If you take a good look at your SaaS vendor selection process today, is cloud security on your checklist? Or, does your checklist consist of all the shiny features you’d like to have?
The SaaS model makes it easy to sign up and get going—with free trials and integrations with your favorite applications. While it is important to evaluate if the solution solves your business problem, it is just as important to look beyond the core features.
SaaS vendors range from a couple of guys operating out of a garage to full-blown enterprises. During the startup phase, the focus is on getting a workable product out to the market with the intent to “shore up” the product when they have a few customers that have kicked the tires.
Unfortunately, security ends up taking a backseat. Failure to evaluate security features with these vendors can mean major trouble for businesses, both short term and long term.
As just one example, we’ll use cloud-based RFP software solutions.
Say your SaaS provider has an outage when you have a request for proposal deadline looming. You have no way of retrieving that data, and you don’t have it backed up, because you entrusted your SaaS vendor with everything.
By the time your vendor is up and running again, it’s too late. You missed out on submitting your RFP responses and lost millions of dollars in potential revenue.
Focusing on a tool’s exciting features during SaaS vendor selection is alarmingly common. Enterprise companies will typically bring in their IT department when choosing a SaaS solution, but frequently companies operating with smaller teams miss this important step.
It’s never too late to optimize your vendor selection approach, whether you’re just establishing security measures, or strengthening existing processes.
Here are a few cloud security questions worth asking when you’re evaluating SaaS vendors.
#1 What is your disaster recovery plan?
Most SaaS vendors have a disaster recovery plan, but not all plans are created equal. Some mistakenly believe taking regular backups constitutes disaster recovery.
Make sure your SaaS vendor has a solid plan that covers a recovery timeline, routine testing, and geographic isolation. In other words, if there is a tsunami, is that going to wipe out all of your data centers?
#2 What if you go out of business?
Often we think of catastrophic events in the form of natural disasters, but a vendor going out of business can do just as much damage. When comparison shopping, look into business viability and don’t be afraid to ask some tough questions.
If I invest all of my work, data, and history into your solution, is that safe? What is your fallback plan? Having access to that data is non-negotiable no matter what happens outside your control.
#3 Do you take my security seriously?
Okay, you don’t have to frame the question that way—instead you can ask if they have a proper security plan. Be careful when a vendor sidesteps security to focus on the shiny features. You don’t ever want security to be an afterthought.
If you find it difficult to know which security features are most important, bring in your IT department for guidance.
The security rundown might include:
- Encrypting data
- Secure data transmission and storage
- Access restrictions
- Secure practices
- Staff training
- Regular monitoring and scanning
#4 Who is responsible?
Accountability is a big one, because you want to know who you are dealing with when a support request spirals into a data mess. Many vendors depend on others, and the finger-pointing can escalate quickly. This is the last thing any business wants to experience when there’s a problem, so be upfront to avoid a surprise down the road.
A storage solution managed entirely by the SaaS vendor is preferable, as mom-and-pop cloud storage companies can be unreliable. The accountability factor can speed up your selection process in a jiffy if a vendor fumbles over roles and responsibilities.
#5 How scalable is your product?
It is one thing to watch a flawless demo, or run through a proof of concept without a glitch. But can the application withstand what the real world throws at it? Unfortunately, it is tough to know the answer to this until the real world happens.
For example, if one of the other clients of the service provider executes a huge project, is that going to negatively impact security? It is smart—and absolutely appropriate—to inquire about how well the vendor can scale their product to meet demands, and how quickly those demands will be met.
Finding the right SaaS vendor should never be taken lightly, so always think of it as a collaborative decision.
While these questions will cover your cloud security bases, if you can, get your IT person involved in the process too. If you are unable to engage your IT department in vendor selection, you can still take these steps to ensure the vendor has a solid security footing.
What cloud security questions do you ask when you’re selecting a SaaS vendor?