Traditional installed software is hosted and managed internally. Applications run on the customer’s computers and the data is stored on the customer’s infrastructure, which is managed by the organisation’s IT department.
With SaaS, the software is hosted on, and accessed via, the internet. All of the customer’s data is stored on infrastructure within the service provider’s data centre. In some instances, the SaaS vendor will outsource the hosting to a specialist data centre. It is of paramount importance to the customer that data confidentiality, integrity and availability (CIA) is maintained wherever the data is hosted or accessed.
While the SaaS model offers significant advantages over on-premise, it does carry potential risks that must also be considered. The SaaS user needs to know that all possible steps are being taken to safeguard customers data. The SaaS provider needs to reassure customers that their data is in safe hands and can be retrieved in a useable format when required.
SaaS can be a daunting prospect from a security perspective but the issues cannot be ignored. Organisations looking to adopt SaaS applications will need to examine their appetite for risk in the context of their other business drivers and data security requirements applicable to its industry, particularly FSA requirements for regulated financial services business. The potential for the involvement of a number of different organisations in delivering the service brings with it increased loss of control data. SaaS providers will be required to take adequate steps to ensure the protection of client data. For SaaS providers this is mission critical and is generally taken very seriously to the point where data security is as important, if not more so, than the SaaS product itself.
At the moment SaaS vendors have no common security standard to sign up to other than ISQ 27001. This internationally recognised security management standard helps providers implement a security management system in their organisation. However, this standard revolves around a risk assessment carried out by the organisation itself. It is not a guarantee of security, and if your provider has a high appetite for risk, then greater risks to data will remain. The onus is on the customer to assess how safe their information is and to obtain suitable contractual guarantees on the location processing and protection of its data.
Backup and failover
The SaaS vendor should back customer data up at least once a day, preferably more often, and then move and store a backup of that data safely elsewhere, out of their data centre. The length of time that the backup should be stored will depend on the value of the data, and on legal and regulatory requirements applicable to the customers. Should the SaaS vendor’s data centre be destroyed, or simply go off line for a while, there should be another data centre on standby, not with just the replicated data but also the capacity to run the application so that your business is not disrupted.
Communication between your workstations and the system should be encrypted so that data travelling over the public internet cannot be intercepted and read. This is normally done using a technology called SSL (secure socket layer) between your browser and the application.
Customers need to be sure data is not accessed by anybody other than those in your organisation who are authorised to do so, and that the obligations of confidentiality with customers, prospects and suppliers whose details you hold are not breached. A written procedure should cover who in the SaaS vendor’s organisation can access customer data and what they are able to do with it. General safeguards should be in place to protect its security.
Putting it in perspective
Although a reputable SaaS vendor should provide all of the above, it is worth contrasting this with your in-house security and compliance before becoming unnecessarily worried about storing your data outside your organisation. If the server with your in-house system fails then most companies, not having standby facilities, will be without that application for a day or more. Has anyone checked that your backup system is working by attempting to restore the data kept in-house? Are backups taken every few hours? It is widely accepted that most data theft originates from within an organisation, often by disgruntled employees, and most SaaS systems do not hold data locally on laptops that can be left in taxis. For most organisations a reputable SaaS vendor may well protect their data better than that kept in-house.
Finally questions you should ask a SaaS vendor should you wish to end the contract who owns the data? Can you transfer, download to in house servers? Do you have the software to make use of your data? If you move from one vendor to another will the vendor losing the contract assist with transfer? Will your data format be compatible i.e. be in a format the new vendor application recognises?
Next article Legal issues to consider The SaaS business model is relatively new, but most of the legal considerations are well recognised, albeit that some aspects have developed from consumer services, which were far less likely to be challenged by the customers…