Flexera
Understand these security protocols when evaluating SaaS

The shift from on-premises software to cloud-based platforms is accelerating. According to a recent report by the Intel Security Group, IT professionals surveyed expected 80% of their IT budgets to be dedicated to cloud solutions by the end of 2017.

With the shift in platform location comes a shift in security practices. Businesses that primarily use cloud applications no longer run the hosting-layer controls involved in supporting on-premises software: patching servers, securing data centers, and maintaining network perimeters now belong to the provider.

That doesn't mean security protocols have disappeared from the scene, and it doesn't mean the customer's responsibility has disappeared either. The work of creating, managing, and updating those hosting-layer protocols has moved to the provider, while the customer still owns who can log in, how the service is configured, what data goes into it, and which providers are trusted with that data. SaaS customers therefore have a different responsibility now: setting their own security standard for any SaaS platform they purchase, and asking the right questions upfront to verify that the provider's measures meet it.

With 36% of the same survey's respondents reporting a shortage of cybersecurity skills, the vetting process is often handled at least in part by non-IT staff. So what are the key questions to ask about a SaaS platform's security measures? Here are a few security protocols to get you started:

Incident Response Plan

A SaaS provider's incident response plan is a solid indicator of how seriously the provider takes security. It should cover sample situations such as an account compromise, a data breach, or a prolonged outage, along with the order of operations in the event of an incident. Which team at the SaaS provider responds? How is the incident communicated internally and to customers, and within what time frame? Who does what once the incident is contained? Ask whether the plan is exercised (for example through periodic tabletop drills) rather than only written down; an untested plan tells you little. There should be no doubt in your mind as to what will happen in the event of a major incident.

Notification Procedure

In the event of an incident, SaaS providers should have a notification procedure to alert customers and partners of the situation and what to expect next. Many providers have a standard notification procedure for the majority of customers and partners; a smaller group of customers may have a custom notification procedure written into their contract as an added channel of communication. Whichever tier you fall into, get the committed maximum notification window, the contact method, and the named escalation contact in writing, because regulations such as the GDPR impose their own breach-notification deadlines on you as the customer, and you cannot meet them if the provider notifies you late.

Privacy Policy

The privacy policy should clearly state what information the SaaS provider captures, what it does with that information, whether it is shared with third parties, and under what circumstances. Any policy should adhere to the regulations that apply to the data you will put into the service, such as HIPAA for protected health information, the Fair Credit Reporting Act (FCRA) for consumer credit data, and the GDPR for personal data of EU residents. One caveat: a public privacy policy usually describes how the provider treats visitors to its own website and marketing contacts. The terms that govern your business data as a customer are normally in a separate data processing agreement or the service contract, so ask for that document as well.

Third-party Certifications

Certifications and third-party attestations are a compact way to show that a SaaS provider meets a defined set of security requirements. Rather than asking a whole list of security questions, you can ask whether the provider holds well-known attestations such as PCI DSS compliance (including the specific merchant or service-provider level), an ISO/IEC 27001 certification, a TRUSTe privacy seal, participation in the EU-US Privacy Shield for transatlantic data transfers (since invalidated by the Court of Justice of the EU in 2020 and replaced by the EU-US Data Privacy Framework in 2023), and Service Organization Control (SOC) reports, where a SOC 2 Type II report is the one that speaks to security controls operating over a period of time. Two cautions apply. First, "SSL" is not a certification: a valid TLS certificate only shows that traffic to the service is encrypted in transit and that the provider controls its domain name, which is a baseline, not evidence of a security program. Second, a logo on a web page is not the attestation; ask for the actual report (SOC reports are typically shared under NDA) and check its scope, date, and any noted exceptions, since a report covering only a subset of the service or the wrong data center tells you little about the product you are buying.

Formal Review of Security Policies

Frequent, regular updates to the overall security policy are an absolute must. A SaaS platform may check all the boxes at the time of purchase, but if the provider doesn't regularly revisit its security policies, it will fall behind the curve. Changes in online security happen at lightning speed, so the provider must demonstrate constant evaluation. Concrete things to ask for: when the policy was last reviewed and who approves changes, how often vulnerability scans and independent penetration tests are performed, and how quickly critical patches are applied to the production environment.

If you're not in IT and don't know the appropriate answers to these questions offhand, approach it this way: ask your IT or security staff to help you create a checklist ahead of time. They can tell you what the optimal answer looks like versus the minimum acceptable one, and point out security measures (or the lack of them) that would be unacceptable for your business.

And remember: cloud computing companies should take security just as seriously as you do. One highly publicized data breach could tarnish their reputation for good. If you get the sense that rigorous security measures aren't a priority, it's time to move on.