Corporate around the world are working on innovative ideas and building web based applications as they provide flexibility, low maintainability cost, rich functionality and adds up the benefits of its own. Companies offering services are also major player and they will stay in the market for very long time (as per survey).
Software as a service (SaaS), in particular, is playing out pretty well in today’s economy, according to IDC, which predicts the sector will see a 36 to 40 per cent growth in 2009.
Yet many organizations, especially at the enterprise level, worry about offloading corporate data to a third-party vendor. Will security risks increase? What happens when reliability begins to suffer? How can they access critical data/systems during an outage? These are valid questions, but many experts actually think that your data is safest with a credible third-party whose business in effect is (or should be) managing the security and reliability of data across many customers. After all, if a vendor screws up, it will lose revenue, customers and market share in a heartbeat.
Still, due diligence is imperative for any SaaS implementation. Here are 10 risk administering factors to consider when offering web-based software to your employees.
1: Identify a low-penalty area of the business to serve as your first SaaS project
The first time you enter an arrangement with a vendor to host software and data for you, avoid outsourcing a highly visible area of your business. If HR is not strategic to profits that might be one place to start. Save the high-stakes CRM project for later, when you have learned a few best practices.
2: Assess your risk
Before you can come up with metrics and other requirements for vendors, you need to determine exactly which business and IT priorities of the data/system you want to outsource and what will be the fallout of any sort of breach or data loss. How do your internal requirements for encryption, network security, privacy, disaster recovery, auditing and monitoring align with the services provided by the vendors under consideration?
3: Choose vendors carefully
I would recommend you to select vendors with a long track record of providing web-based software and services. You may have to pay more for established vendors, but doing so will likely lower your risk. Let someone else do the thinking (and risk) ahead of you.
4: Do a deep dive on your SaaS vendor’s security infrastructure and approach
It’s not out of the question to request a third-party audit of the company’s security systems and policies. What security certifications does it hold? Is the company compliant with any relevant industry regulations, such as PCI DSS for credit card transactions? Following is a checklist you can use:
- How and where data encryption is used (for instance, on backups as well?)
- The quality of the network defenses in the data center
- How authentication and secure connections are handled
- The use of data loss protection (DLP) technology
- The question of multi-tenancy, since you’ll be sharing computing resources with other customers
5: Ask how your vendor handles disaster recovery
What protections will you have from your vendor in case of an outage due to system failure or natural disaster? Will you have offline access to the data? You can, for instance, ask your vendor if there’s a way to periodically store data into an on-premise system just for that purpose.
6: Get it in writing
Involve business and IT colleagues, client references of the vendor, your legal department, and whomever else might be helpful to ensure that you have an airtight contract. The document should cover not only financial terms but included services, performance metrics, and reliability and security provisions. How much uptime do you need and what does the vendor agree to do if they miss it? This could come in the form of fees, credits or other creative paybacks.
7: Get chummy with your vendors
It goes without saying that you want a collegial not an adversarial relationship with your SaaS vendor. After all, they’re there to help your business grow and be more flexible, so think of them as a strategic business partner. Meet frequently to go over the metrics and to discuss how to improve experiences for your employees and external customers that may interface with the system. Now that you have freed up time of internal IT staff members who used to work on implementations and maintenance, dedicate at least one individual to managing this critical relationship.
8: Look out for new monitoring tools
Many businesses, as they grow in size, install system monitoring tools that keep an ever-present eye on networks, PCs and applications for any abnormalities such as viruses, inappropriate access or performance lags. Increasingly, such tools will include scanners that can also test web applications for vulnerabilities.
9: Consider the help of a security consultant
Unless security is an area of expertise in your group, an outside consultant can help make sure that you are asking all the right questions and not overlooking any important technical details. Information security consultant suggests asking questions such as whether your vendor can support your e-discovery requirements and how authentication is handled.
10: Devise a PR and response strategy
Regardless of how vigilant you are in selecting and managing vendors, there is always the chance that a security breach or data loss will happen anyway. Rest assured: the media and angry customers will be coming to you, not your vendors. Put together a plan stating which employers will be on your response team and what actions should occur in what order. Make sure you have a capable media relations expert on hand to help work responsibly and cordially with media inquiries. Withholding information should be avoided as more transparency means happy customers and stakes holders.
If you’ve got any thoughts, comments or suggestions for things we could add, leave a comment! Also please Subscribe to our RSS for latest tips, tricks and examples on cutting edge stuff.