Editor’s Note: Though it was first published in August 2018, the tips about choosing a secure SaaS provider shared in this post are still relevant today. We wanted to share it again for those who missed it.
Choosing—and remaining confident with—Software as a Service (SaaS) hinges on trust. Building that trust begins with asking the right questions.
That said, you may not be sure which questions to ask, especially when it comes to security. You’re pursuing a SaaS option so you don’t have to worry about the nitty gritty of security checks and balances yourself, right? The experts are going to do that for you. But that doesn’t mean that some education isn’t in order before you dive into life in the cloud.
Here are a few questions to help get your next conversations with a potential SaaS provider started.
1. How much focus do you put into your compliance credentials?
A good starting point for understanding any SaaS provider’s security qualifications is asking which compliance standards their technology meets. The SaaS company likely relies on a cloud computing platform, such as Microsoft Azure, to ultimately house their product. Odds are good that this platform has a handful of compliance achievements to their name.
For example, we built RelativityOne on Microsoft Azure to take advantage of its embedded security and privacy. Azure is trusted by more than 90 percent of the Fortune 500, and meets a broad set of international and industry-specific compliance standards, such as: ISO 27001, HIPAA, FedRAMP, SOC: Type 1 & 2, as well as country-specific standards like Australia IRAP, UK G-Cloud, and Singapore MTCS.
However, it’s also important to know whether the SaaS provider has pursued similar certifications on their own. As the developers of the software that’s managing your data—and as the e-discovery experts who are building solutions to support your specific needs—it’s critical that they’re writing, delivering, and monitoring that software with security in mind, continuously improving their product to thwart emerging threats.
2. How often do you perform penetration tests?
Penetration tests, also known as pen tests, are simulated attacks on a system. They are performed by authorized experts to evaluate that system’s security and identify vulnerabilities, making them an important component of a proactive cybersecurity strategy. After all, it’s better to have your own team finding any weak points before an adversary can do it.
You’ll want to understand your SaaS provider’s approach so you can have peace of mind in how your data is being protected. The goal is that these things simply happen in the background and don’t require any of your attention.
3. Is data in your platform encrypted both in transit (while it’s moving between users and servers) and at rest (when it’s stored in the cloud)?
A secure SaaS offering isn’t just about protecting data where it sits in the cloud—it’s about protecting it in motion, too. When your team is performing actions and moving data from user to server and back again, you want to make sure it isn’t vulnerable as it’s traversing those paths.
A cloud provider’s security structure should protect data where it rests—such as Azure’s Storage Service Encryption—while SSL, TLS, and HTTPS protocols will protect it as it travels. Make sure your SaaS provider has both layers of protection in place.
4. Who will have access to my data in your platform?
When you’re relying on SaaS, you’re relying on the team behind it keeping your environment up and running. Ask your provider who will have access to what data, and when. They should require your explicit authorization for access to your production environment, and any data stored for their purposes should be purged as soon as it’s no longer required. Backup data will require different types of access as well; actions should be audited and appropriately authorized at all times.
5. What types of information about my environment would be logged, and how long are logs available?
Good maintenance and business insight requires logging. What might be captured in those logs varies from infrastructure performance metrics to user actions, and the historical information will assist in monitoring the health of a cloud environment, make e-discovery processes more defensible, and evaluate what’s working and what isn’t.
Before investing in SaaS, you should know what to expect in terms of what types of information your team—as well as your SaaS provider’s team—will have access to, and for how long.
6. What is your incident response plan?
In the event of a security incident, you’ll want your SaaS provider to have a level head, a capable team ready to respond quickly, and an effective communication strategy. Ask your provider how they monitor for and flag incidents, and whether they have documented procedures for addressing them as they happen.
One good indication of readiness is their approach to tabletop exercises, in which their team gets together to discuss their response to a hypothetical incident, refamiliarize themselves with procedures, and identify any needs for adjustment. Conducting these exercises regularly is a good way for any security team to keep their policies fresh and top-of-mind, so make sure your SaaS provider uses them.