What Is SaaS?
Over the past five years, Software as a Service (SaaS) products saw steady growth. Their increasing rate of adoption and innovation is exciting but can also serve as a cause for concern. SaaS products range from widely spread and universally helpful products like Gmail, Microsoft Word, or Zoom to more niche products like the Adobe Creative Cloud, Salesforce, or Quickbooks.
SaaS products revolutionized business practices. But, as with any business operation, risks exist. Make sure you can spot them. SaaS is a method of delivering software that allows you to access your data from any device with an Internet connection and web browser.
Instead of installing software on the hard drive of your computer or laptop, it’s now customary to pay a monthly or yearly licensing fee and access the service/product through the internet. Seven years ago, SaaS was less common but today it is a routine way to deliver software. As you evaluate different SaaS vendors to meet your business needs, you’ve likely thought about cost and functionality. But there are other important considerations that might not have occurred to you. Be sure to review the terms of service (“TOS”) or license agreement and be on the lookout for these issues:
4 SaaS Security Best Practices
1. Who Owns The Data?
Small business owners often rely on SaaS to operate their companies. Over time, substantial amounts of mission-critical and sensitive data become stored in the SaaS products they’re using. The TOS should address who owns your data (hint: it should be you). Also, the TOS should set forth when you can export or locally back up data and address your access to your data if the vendor fails.
Ensuring that you own the data you put into the software is SaaS security best practice number one.
2. Who Owns The Server?
SaaS providers may not own the servers they use to provide their product and that’s not necessarily bad news. The question is, who does? If the TOS merely references “hosting partners” or “third-party systems” with no transparency as to who those partners are, then you should be aware that your data may be held in off-shore jurisdictions where U.S. laws and customary practices do not apply.
Also, TOS with vague descriptions of hosting partners allows the SaaS vendor significant latitude in when, how, and whether to change their hosting partners. The vendor may host your data with partner A today, partner B next month, and partner C next quarter. You will have no control over this and, potentially, no notice either.
Knowing where your data and servers are physically located is SaaS security best practice number two.
3. Does the Vendor Encrypt Your Data?
I recently reviewed TOS for a client who has invested significant time, energy, and money in moving all business operations into one SaaS platform. It was a significant accomplishment that allowed greater business efficiency and streamlined operations. However, the vendor she chose created significant risks for her business. Tucked into the TOS was noticed that the SaaS vendor uses “hosting partners” and may transfer her data from one server to another at any time. But what really raised the hair on the back of my neck was this:
“your content may be transferred unencrypted. . . .”
That means the SaaS vendor is likely using off-shore servers that it can swap out at will and that it moves my client’s data from server to server without encrypting it. Encryption is easy and inexpensive — failing to encrypt data is a shockingly cavalier practice.
Pause for a moment and consider the sensitive information your company’s databases likely contain: client names, addresses, phone numbers. Maybe birthdates. Credit card numbers? That’s enough to keep me awake at night. If she had asked me to review the TOS before she committed to using this vendor, I would have told her to look elsewhere because the risks are too high. And that brings me to my next point . . .
Knowing the details on encryption is SaaS security best practice number three.
4. Who is Liable?
It’s perfectly normal for a vendor to disclaim liability for any damages resulting from a breach. If the vendor was my client, that’s how I’d draft it. However, you should prepare and carefully consider the scope of the disclaimer. In the example above, the scope of the vendor’s TOS disclaimer was so broad that even if the vendor knew of damage it would not be liable.
Essentially, the vendor has no responsibility if the service failed, hackers stole or altered my client’s data, or my client had to purchase back-up software. Whether to accept a scope this broad is a business decision. Just recognize that you have to protect your business from the risks this creates by creating a robust plan for responding to a data breach and purchasing cybersecurity insurance.
Understanding liability risks is the fourth and final SaaS security best practice.
We all rely on SaaS products to run our businesses. There is no avoiding it. Like any business decision, you simply must understand the risks that lurk in the different products you’re considering. TOS can be difficult to read and understand – they’re drafted by lawyers, after all. If you’re struggling to figure out what the terms in the TOS really mean, contact us. It’s what we do every day.
Also, Check out our short video series on SaaS products!
We also have plenty of blog posts about data privacy and cybersecurity.