by Chris Magill on February 2, 2017
As more enterprises undertake digital transformation, cloud services and solutions are one of the top technology investments that CIOs plan to make this year. Yet security and privacy remain the top concern for CIOs going into 2017. This doesn’t mean that CIOs should rethink their strategy, but it does reflect the need for thorough vetting of security for any cloud services or solutions IT buyers plan to add to their portfolio.
Here are three questions to ask when assessing SaaS software to get a clearer picture of security:

Has the company submitted itself to independent assessment, and are they willing to share the results with you?
This first question is a big one, because it not only demands that the SaaS service meets the top security criteria available, but also shows how transparent the company is willing to be when it comes to security issues.
There are at least two assessments we require for any SaaS service that we approve of for employee use here at Smartsheet (and we hold our own service to these assessments as well):
If their answer is yes, and it should be, ask if they’re willing to share the results of those assessments. What you want to learn here is the results of the assessments, any weaknesses that they demonstrated, and what the company has done to respond to those findings. A few follow-up questions to ask: If something goes wrong, and there’s a threat to security, when and how will the company notify you of an incident? How will they work with you to resolve it?

Was the service designed with security in mind?
When assessing SaaS companies, find out if the product was designed with security in mind, or if it’s a bolt-on. Look for software with security built in early on; otherwise, developers are spending their time plugging holes rather than building a great ship.
Find out if the software was designed with intrusion prevention built in and engineered with the ability to block malware from executing, or if there’s a third-party control, or if it’s up to you as the customer to take on security controls. Aftermarket security is a risk you should think hard about. Giving third-party vendors access to your network and data can have weighty consequences.

Is there redundancy in their data recovery?
In addition to verifying transparency and data security, it’s critical to find out if there is redundancy in the SaaS company’s data recovery. Are there multiple paths to disaster recovery? Does the company have an API available for you to run your own backups? Will you have the ability to create your own backups on-demand or on schedule? In addition to your own backups, are there retention copies that the SaaS company makes on your behalf in case of disaster?
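As an added illustration of the backup questions above (this is example code written for this page, not Smartsheet's own code or API), the routine below shows what running your own scheduled backups against a vendor export looks like in practice: each copy is hashed on capture, a restore test confirms the copy still parses before it is trusted, and copies older than the retention window are pruned without ever discarding the newest one. The `fake_export` function and the 30-day retention value are assumptions standing in for a real vendor export endpoint and your own policy.

```python
"""Independent SaaS backup routine (added example, not from the original post).

Assumes a hypothetical `export` callable that returns the tenant's data as bytes;
in a real deployment that callable would wrap the vendor's export API. All sample
data here is constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30  # assumed retention policy for the copies we keep ourselves


def fake_export() -> bytes:
    """Constructed stand-in for a vendor export API call."""
    return json.dumps({"sheets": [{"id": 1, "rows": [["a", "b"], ["c", "d"]]}]}).encode()


def take_backup(store: dict, export, now: datetime) -> str:
    """Pull an export, record its SHA-256 at capture time, and file it by timestamp."""
    payload = export()
    entry = {
        "data": payload,
        "sha256": hashlib.sha256(payload).hexdigest(),
        "taken": now,
    }
    key = now.strftime("%Y%m%dT%H%M%SZ")
    store[key] = entry
    return key


def verify_backup(store: dict, key: str) -> bool:
    """Integrity check plus a minimal restore test.

    A backup you have never tried to read back is not a backup, so we both
    re-hash the stored bytes and confirm they still decode as the expected format.
    """
    entry = store[key]
    if hashlib.sha256(entry["data"]).hexdigest() != entry["sha256"]:
        return False  # bytes changed since capture: corrupted or tampered
    try:
        restored = json.loads(entry["data"])
    except ValueError:
        return False  # unreadable copy would not help in a disaster
    return isinstance(restored, dict) and "sheets" in restored


def prune(store: dict, now: datetime, retention_days: int = RETENTION_DAYS) -> list:
    """Remove copies older than the retention window, but never the newest copy.

    Returns the keys that were removed so the job can log them.
    """
    cutoff = now - timedelta(days=retention_days)
    newest = max(store, key=lambda k: store[k]["taken"])
    expired = [k for k, e in store.items() if e["taken"] < cutoff and k != newest]
    for k in expired:
        del store[k]
    return expired


def run_backup_job(store: dict, export, now: datetime) -> dict:
    """One scheduled run: capture, verify, then prune. Returns a small status record."""
    key = take_backup(store, export, now)
    ok = verify_backup(store, key)
    removed = prune(store, now)
    return {"key": key, "verified": ok, "pruned": removed, "copies": len(store)}


if __name__ == "__main__":
    store = {}
    start = datetime(2017, 2, 2, tzinfo=timezone.utc)
    # Simulate nightly runs over 40 days to watch retention take effect.
    for day in range(40):
        status = run_backup_job(store, fake_export, start + timedelta(days=day))
    print(status)
```

The status record returned by `run_backup_job` is what a scheduler or monitoring hook would alert on: a run whose `verified` flag is false means the vendor's export changed in a way your restore path no longer understands, which is exactly the failure you want to discover before a disaster rather than during one.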
From Assessment to Purchase
The answers a company gives you to these questions, in addition to any specific requirements questions you have for them, will help give you a clearer picture of whether you would like to bring them under your IT umbrella and roll them out across your organization. Listen carefully, and make sure you really understand what it would mean to your company to rely on that SaaS vendor.
Source: Smartsheet Blog