My, how times change. It seems like only yesterday I was testing to see if my COVID was going away. Wait, that was yesterday. (I feel much better now, thanks.) We were asked recently to weigh in on whether a SaaS (Software-as-a-Service) provider was serious about security. The provider? Evernote. Remember them?
Do you remember, in the years before we would all be trading sourdough bread recipes, when we first started moving to the cloud? Most of us started with email. We subscribed to Microsoft or Google, in part because we knew they were serious about security.
As the years passed, we liked our cloud email arrangement and started looking for other applications we could move to the cloud. Payroll, expense reporting, time tracking, hiring, document storage, note-taking and more. What we considered novel back then we see as commonplace today. We have relocated much of our digital landscape to the cloud.
Along the way, we learned another lesson. We must continue to be serious about security. We cannot outsource security management. At least, not completely. Why? Because security matters across our entire network. (See: Zero Trust.)
Is Security Integral to Your SaaS Provider?
There is another reason why we learned to be serious about security. Because SaaS providers did not always build security into their services. We started seeing news reports about security breaches. The Node.js vulnerability showed us that we could not take open-source software security for granted.
When I worked in Product Management for a SaaS provider, a colleague who ran the service delivery network took me aside early on. He implored me to be serious about security. He told me that security is not something you bolt onto a service. You must consider security at every level as you build out the service. It was a valuable lesson.
Early in the era of Bring Your Own Device and Bring Your Own Apps, SaaS providers focused on two things.
- Customer acquisition.
- Customer adoption.
People talked about “reducing friction” related to the purchase process. They talked about going directly to consumers (and bypassing IT). Do you know what they did not talk about? Security.
Why be serious about security? That only mattered to IT. Besides, making an application more secure usually meant making it more difficult to use. And providers were all about reducing friction, remember?
What resulted were applications that lacked security entirely, or that left security decisions to the user.
Look for Signs That Your SaaS Provider is Serious About Security
Fast forward to today. We want to run our applications in the cloud. However, we know being secure means more than just where an application is hosted. We need to know that the SaaS provider is serious about security. How can we discern that?
Sometimes it is easy. The provider will tell you they are serious about security. They will list various security standards (NIST, SOC, FedRAMP, etc.) and describe in detail how they comply with those standards. This is a good place to start when you want to confirm that your SaaS provider is serious about security.
In other cases, you must dig a little deeper to judge whether a provider is serious about security. Here are some clues to look for.
- Does the provider talk about how they build security into their software development process? Is there a DevSecOps (software development security operations) team? Do code reviews include security considerations?
- Has the provider suffered security breaches before? How did they respond to the breaches? What did they do to ensure customer data was not compromised? How did the provider change their procedures in response to the breach?
- A provider who is serious about security will encrypt your data. In transit and at rest. Using industry-standard encryption protocols.
- Check to see if the provider hosts your data on its own servers or via a public cloud provider. Think Amazon, Google, Microsoft.
- Does your provider back up your data regularly?
- What do your peers say? Do they have evidence that the provider is serious about security?
You Have the Power to Choose
Happily, there is a competitive market out there for any SaaS application you might consider. Look for service providers that can show you they are serious about security. You cannot specify how service providers deliver a secure service. That is a good thing. That is the headache you outsourced in the first place. However, you can vote with your budget. Choose providers who show they are serious about security.
Trust me. They will notice.