sensitive company data is kept safe. With so many options — and so little oversight from IT — it’s easy for organizations to accidentally put their data at risk by selecting a vendor that fails to meet basic security requirements.
Because SaaS vendors will, by definition, host your company’s data on their servers, even the most technophobic business leader should carefully consider the risks. The disruption caused by data breaches, data loss, denial-of-service attacks, downtime, and more can be catastrophic for any organization.
According to security vendor McAfee, fewer than 1 in 10 cloud services meet minimum security requirements. On average, large organizations experience 23 outsider threats and more than 10 insider threats each month. And with new SaaS vendors popping up all the time, how can a business leader trust that they’ve invested as much in their security practices as they have in their marketing videos and pitch decks?
SaaS security is a highly technical space that can be difficult for a business leader to understand. Nevertheless, businesses need to be sure their technology vendors have a strong track record on security, and that they are investing to innovate on security in the future. There are three basic questions everyone should be able to ask a SaaS vendor to ensure their data is well protected.
Identity and access management is fundamental to protecting your company data. It is a system of procedures, policies, and technologies to manage the lifecycle and entitlements of electronic user credentials. Your SaaS vendor should be able to describe how you can set this up to prevent people from accessing data they should not have access to. Your vendor should make it easy for you to manage users in a way that complies with your internal policies via features like single sign-on (SSO), role-based access, custom password policies, two-factor authentication and more.
Just because your applications and data are technically living in a data center outside of your organization doesn’t mean your vendor shouldn’t give you control over how they are protected. Your SaaS vendor should be able to tell you exactly where your data is stored and how it is protected. Data encryption is important, and your vendor should not only encrypt your data at all times (in motion or at rest), but should also offer you maximum control with options for managing your own encryption keys.
People do strange things. What happens in your SaaS tool when an employee logs in and deletes a bunch of data before defecting to a competitor? Will you be able to tell who did what in the application? Trustworthy SaaS vendors should have built-in audit logging capabilities that allow you to see all activities any user has performed inside the application, and provide the necessary support to roll back changes in the event of a malicious or accidental incident.
SaaS applications are tipping the scales in favor of agile businesses, and there’s no reason to sacrifice security in order to reap those benefits. At Quick Base, we’ve spent over 15 years building a platform that puts maximum power in the hands of end users, so offering world-class security at the same time is a must. We believe everyone deserves the same from every SaaS vendor.