In the last two posts, I covered considerations to be made in
In this post I will go into the governance controls you should include in your evaluation checklist of a SaaS vendor.
In this day and age of increasing governance and regulatory compliance mandates, your ability to support governance requirements is constantly tested through audits. With SaaS applications in your portfolio, this assumes a higher degree of importance.
SaaS can really help the cause when it comes to governance, if sufficient legwork is done upfront. On the one hand, having a SaaS application in your IT portfolio relieves you of some of your IT responsibilities: the vendor assumes responsibility for upgrades, patching, backups and recovery. The fact that the application is outside the realm of your IT boundaries also means that it is out of the reach of your unauthorized employees. On the other hand, the data sits in a remote data center where employees of the SaaS vendor access it, and you have scant visibility into that.
Governance Controls
So here are some governance checks to be done as part of your evaluation of the SaaS vendor:
- Access Control: Considering that the application is hosted by the vendor, by definition your team will not have access to the technology infrastructure. Check the vendor's policies on who has access to the data center and how it is secured. Also check who on the vendor team has access to the application. The application should provide an audit trail of every time someone accesses the application.
- Security: Evaluate the various aspects of security in the product, starting with:
  - password encryption,
  - application security model (data and role-based),
  - encryption of data at rest and in transit,
  - security on the servers (access, configurations, logs),
  - data center security,
  - physical premise security.
- Data Separation: One of the biggest mental hurdles companies have in adopting SaaS is the fact that their data resides outside their control, and the fear that it might be within the reach of the wrong people. The former is true, but it is no different from having your personal online bank or brokerage account. Combine that with the fact that your data could be co-mingled with that of your competitor, and customers become that much more finicky. SaaS companies should be able to share with you the policies used for data segregation and the architecture used to implement them. Their multi-tenancy architecture would typically be underpinned by technologies like Virtual Private Databases (VPD) or a separate-databases, shared-code model. Around privacy, have your security experts verify that no customer/tenant information (IDs or codes in URLs, hidden variables) is exposed in the user interface; such values could provide access to data you should not be seeing.
- Change Management: This is one of the critical things to evaluate in a SaaS provider to gauge the maturity of the vendor. Most vendors begin with ad-hoc processes and institute mature governance processes as the company grows. As part of the evaluation process, insist on reviewing the following:
  - the Change Management policy document,
  - the change log from a change that was actually effected,
  - how changes are communicated to customers.
- SOX, SAS-70, PCI-DSS, HIPAA, GLBA: Managing information, access and usage across the entire on-premise IT portfolio is challenge enough. With SaaS, it becomes a little more challenging. You store information regarding assets, leases, contracts, employees, payments and vendors, to name a few, in a database outside your firewall, maintained on infrastructure managed by a third party. That is enough to give sleepless nights to any CIO/VP of IT. So, to give yourself assurance that your data is being accessed only by authorized people, ensure the application provides the ability to capture and review audit trails. The ability to generate reports on the access log and audit trails should be a critical criterion before you close the deal. If you see shortcomings in these areas and get commitments for those features in the product, tie milestones and payments to the delivery of those features.
- Intrusion Detection: With more applications being deployed on the internet, Intrusion Detection Systems have become an essential part of any IT infrastructure. In a SaaS world they assume a larger importance. Given that the infrastructure is hosted by a third party, it is critical that you insist on an IDS implementation and a follow-up process to proactively check for potential areas of vulnerability. A standing process for regular inspection and "hardening" of the servers, routers and hardware is something you should ensure.
- Disaster Recovery: Most vendors, to begin with, will not have Disaster Recovery. With competing priorities and budget constraints, it is bound to get tougher to spend on DR. But this is something you should ensure your vendor can support. Pay attention to the RPO and RTO commitments and the location of the DR site. Having two DR sites on the same electric grid (or on the same fault line, in the SF Bay Area) does not really amount to an effective Disaster Recovery plan. If DR is not available, capture it in the contract as a necessary milestone that will be measured for payments and renewals.
- Availability: While going with a SaaS solution relieves you of the active maintenance of the application, its availability will still be your ultimate responsibility. Ideally, the vendor should have, and share, monitoring reports that support conformance to the SLA. Some vendors even share this information publicly on their site.
- Scheduled Maintenance: Pay special attention to the scheduled downtime windows that might be defined in the contract. Most vendors have weekly maintenance windows that require the application to be down for part or the majority of the weekend. While that in itself is not a problem for most of the year, don't forget to identify blackout weekends such as month ends, quarter ends and year ends, so you can do what is necessary for the book-closing activities in your company.
- Data Portability: One of the allures of SaaS is that there is no large upfront investment, so if things don't work per your needs or satisfaction, you can cancel the contract and move to another vendor. The SaaS vendor themselves will tell you this to convince you and close the sale. While SaaS does provide you with a quick ramp-up option, getting your data back, if and when you choose to move away from a SaaS solution, is altogether a different proposition. If the SaaS vendor runs a multi-tenant solution sharing a single database, it will be even tougher. So I recommend incorporating terms in the contract to ensure you retain data ownership in the event of termination, without breaking the bank. You will have to pay for some professional services, but it should be reasonable. If you are lucky, besides the snapshot of the data you should also be able to get copies of log files, audit trails and application access logs, so that you can support regulatory compliance mandates.
- Data Retention: There are two things you need to cover in Data Retention.
  - While you are still a customer, you want to ensure your SaaS vendor has the necessary retention policies to keep the essential information (log files, audit trails, historic transaction data) in the application to support your regulatory compliance obligations.
  - When you cease to be a customer, having canceled the contract and reclaimed your data, you should make sure the vendor does not retain your data and risk exposing your company in any potential data leak in the future.
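As an added example, not code from the original post or from any vendor, the following Python sketch shows two of the checks above in working form: the Data Separation point (a tenant identifier that arrives with the request in a URL parameter or hidden field, versus a lookup scoped to the tenant held in the server-side session, which is the effect a VPD policy or row-level filter gives you at the database layer) and the audit-trail point from the compliance item (every access attempt recorded and reportable per tenant, including denied attempts a reviewer would want to see). Tenant names, user names, record IDs and contract values are constructed for the example, and the `TenantStore` class and `get_contract_unsafe` function are hypothetical names chosen here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    """Server-side session. The tenant is fixed at login from the identity
    provider; nothing the client sends later can change it."""
    user: str
    tenant: str


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user: str
    tenant: str
    record_id: str
    outcome: str  # "allowed" or "denied"


# Constructed sample data for this example: two tenants ("acme" and "umbrella")
# whose contract records share one table, as in a shared-database multi-tenant design.
SAMPLE_CONTRACTS: Dict[str, dict] = {
    "c-1001": {"tenant": "acme", "vendor": "Globex", "value": 120000},
    "c-1002": {"tenant": "acme", "vendor": "Initech", "value": 45000},
    "c-2001": {"tenant": "umbrella", "vendor": "Tyrell", "value": 800000},
}


def get_contract_unsafe(rows: Dict[str, dict], record_id: str,
                        tenant_from_request: str) -> Optional[dict]:
    """The pattern the post tells you to look for: the tenant identifier arrives
    with the request (a URL parameter or hidden form field), so whoever sends
    the request decides which tenant's rows the filter matches."""
    row = rows.get(record_id)
    if row is not None and row["tenant"] == tenant_from_request:
        return row
    return None


class TenantStore:
    """Hardened access layer: every read is scoped to the session's tenant and
    every attempt, allowed or denied, is appended to the audit trail."""

    def __init__(self, rows: Dict[str, dict]) -> None:
        self._rows = rows
        self.audit_log: List[AuditEvent] = []

    def _record(self, session: Session, record_id: str, outcome: str) -> None:
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=session.user,
            tenant=session.tenant,
            record_id=record_id,
            outcome=outcome,
        ))

    def get_contract(self, session: Session, record_id: str) -> Optional[dict]:
        row = self._rows.get(record_id)
        # A missing row and a row belonging to another tenant are handled the
        # same way, so the response does not reveal whether the ID exists.
        if row is None or row["tenant"] != session.tenant:
            self._record(session, record_id, "denied")
            return None
        self._record(session, record_id, "allowed")
        return row

    def audit_report(self, tenant: str,
                     outcome: Optional[str] = None) -> List[AuditEvent]:
        """The access-log report a customer should be able to pull for their own
        tenant; outcome="denied" narrows it to attempts on records outside the
        tenant, which is what a periodic review should look at first."""
        return [
            event for event in self.audit_log
            if event.tenant == tenant and (outcome is None or event.outcome == outcome)
        ]


if __name__ == "__main__":
    store = TenantStore(SAMPLE_CONTRACTS)
    alice = Session(user="alice@acme.example", tenant="acme")
    print(store.get_contract(alice, "c-1001"))   # acme's own record
    print(store.get_contract(alice, "c-2001"))   # another tenant's record: None
    # Contrast: the request-controlled tenant filter hands over the other tenant's row.
    print(get_contract_unsafe(SAMPLE_CONTRACTS, "c-2001", "umbrella"))
    for event in store.audit_report("acme", outcome="denied"):
        print(f"{event.timestamp} {event.user} denied {event.record_id}")
```

The point to take to the vendor review is the shape of `get_contract`: the tenant never comes from the request, the filter is applied on every read, and the denied path is logged rather than silently returning nothing, so the report your compliance team asks for actually has something to show.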
Incorporating a stringent SLA goes a long way toward achieving all these things once you adopt a SaaS solution.
Hope this helps you in your efforts to conduct an effective RFP process to procure a SaaS solution. SaaS is a big change happening in the technology arena and we are still in the first innings. There are at least 8 more to go.
Download the entire SaaS Buyer Guide (PDF 169KB)