When evaluating Software as a Service (SaaS) solutions one of the most important things to consider is security.
Our customers usually ask about security as part of their evaluation process. We thought it would be interesting to compile our list of the top 5 questions to ask. When using a SaaS solution your information will pass through several systems. Your data will be passed from an application front end (often a web browser), across the Internet to a server in a data centre where it will be stored. Each step in the process has risks associated with it. Each risk has precautions that should be used to mitigate it.
1. What security features are built into the application?
The provider should be able to explain how the authentication (to identify who a user is) and authorization (to identify what a user is allowed to see) systems work within their application.
They should also be able to explain what audit systems are in place, so that there is a way to determine how changes to your data occurred.
They should also be able to give details of how they perform Quality Assurance (QA) to test the security of the application.
2. How is communication across the Internet secured?
Any sensitive data should be transferred using HTTPS rather than plain HTTP. HTTPS encrypts the traffic, so a third party who intercepts it cannot read your data. The HTTPS protocol requires an SSL certificate from a provider such as Thawte. SSL security costs are a small price to pay in order to keep your data secure.
3. How secure is our data on your servers?
Using a SaaS provider usually means that your data will be held in a location that is not under your direct control. The provider should be able to give assurances about the standard of security they adhere to. This information should include:
• What system testing is performed to ensure the data is secure?
• How do you track who has access to our data?
• What policies and procedures are in place to ensure that data is disposed of securely?
• What physical controls are there to limit access to the data centre where our data is held?
• Where is my data physically held?
You should be aware of what data privacy laws exist in the country where your data is held, and your company may have rules about what data can leave the country.
4. What accreditations do you have?
Accreditations show that the provider takes security seriously and has been audited by a third party.
There is a range of accreditations relating to the security standards in place. For example, ISO 27001 for Security Management, ISO 20000 for Service Management, and BS25999 for Business Continuity and Data Recovery. You can also ask what other customers they have that may require a high level of security; for example, the UK Government ranks services according to the sensitivity of the data they are cleared to hold.
5. What is your Disaster Recovery Plan?
Although we hope a Disaster Recovery (DR) plan never has to be carried out, it is important that one is in place. Understanding the DR plan ensures you can assess the potential impact on your business.