Cyber security is a simple enough subject to discuss, and implementing an organizational cyber security policy can be reasonably straightforward, especially when the infrastructure is your own to manage.
However, when it comes to Software as a Service (SaaS), this simple problem becomes a complicated mess if your SaaS vendor is not clear about their cyber security policies. So before making a purchase decision, I recommend evaluating vendors on their ability to address security as well, not only on features and price.
Let’s see what questions arise from a security perspective, taking the classic confidentiality, integrity and availability properties in turn:
- Confidentiality – data stored within the organization can be protected by access control systems like Active Directory or LDAP, and data at rest can be encrypted. Does your SaaS vendor store your data in encrypted form? Encryption at rest only limits exposure if the keys are kept separate from the data, so ask who holds the keys. Can employees of the SaaS vendor access your data in any way, and is that access logged and reviewed?
- Integrity – data integrity means your data is neither altered nor lost except through changes you authorize, and that it is effectively indestructible unless you delete it yourself. If you remember the GitHub mishap, you will know what I am talking about. In SaaS you access the data via a web interface, so a network disconnection in the middle of a transaction may leave your change only partially saved. Does the SaaS provider keep backups it can restore from, how old can the restored copy be, and can it roll back an incomplete transaction?
- Availability – in SaaS you depend on the vendor not just for access to the data, but also for the service that processes it. Most SaaS vendors store data in a proprietary format, making it hard to work with offline or to move to another provider, so ask whether you can export your data in a documented format. If the vendor’s servers are down or too busy to serve requests, you will be unable to use the service when you need it. What downtime should you expect from the vendor? Will the vendor give advance notice of downtime for maintenance or upgrades? Will the vendor sign a service level agreement? Is it possible to get a dedicated instance of the service, so that even when the vendor’s shared SaaS platform is down, you are unaffected?
With these points we have only scratched the surface of the security questions you need to ask your SaaS vendor. There are many others: does the vendor perform vulnerability assessments and penetration tests of their software and network infrastructure, and will they share the results? There are also questions of regulatory compliance, e.g. if the vendor provides payment solutions, are they certified against the payment-card compliance standard that applies in your jurisdiction? But the questions discussed above are basic and general in nature and apply to a SaaS vendor of any kind.
Finally, if you choose to host the software on your own server instead of relying on a SaaS vendor, the responsibility for securing that server is entirely yours.