14 Security-Focused Questions Companies Should Ask Their SaaS Vendors
Forbes Technology Council – September 27, 2022
Software as a service has become big business: According to one industry study, 99% of companies were using one or more SaaS solutions by the end of 2021. Tapping into the wide range of SaaS products can certainly save companies money and time and boost their productivity. However, it’s essential for companies to think about more than the budget when shopping for SaaS solutions. An equally important consideration is whether your chosen SaaS vendor(s) can protect your and your customers’ sensitive data.
Any company’s security posture is only as strong as its weakest link, so it’s essential for companies to carefully vet any SaaS vendors they’re considering partnering with. Below, 14 members of Forbes Technology Council share security questions business owners should ask all potential SaaS partners and why their answers are so important.
1. ‘How do you align with our unique security needs?’
A SaaS vendor should be asked, “How do you align with our unique security needs?” These needs may include a zero-trust model, data loss prevention, data governance and so on. When vetting a SaaS vendor, look for one that supports encrypting data at rest, in transit and in use with encryption keys; prevents accidental sharing of sensitive data; follows least-privileged access standards; audits data usage; and regularly assesses compliance. – Suresh Sethuramaswamy, Microsoft
2. ‘Do you treat customer data as the highest-value asset?’
Ask your vendor about their fine-grained visibility into the data they collect, the systems users have access to and whether all those accesses are secure. Do they treat customer data as the highest-value asset? All the vulnerability scanning, network firewalling and processes that compliance frameworks make them adopt are meaningless if they don’t have a clear idea what they are protecting. – Ravi Ithal, Normalyze
4. ‘When was your last third-party pentest done?’
Don’t forget about risk and compliance: Only 17% of SaaS tools are compliant with more than half of the seven most common certifications. Ask the vendor when their most recent third-party penetration testing was done, what vulnerabilities were found and how many days passed until they were resolved. – Jody Shapiro, Productiv
5. ‘Do you allow your customers to control their sensitive data in the cloud?’
Companies should ask SaaS vendors for quantifiable evidence demonstrating that they allow their customers to maintain control of their sensitive data in the cloud. Insist on a BYOK (bring your own key) approach. The ability to bring and control encryption keys to the cloud ensures the vendor can protect data through encryption or tokenization and implement the right to be forgotten—a core compliance requirement. – Ameesh Divatia, Baffle, Inc.
6. ‘Tell me about your security team.’
I would ask the vendor for the details of their security team, including the organizational and reporting structure and the level of experience. The right security specialists, reporting to senior management, are crucial for implementing and maintaining a secure service. – Howard Taylor, Radware
7. ‘Do you understand your full attack surface?’
Having worked with a lot of customers on their API strategies, I find many organizations don’t understand that the more digital channels you open up, the more vulnerabilities you open up—including new types. Some very prominent companies have had their APIs hacked by thinking they could only be accessed by their UIs, when in fact they were accessible on the open Web. – Matt McLarty, MuleSoft
8. ‘How is your security system designed?’
Compliance with industry regulations such as GDPR, CCPA and SOC 2 has become expected. But there’s a difference between knowing your data is safe and actually seeing how it’s protected. Look for SaaS vendors that design their security system around transparency and trust, and ask about safeguards such as encryption, session management and two-factor authentication. – Rich Waldron, Tray.io
9. ‘How do you train your team to handle incident response?’
Companies should ask potential SaaS vendors about their incident management experience and posture. How do they keep their teams trained to address issues? Do they run mock drills, chaos game days or tabletop exercises? Find out what they do to build muscle memory to keep their customers’ data safe and how they stay ready to respond should a breach or incident occur. – Prasad Ramakrishnan, Freshworks
10. ‘Will you ever access our data?’
Always ask, “Are there any scenarios in which you would access data, and if so, what auditable proofs are in place to demonstrate that the access was controlled, logged, justified and timed?” The vendor may be asked to troubleshoot an issue, a dashboard or a query, and hence they will have access to data—even if it’s encrypted. Providing auditable proof of controls is a must-have security requirement. – Spiros Liolis, Micro Focus
11. ‘Do you have SOC 2 Type 2 certification?’
One essential security question business owners should ask a potential SaaS vendor is, “Does your company have a SOC 2 Type 2 certification?” A SOC 2 Type 2 certification means that your data will be safe and secure because the vendor has been audited for security by an independent auditor. This one question can help you narrow down your choices and find the best fit for your company’s needs. – Leon Gordon, Pomerol Partners
12. ‘Tell me about the details of your SOC 2 report.’
Every responsible SaaS vendor should have a SOC 2 report that evidences the strength of their security controls. Even so, key questions remain. What controls were audited, and is the report a companywide report or a service-/site-specific report? Only by asking these questions will you know if you can place full faith in the SaaS vendor to manage your data. – Mark Brown, British Standards Institution (BSI)
13. ‘Can you tailor your service to my business?’
Business owners shouldn’t jump into projects without knowing (and stating) what their needs are. This is why they should ask SaaS vendors about the possibilities for tailoring the service to their business, whether that’s by having multiple points of contact, varied server locations or, most importantly, scalability regarding access to the service. – Jacob Mathison, Mathison Projects Inc.
14. ‘Tell me about the SaaS applications you use.’
Ask, “Do you know all the SaaS applications that are used to create your service and if they are secure?” SaaS is changing enterprise work, and it’s also revolutionizing SaaS development. Nearly every SaaS service incorporates other SaaS services, but they don’t always ensure that those other services are secure and have good data governance. – Lior Yaari, Grip Security