6 Things You Should Look for When Selecting a Secure SaaS Vendor
May 29, 2019
5 minute read
Selecting the right SaaS vendors can prove instrumental in propelling your organization to the next level. However, that’s only one piece of the puzzle. You also need to select vendors with the right security measures in place.
This is especially true if you are giving them access to other SaaS applications that are critical to your organization or process sensitive information. Granting a SaaS vendor permissions is like granting access to an account shared by a group of users instead of just one—it dictates the need for more confidence and trust. After all, without proper security, even the best service rapidly loses value when its carelessness could ultimately result in your organization appearing in the headlines.
But how do you know if a SaaS vendor is secure? We sat down with BetterCloud’s Security Compliance Director Mosi Platt to find out. He shared some key things to look for:
1. The vendor presents certified alignment to an accepted security framework.
There are a number of different published frameworks (Trust Service Principles for SOC 2, CSA CCM, ISO 27001, NIST CSF, PCI DSS, CIS Controls) that outline guidelines and best practices to manage security risks. Alignment to a framework serves as the plan, but accountability is what ultimately leads to mature security programs. Third-party certification demonstrates accountability. It proves that a vendor has strong security practices in place—that they do what they say.
What security rules does the SaaS vendor follow? How are they managing those rules? Make sure their rules are based on an internationally recognized and accepted standard for security, such as ISO 27001 or the Trust Service Principles for SOC 2.
While an ISO 27001 certification says you meet specific security requirements, it doesn’t say how in the way a SOC 2 report does. It’s the rigidity of SOC 2 compliance that makes it an important consideration for choosing a SaaS provider.
2. Necessary compliance certifications are in place.
Depending on your industry or geographical region, various regulatory bodies have compliance guidelines in place (e.g., PCI or GDPR). Before using their product, you need to make sure that your SaaS vendor complies to avoid putting your organization at risk.
SaaS vendors can certify their compliance by providing a self-assessment or independent audit report. A self-assessment typically indicates a lower level of maturity in the vendor’s compliance or even the compliance requirements themselves (e.g., a new standard or regulation). A compliance report from an independent third party will provide you more assurance, but likely at a higher cost for the service.
3. There is a clear dedication to information security.
There are key qualities that demonstrate whether or not a SaaS vendor is serious about information security. For instance, having a dedicated security team with defined roles and responsibilities is a clear indicator that an organization is committed to accomplishing its security goals.
It is also important to know that they are taking steps to bring in the right people—employees who pass background checks, who don’t pose an insider threat. They need to be vetting and training their people. Ongoing educational campaigns, like simulated phishing attacks, instill a culture of security and help mitigate risks.
Access control is also a vital component to information security, and it cannot be an afterthought. Access control only works when precautions are in place to ensure that the right people have access to the right information when they need it.
Are they using secure passwords to protect their access so that no one else can impersonate them? Do they have a solid termination process that revokes access once people leave? Physical security matters too. Make sure the vendor controls access to any facilities housing your information.
Lastly, understand the vendor’s encryption policies. Encryption protects transmission and storage of sensitive information, and is a key component in making sure that you’re not disclosing information to people unnecessarily. It ensures that transmitted information can only be read by the sender and the recipient. Likewise, when data is being stored, it ensures that data can only be accessed by authorized individuals who have the keys to decrypt it. Is the vendor encrypting data at rest to protect information, even when it’s not in use?
4. The vendor’s operational security follows known best practices.
Do they have a good process for taking inventory of their assets? “You can’t protect what you don’t know you have,” says Platt. There should be a clear process for asset management and protection needs determination (i.e., what information needs very high protection and what doesn’t).
Change management is a key aspect here, especially when making system changes or releasing a new feature. Is the asset inventory updated with changes? Do they develop their product in a way that meets security requirements? How do they build security and privacy into new features?
Does a security design process exist? “For instance, we have an automated code review, so that when an engineer writes new code and they check it into our code repository, it automatically gets scanned for security vulnerabilities,” says Platt.
Can they provide backup copies of your information, so that if something happens (such as a ransomware attack), you can always get back to a known good state within a reasonable time frame?
Can they provide an audit trail of who’s actually using your systems? Audit logs can help you detect fraud and make sure there is no unauthorized behavior.
Finally, when issuing a patch to fix a flaw, a process should exist to identify when they’re available, while also making sure those patches are tested to avoid negatively impacting users.
5. They are taking the time to properly vet their partners.
Forty-four percent of data breaches are directly attributed to vendors. This should be reason enough to ensure that your SaaS vendor is taking precautions including legal and privacy agreements. What controls and processes do they have in place?
Third-party security reviews can play a key role here. “Anytime somebody at BetterCloud wants to use a new third-party tool that will have access to confidential or restricted information, our security team takes a review of who that third party is to make sure they have the right controls in place,” says Platt.
6. A clear plan is in place for incident management and business continuity.
No security program is perfect. However, when an organization has a repeatable process in place, it’s possible to manage those incidents without causing additional problems and making things worse. According to Platt, “Repeatable processes help avoid panic by providing an orderly strategy to make sure that everything gets back to a known good state.”
Business continuity is equally important. Are processes in place to make sure services are available when needed? Or when they’re not available, is there a repeatable process to get things back to where the customers need them to be? This could mean hosting the application in multiple zones and data centers to provide needed redundancy. These business continuity efforts make sure that no matter what happens, it’s possible to get the SaaS offering back to where it needs to be.
Final thoughts
Security isn’t a “nice to have.” It’s a necessity.
The decision to embrace security often dictates the health and stability of your organization. As such, you are unnecessarily taking your chances when you go with a vendor who fails to embrace security best practices.
Simply put, you get what you pay for. While free products might be cost effective in the short term, they often lack robust security processes. And no one wants to find themselves in a position where they need to explain that their data (or their customer’s data) was exposed because they selected a free product.
While it may require extra effort to make sure your SaaS vendor is actually doing what they say they do across these key categories, it is critical in order to protect your organization.
Our customers rely on BetterCloud to manage and secure mission-critical SaaS applications and the data inside them. BetterCloud is certified for a number of compliance standards and controls, and undergoes independent third-party audits to test for data safety, privacy, and security. Our security model is an end-to-end process, spanning application authentication and metadata storage, the hosting services that power our software, and employee data management and physical security.