Software-as-a-service (SaaS) is a highly-scalable and cost-effective solution for software deployment, which offers huge potential to deliver high value services for end-user organizations. Although SaaS has certainly proven itself as the future of software deployment, some companies still hesitate to choose a cloud-based solution for their treasury management for security reasons. When implemented correctly, SaaS is as secure as, if not more secure than server-installed software. However, as with any technology roll-out, you need to ensure that your vendors and partners implement the most stringent security standards.
In this post, I would like to give you some tips about some of the main security questions you should ask before choosing your SaaS solution providers.
Will my data be well managed?
First of all, the main key to creating a highly secure system is to define a human process including checkpoints and periodic audits. It is what is proposed by SOC/SSAE16 audit standards.
The Statement on Standards for Attestation Engagements (SSAE) No.16 (formerly SAS70) is the first step for a third party organization to be compliant with AICPA’s auditing standards. An audit conducted under SSAE16 will result in a Service Organization Control (SOC) 1 report. SOC1 reports focus only on controls at a service organization (like a SaaS provider) which could be involved in the audit of a customer’s financial statement. In other words, SOC 1 is focused on financial services providers.
There are two types of SOC 1 reports :
- The SSAE 16 type 1 report is an independent third-party opinion on the service provider organization and activities.
- The SSAE 16 type 2 report: from the type1 report, auditors and the company will define control criteria and objectives. After that, the service provider will be audited and will have to provide the proof of the achievement of the control objectives at any given day of the year.
This audit process is an important investment for SaaS providers but also for their suppliers. All the processes and the control points have to be documented. This is the minimum requirement to build a confident relationship with your treasury management system provider.
In addition, it is becoming more and more common to request a SOC 2 report. Indeed, if a SOC 1 report provides information and assurance relating to the financial control environment, a SOC 2 report is focused on five principles: security, availability, processing integrity, confidentiality and privacy. These points are critical for today’s companies, but they could be already partially controlled in the SOC 1 report.
If your SaaS provider has been audited, it should be able to provide you a copy of the SSAE/SOC reports under NDA (because this document contains a very detailed description of the organization).
As well as providing a level of comfort in its own right, SSAE/SOC audit certification gives a distinct advantage to SaaS solutions over over on-premise software providers, as there is no audit for legacy vendors’ security processes and their development processes. SSAE/SOC delivers a high level of assurance of transparency for the client.
Will my services always be available?
The first important information you should ask your SaaS provider is “Where is my data located?” This question is important to determine if your confidential data is protected by the legal framework of the host country. If you are a European company, your data should be hosted in Europe and if you are an American company, your data should be hosted in the U.S.
Then, another important question is to define if your services will be available and as well protected as in your own servers?
To protect you, you’ll need to define the best contractual indicators which are the Service Level Agreement (SLA), the Recovery Point Objectives (RPO) and the Recovery Time Objectives (RTO).
- The SLA defines the availability time of the services. Today, the professional standard SLA is at least 99.9% (like Google’s services), i.e. 8.76 hours per year, 43.8 minutes per month, 10.1 minutes per week (except for usual maintenance)
- The RPO is the amount of acceptable data loss and the point to which the data must be restored. Today, the professional standard RPO is no more than 30 minutes
- The RTO is the amount of time it takes to be available again for clients. Today, the standard RTO is no more than four hours
These indicators have to be checked for all your strategic SaaS solutions.
There are also important questions you need to ask:
- If your service provider is renting its servers or doesn’t operate them directly, are its suppliers bound by contract to the same commitments? What other companies use your vendor’s hosting provider?
- If you decided to choose an on-premise solution, are you sure your information system equipment complies with these standards?
Certain SaaS providers achieve very high service quality (SLA, RTO, RPO) by using an active/active backup configuration in their datacenter. It means each server is duplicated using a fiber connection. In this backup configuration, servers from data center A are duplicated on a second infrastructure into the datacenter A and at the same time to data center B. The same operation is done with data center B to data center A.
As you can imagine, these advanced technologies represent a huge investment and it’s very difficult for a single company to develop this quality of services for economic reasons.
Will my services be secure?
For me, the previous questions are part of this final question. But it’s important for you to check some important commitments :
Your strategic SaaS solution has to offer you strong authentication features. Today, the common standards are dual factor authentications. In this case, the service can enroll a second authentication phase involving a “one time password” (OTP) mechanism which is generated by the service provider and can be done through various means, including SMS or USB tokens (such as the Yubikey which is tested by Google).
Your software provider has to be equipped with a firewall, which should include at least an intrusion prevention system. This feature detects malicious activities and blocks them automatically. The Gartner Magic Quadrant for network firewalls provides useful information on which may be the most suitable for your needs.
The best assurance of service security requires vulnerability assessments and intrusion audits. Your service provider has to be audited at least once a year by a best-in-class company. You can find an overview of service providers in this space in the Gartner Marketscope for Vulnerability assessment.
To conclude, there are a lot of other technical features to be considered like the encryption of the connection (SSL protocol) or multi-tier architectures but I just wanted like to give you an overview of the main security tips. Feel free to contact me if you would like information on other features.