SaaS Solutions & Security – Don’t fear the unknown
When choosing a SaaS solution for your business – beyond being functionally compliant with your requirements – the solution needs to be security compliant, and some would argue that you need to lead with security by design as a key development principle.
The challenge that many organisations face in pursuing a SaaS solution for their business is they ‘don’t know what they don’t know’. In some cases the resistance to utilising a cloud-based service or product is just fear of this unknown – yet in others, the feeling of insecurity is well founded. There are many publicised examples of data breaches, which will always cause great concern – and rightly so. In almost all of these cases, penalties are imposed and remedial action occurs; however, the scars remain and the reverberation of the impact through the SaaS industry takes a long time to settle down.
You may have heard lines such as: ‘It’s easier to control the flow of information within the four walls of the building, so that’s the way it needs to stay’. This ignores the fact that such a practice is highly likely to inhibit the growth of your company and, over the years, leaves you reliant on deprecated software solutions that can’t easily be upgraded, modified or integrated with in order to deliver efficiencies. Also, unless your business is completely disconnected from the internet and external systems, it’s likely you face the same security issues anyway.
The role of security teams has shifted in a very short space of time – from the days of password compliance, firewall rules and identity access management – to a new world with a significantly increased attack surface. My focus for this article is related to cloud software, although it’s important to acknowledge this area represents one cog in a large and complex mechanism of risks to be managed by the IT security team of today.
The modern workplace now requires a proliferation of access that extends beyond the four walls of the building: access via smart devices from any location in the world, email in the cloud, software in the cloud, and cloud vendors talking and integrating with one another – without the need to come back into your organisation for ongoing support from your own resources.
To govern these externally supported functions, there is now a growing range of compliance requirements across the globe for organisations handling data. There is GDPR in Europe, CISA in the United States, and the local Australian Signals Directorate, to name just a few. Frameworks such as NIST (National Institute of Standards and Technology) are increasingly being utilised as well.
As a business leader, you do not want to repress your business’s growth, but at the same time you want to ensure compliance and adherence to both policy and best practice. Each business and its requirements are different; however, there are a few foundational steps to get started with:
How can you approach this at your business?
IT Security Team – start with this area. What company policies and frameworks are in place for engaging a SaaS vendor? If there aren’t any, this may be the genesis for establishing a robust approach. Consider going back to the SaaS vendor and asking what best practice looks like among their other clients – a good ‘partner vendor’ will be able to assist you either in establishing these from scratch or in reviewing and improving your existing work.
Architecture – What’s in place today by way of other products in the business from which precedent could be drawn? Again, it is in the interest of the SaaS vendor to support these conversations; many will have had this conversation before and will therefore be able to assist.
Data Classification – Has the exercise of data classification been undertaken in your business? Is there policy for: data that needs to reside within the business; sources of truth; updating data; sanitising and de-identifying data; handling customer data versus asset data?
Do you understand the impacts of ‘data sovereignty’ and its implications for your business? Many of our customers operate in a regulatory environment where requirements for SaaS vendors to store data onshore may also be mandated. For the Australian market, further compliance obligations from bodies such as the Foreign Investment Review Board (FIRB) exist to ensure sovereignty and could be applicable.
While these can seem daunting to a business user, leading with the security question and engaging the IT Security team early in the selection of a SaaS solution can save a lot of headaches later.
How can you approach this with your potential SaaS vendor?
A good starting point is to investigate their website. Are they transparent with security information online? Have they provided enough information for you to point your IT Security team to the appropriate page so they can draw a level of confidence in both vendor and solution?
If you have selected a preferred SaaS solution, here are some starting points to ask your vendor about the product itself:
- Where is data stored?
- What logging is available for data changes?
- What alerting is built in for data changes?
- How is data accessed via third parties and what measures are in place to manage/monitor this?
- How is user access managed and what measures are in place such as Multi Factor Authentication (MFA), to mitigate against unauthorised access?
- What permissions exist within the product to restrict access to data or modules?
- How do you version control your data?
- How is your data encrypted at rest and in flight?
- Where are your development and support teams located and what access controls are in place?
While the considerations and questions above will give you a lot to think about internally and to discuss with a potential SaaS provider, the topic of SaaS security is much larger than can be fully addressed in this (or any) post; the content above is intended to provide a flavour.
Don’t let the unknown (or the fear of it) impact the ability of your business to grow, adapt and overcome. The nature of the modern business world is that Darwinism has a very real impact on any organisation’s success and longevity. Any business that heeds advice recommending ‘doing things as we always have’ runs a real risk of irrelevance over time. Get educated and informed regarding SaaS solutions – and the security implications for your business – and then make an informed decision regarding the opportunities they present.
Across our customer base, both ‘SaaS acceptance’ and security by design are more prevalent as focus areas in larger organisations – and we have built our solutions accordingly. This, of course, means our smaller customers benefit from the inherent framework and policy compliance, and can learn from the challenges we have already faced and overcome. Feel free to talk to us about your current challenges, and how the IOP may be able to help you remain relevant, successful and compliant – as an industry leading SaaS vendor, we take this seriously.
Collaboration in your organisation can start today with a tactical but strategically scalable solution, the Intelligent Operations Platform (IOP) from Dusk Mobile. The IOP is an industry leading collaborative work management platform. It connects your staff on any device, any time and in any location. Integrate your favourite products quickly and easily for real time collaboration amongst your teams.
Automating work functions and delivering a connected experience has never been easier and achieving productivity improvements can start tomorrow.
A great program management tool will provide a customer with an easy way to build automation into their daily work management processes. The creation and management of these should always be via a user-friendly (and ‘No Code’) interface, allowing business users to maintain and evolve the automation without the need for additional IT or development costs.
Avoid solutions that increase the support overhead on your IT department to maintain them, or (worse still) embed a dependency on the provider to deliver ongoing additional professional services to keep up with your evolving needs.
So how do you get started? Speak to the team at Dusk about our experience in delivering our collaborative work management SaaS solution to your business. Using bite-size deliverables and incremental change, your business can transform progressively, with clean, secure integration and a polished user interface to design and build your baseline quickly.
This leads to improved productivity and visibility for your workforce. Connect to your existing systems to create an all-of-customer view that can be shared between all authorised parties.
If you’d like to find out more on visibility, consistent messaging, workflows, automation with project management and easy integration for your teams or business, get in touch today with our friendly team.
Any questions: Our community is here to help in the Support & Updates area!
Try a 30 day free trial of our Intelligent Operations Platform and start seeing the benefits of automated workflows, informed decision making and a single, comprehensive view of your business in real time. Start collaborating today.