In recent years, software-as-a-service (SaaS) has emerged as a viable application delivery method, and most enterprises are now including some SaaS software in their portfolios. SaaS saves IT infrastructure and maintenance costs, not to mention the hassle of initial deployment, integration and customization common with licensed software.
However, SaaS brings with it a unique set of challenges for those responsible for security. The most important shift is looking at your software vendor not as a product company, but rather as a service provider. Sound vendor management practices dictate that any third-party software is at least as secure as in-house packages. This guide will help you compare your organization's risk management and compliance priorities to the SaaS provider's security policies and procedures.
When you convert to SaaS, your data is transported across the Internet to the SaaS vendor's site. If the vendor's application is not secure, your critical business information could be exposed to anyone able to take advantage of such a vulnerability.
Unfortunately, some SaaS vendors who become aware of a security flaw in their service may not immediately patch it. If a security fix can be made on their server without a client patch being necessary, some vendors may never alert you that there was a problem at all.
Of course, many SaaS providers rise to the challenges of providing secure and reliable cloud-based services. However, as the person responsible for the security of your enterprise data, you need more than faith as assurance that they will follow through on their best intentions.
The checklist when negotiating terms with a SaaS vendor should include:
Finally, remember that software is secure only when it is built that way. When choosing a SaaS solution, be sure the vendor's application has been checked for vulnerabilities, so that it is secure enough to hold its place in today's distributed software portfolios.