As companies show more and more interest in Software-as-a-Service (SaaS), so do their concerns grow about the risks of storing sensitive data on poorly secured SaaS “cloud” servers.
The results of a 2012 Capgemini report showed that the top concern for businesses considering a move to the cloud was the possibility of a data breach. Companies are rightly concerned about such breaches, against the backdrop of a flurry of reported data breaches in recent times.
Data is an important strategic asset for any business, and a breach of it can be devastating. This means any SaaS provider worth considering should concentrate its efforts on maintaining high security and privacy standards for its clients’ data.
In this article, I’ll share what to look out for when considering how a SaaS provider will handle your precious data.
I’ll also cover the risks associated with storing your data with a poorly secured SaaS product.
Along the way, I’ll explain how to ensure you’re making the right choices when selecting the SaaS provider to whom you’ll be trusting your sensitive data.
While using a SaaS provider will undoubtedly offer you several advantages, such as less upkeep on your part, lower overall costs, and making things easier on your IT department and your users, there are several risks involved in migrating to SaaS.
When you use a Software-as-a-Service provider, you are handing over your valuable data and other information to a third-party. If your data ends up in the wrong hands, especially your competition, it could be disastrous.
Security and stability are significant factors to consider when deciding on a SaaS provider. In a market growing as fast as SaaS, you can expect to encounter providers that have difficulty keeping up with demand. That becomes a serious problem if the provider you select goes out of business down the road.
If your provider does shut down, you could be faced with issues such as data recovery, the portability of your data, and the additional cost of finding a new provider. That adds up to a lot of your business’s time and money going down the drain.
A SaaS provider can easily rattle off encryption protocols, “256-bit security”, and more, but that may leave the customer confused rather than reassured. Logically, you know your data is being kept safe. But just how safe is it?
In addition to how your data is protected while it’s being transmitted and stored, what about disaster recovery? What happens in case of a power outage or a natural disaster? Is your precious data recoverable? How long will it take to get back up and running?
There will also be ongoing concerns on how well a provider will keep up with modern security standards. You’ll need to make sure the provider responds promptly when security holes are discovered, and updates to their security protection are required.
While using a SaaS provider’s servers means you don’t have to spend time and employee resources to configure, set up, manage, maintain and upgrade software, you do lose direct control over your data.
If something happens and you lose data, you won’t have any direct access to find out what went wrong. Instead, you’ll be forced to contact your service provider, then wait for their answer on what went wrong and for them to tell you what can be done about it.
Your SaaS provider may not disclose the locations of its data centers. This can cause issues for you down the line: many organizations are subject to data residency requirements. U.S. federal agencies and their contractors, for example, must meet the Federal Information Security Management Act (FISMA) and are often required to keep sensitive data in U.S. facilities, and other jurisdictions impose their own restrictions on where data may be stored. If the provider won’t tell you where your data sits, you cannot demonstrate that you meet such a requirement, and you may also face unexpected rules on who may access the data from abroad.
SaaS providers can certainly be less than transparent about how they handle the security of their customers’ data. This lack of transparency can cause mistrust between the provider and its customers.
There are providers that will argue, and perhaps rightly so, that this lack of transparency on how they run their server operations helps protect the security of their customers.
However, a happy medium needs to be found between secrecy and transparency. In this case, you do indeed want to know how the sausage is made!
When using a Software-as-a-Service provider keep in mind that all of your data will be residing on your service provider’s servers. Always take a close look at what type of safeguards a SaaS provider has in place to protect your company’s data.
Real-world security might not be the first thing that comes to mind when considering SaaS and cloud storage. However, if you’re using SaaS, your data is sitting on someone else’s hard drives. Those hard drives exist in a physical location, and that location should be kept secured from access by unauthorized personnel.
When a company uses its own servers, it considers things such as how its server farm is secured, which personnel have both physical and network access to the servers, and more.
Evaluating the security protection of a SaaS provider should be no different. Always quiz any potential provider on whether they own their servers, where those servers are located, what type of physical security protects access to their server farms, and who has physical access to them.
Disaster management is also an important consideration when evaluating a SaaS provider. What type of disaster recovery plan does the provider have in place in case of fire, earthquake, or tsunami? (Hey, it could happen!)
Any provider worth consideration should have a solid disaster recovery plan in place. They should have a disaster recovery site set up in a location geographically separated from their primary location, and they should perform disaster recovery testing on a regular basis. They should also be able to provide an informed estimate of how long it will take to get things up and running again when disaster does strike.
Make sure you understand how the SaaS vendor you’re considering approaches backups and recovery of your data. Make sure the agreement specifies the vendor is required to restore your data in case of disaster.
Important factors to consider here are how much downtime an application might experience before service is restored (the recovery time objective, or RTO) and how much data might be lost in the process (the recovery point objective, or RPO). The contract should state both, and you should always have some form of compensation, such as service credits, coming your way if your vendor doesn’t meet those commitments.
Once you’re satisfied the servers holding your data are physically protected, it’s time to determine how well your data is protected from virtual access by malicious parties.
What type of access do you have to your data? Who else has access to your data? How well is your access protected against a Denial of Service Attack?
Would it be possible for unauthorized users to gain access to your data via the vendor’s website? (In other words, does the vendor offer a login gateway on their public website, or is access performed strictly through a protected portal?)
A website gateway isn’t necessarily a weak spot. However, it can be an important piece of any phishing or spoofing attack conducted against a SaaS provider’s customers, because attackers can imitate the public login page to harvest credentials. (Some readers may remember the 2014 email spoofing incident that involved Salesforce. It is an excellent example of how a login gateway on a website can cause trouble.)
What type of authentication does the SaaS provider use to authenticate your users’ logins? Do they offer two-factor authentication (2FA)? Is the 2FA performed via an authentication app on a mobile device, is a link or code sent via email or text, or does the provider supply SecurID key fobs? Bear in mind that codes sent by email or SMS are the weakest of these options, since they can be intercepted or phished; authenticator apps and hardware tokens are preferable.
Check whether you can configure SaaS logins to come through your own identity provider, for example via single sign-on (SAML or OpenID Connect) from your company’s enterprise portal. That keeps user provisioning, deprovisioning and MFA policy under your control. Restricting access to a portal reached over a VPN or from known IP ranges adds another layer, though it is a supplement to strong authentication, not a substitute for it.
You’ve made sure access to your data is secure. Now, what about the security of the data itself? Always make sure your data is protected by encryption, both while it’s being transmitted and while it’s stored on the provider’s hard drive.
Data should be encrypted with a strong algorithm, such as AES-256, at rest, and with TLS in transit. Also make sure your backups are encrypted for extra protection. Ask who holds the encryption keys: if the provider manages them, anyone with sufficient access on the provider’s side can read your data, whereas customer-managed keys let you revoke the provider’s ability to decrypt.
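The following is an added example, not code from the original article or from any SaaS provider, showing what “encrypted at rest with customer-managed keys” means in practice. It assumes an envelope-encryption design: the customer holds a key-encryption key (KEK), each record is encrypted with its own data-encryption key (DEK) under AES-256-GCM, and the DEK is wrapped with the KEK before being stored alongside the ciphertext. The record IDs, sample data and passphrase-derived KEK are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope encryption (added example). The customer holds a 256-bit KEK.
// Each record gets a fresh 256-bit DEK; the record is sealed with the DEK
// under AES-256-GCM and the DEK is sealed with the KEK. The provider stores
// only StoredRecord, so without the KEK it cannot recover the plaintext.

// StoredRecord is what the provider (and its backups) keep on disk.
type StoredRecord struct {
	WrappedDEK []byte // DEK sealed under the customer's KEK (nonce || ciphertext)
	Ciphertext []byte // record sealed under the DEK (nonce || ciphertext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a random nonce; output is nonce || ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; it fails if the key, nonce, aad or ciphertext is wrong.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt builds a StoredRecord. recordID is bound as associated data so a
// ciphertext (or wrapped DEK) cannot be silently moved to another record.
func Encrypt(kek, plaintext []byte, recordID string) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return StoredRecord{}, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := seal(kek, dek, []byte("dek:"+recordID))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the record.
func Decrypt(kek []byte, rec StoredRecord, recordID string) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte("dek:"+recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(recordID))
}

// DeriveKEK turns a passphrase into a 32-byte key for this demo only.
// Assumption: a real deployment keeps the KEK in the customer's HSM or KMS
// rather than deriving it from a passphrase with a single SHA-256.
func DeriveKEK(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

func main() {
	customerKEK := DeriveKEK("customer-held-secret")  // constructed sample key
	plaintext := []byte("customer list: acme, globex") // constructed sample data

	rec, err := Encrypt(customerKEK, plaintext, "crm/record/42")
	if err != nil {
		panic(err)
	}
	// The provider can read everything in rec but not the plaintext.
	fmt.Println("plaintext visible in stored record:", bytes.Contains(rec.Ciphertext, plaintext))

	got, err := Decrypt(customerKEK, rec, "crm/record/42")
	fmt.Println("customer decrypts:", string(got), err)

	_, err = Decrypt(DeriveKEK("provider-guess"), rec, "crm/record/42")
	fmt.Println("provider without KEK:", err)
}
```

The design point is the split: the provider is trusted to store and serve ciphertext, but only the holder of the KEK can unwrap a DEK. Binding the record ID as associated data also stops a ciphertext from being replayed under a different record, which matters for backups as much as for live data.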
Find a provider that is open about their security and encryption procedures. Sure, they can’t spill all the beans on how things are secured, but they should be able to supply enough information to put your mind at ease. Microsoft, for example, has done a top-notch job of being transparent about their security measures.
While SaaS buyers may logically expect that they own their data, there have been cases where the companies have been in for a big surprise when they terminated their relationship with their provider.
Make sure all contracts clearly specify what fees, if any, are connected with getting your data back at the end of a contract, and in what format it will be returned. Also make sure it is clear that, in addition to all of your data, you retain ownership of any proprietary code and customizations you put in place during the agreement, and that these come with you at the end of the day.
Many SaaS vendors collect aggregated, anonymized usage data across multiple clients. This allows the vendors to set their research and development roadmaps and to benchmark areas such as application usage, sales pipeline metrics, customer service wait times, and much more.
While this is a reasonable way to do business, customers should be provided with information about the data being captured by the provider, plus any possible benefits the customer might gain from the gleaning of their information.
Be sure your SaaS service contract details expectations for application uptime. While a provider may make some off-hand guarantee of “99.5% uptime”, make sure the provider can supply documentation of previous uptime performance. Push for a performance guarantee.
By the way, a 99.5% uptime guarantee means you might reasonably expect to be without access to your data for almost two days (about 44 hours) out of the year. It doesn’t sound so great when you put it that way, does it?
One benefit of Software-as-a-Service is that companies can move some of their help desk and support burden over to the SaaS provider. While this includes the traditional pairing of support calls and bug fixes, SaaS vendors should also offer additional support services such as password resets and other system health-related checks.
Always make sure the vendor specifies what types of support you can expect (such as text, email, phone support, or online chat) and which users will have access to that support (management, base users, supervisors, etc.).
While Software-as-a-Service is an excellent option for many businesses, there are pitfalls along the way that must be dealt with. The security of your company’s data is of utmost importance, and any concerns you have must be dealt with before agreeing to any contract with a SaaS provider.
Make sure all of your concerns are addressed before signing on the dotted line. Pay close attention to every security-related consideration, treating each concern with the utmost care. By doing so, you can feel confident that your valuable data is in a safe haven!