CRMs, ERPs, accounting software, marketing tools, project management and productivity suites. The enterprise of today is reliant on a large number of platforms, separated by purpose, yet united by a common denominator. They’re all subscription based and cloud stored: in other words, they are a part of what is now known as Software-as-a-Service (SaaS).
SaaS in Numbers
The SaaS revolution has been one of the main engines of digital transformation, bringing easily accessible and affordable technology to companies of all sizes. In fact, according to McKinsey, the SaaS market is expected to grow by more than 20 percent annually, reaching nearly $200 billion by 2024. According to the same study, around half of the surveyed companies have used fewer than 20 SaaS products, and a quarter used more than 80!
And it’s easy to tell why SaaS offerings are so attractive: they allow the client to focus on outcomes rather than expenses. SaaS allows quick deployment and a much faster time to value, it is an operating expense (opex) rather than a capital expenditure (capex), which allows higher flexibility and shorter approval times, and it’s accessible on all systems, regardless of location or operating system. Also, according to Forbes, SaaS creates a longstanding and mutually beneficial relationship between the vendor and the client.
However, with these benefits come a few hidden caveats. One of them is the security of SaaS. With classic, on-premise software, the enterprise takes care of both access to the product and its infrastructure and security. SaaS offerings place this responsibility on the shoulders of the provider. This is reflected in the reluctance some security experts have in adopting SaaS offerings. In fact, while the quoted McKinsey study suggests 92% of companies have adopted a SaaS office automation platform, many claim they are unprepared to use SaaS in critical domains such as enterprise resource planning, or anywhere sensitive user data or documents are handled.
Choosing the Right Provider
When it comes to business process automation the stakes are even higher. Business automation suites, especially those handling financial documents, have access to a wide array of data and function with minimal human intervention. This means that every process and every potential hazard has to be thoroughly documented and back-ups must be constantly in place.
So, if you’re on the cusp of selecting a business automation provider or any type of SaaS product that handles sensitive data, what should your main security priorities be? Based on our own experience and certifications, but also on the industry’s best practices (such as those provided by the UK National Cyber Security Center or by industry journals), we’ve created a list of the most common security concerns that SaaS products raise.
1. Equipment Security
Equipment is one of the most overlooked layers of an as-a-service platform, although it is often the most important one (the “Infrastructure as a Service” layer). While some providers have their own infrastructure, many make use of cloud storage provided by specialized vendors (Google, Microsoft, Amazon). However, this does not absolve them of the following obligations:
- Uptime and Availability – Either by contract or through an SLA, the SaaS provider must provide high availability of its services.
- Backups and Disaster Recovery – Backups and disaster recovery should be extensively covered, with the provider stating how often backups occur (per day or per week), but also what the recovery time is in case of a natural disaster.
- Data Localization (or Data Residency) – Having your data backed up in multiple data centers is not just necessary, but often a legal requirement.
- Stability and Portability – The key to maintaining stability and ensuring portability (in case the SaaS provider can no longer provide the service) is secure but standard access to your hardware infrastructure, allowing quick and efficient intervention.
2. Data Security
Data security covers both the way the SaaS system handles data and the format of the data itself. While part of it can be hardware dependent, data security should be built into the product.
- Information Security – Standards such as ISO 27001 for information security make sure your provider is able to securely manage both cloud-based and third-party information storage.
- Data in Transit and Data at Rest Protection – Using an established standard such as TLS (Transport Layer Security) can help improve the privacy and speed of each data transfer. However, the tricky part about a TLS certificate is not acquiring it, but configuring it properly (protocol versions, cipher suites, certificate validation). Failing to do so might leave an unwanted security hole. Additionally, using secure encryption and digital certificates (such as those required by the AS2 standard) can improve transport security even further, while cloud security can easily handle data at rest.
- End-to-End Encryption – Such an encryption system means that all user-server interactions are carried out securely. As SaaS Metrics recommends, an SSL/TLS certificate should thoroughly cover this aspect.
- API Protection – Making sure access to the SaaS platform’s API is controlled (authenticated and authorized) can prevent unauthorized access to the company’s inner systems, while also speeding up integration.
- Data Control and Vulnerability Testing – Access to every layer of data should be provided, while regular vulnerability testing should be performed in order to reveal the weak points in the way your company and your provider exchange data.
3. User Level Security
The human element is often the most vulnerable component in a company’s ecosystem. In fact, we’ve recently covered the damage caused by invoice fraud and the effect it can have on a company’s finances and employee morale. While training the users definitely helps, providing proactive security measures against human error is just as useful.
- User Credential Encryption – It’s vital that all platform keys, certificates, and passwords are secured using a centralized, vault-type system.
- User Identity and Access Management – Identity management is the confirmation of each user’s identity. For this, your provider should use an established identity provider or standard (such as Okta) or a secure access point. Regarding access management, user privileges should be clearly differentiated and access should be easy to revoke if necessary.
- User Logs Availability – Every file access and transfer should be constantly monitored and logged. In the case of financial documents such as invoices, audit trails are actually a legal requirement.
- Access from Anywhere – Remote access to the SaaS platform’s interface should be both possible and fully secure.
4. Incident Response
An incident response team should consist of people from both your SaaS provider and your company, which is why it is important that it follows a common set of principles.
- Availability – Incident response teams should be able to tackle both hardware and software components, as well as business-related or account management issues. In some cases, multiple teams can be established in order to ensure continuous monitoring.
- Visibility – System administrators should have full visibility into the user base’s activity, which is why an internal reporting system should be in place. Additionally, a Business Analysis Planning and Monitoring system should also offer financial visibility into each process, not just a technical one.
- Transparency – Incidents should be clearly communicated, along with their cause and estimated resolution time. This requires the existence of an SLA (Service Level Agreement) detailing incident prevention and response.
- Initiative – Users should have the means to quickly report incidents and access support. Furthermore, they should be encouraged to do so.
5. Standards and Certifications
While not a vital prerequisite for choosing a SaaS provider, the availability of a set of standards and certifications is definitely something to look into. These standards fall into multiple categories.
- Information Security Standards (such as the aforementioned ISO 27001) are highly useful, regardless of the SaaS provider’s domain of activity.
- Data Interchange Standards (such as ISO 20022) can be used to complement the information security ones.
- Document Storage Certifications are useful for providers that manage large quantities of sensitive data.
- Format Certifications are dependent on the SaaS provider’s domain of activity, but are nonetheless useful for companies looking to comply with international legislation (as is the case with the European 2014/55/EU directive on electronic invoicing and its standards).
- Data Privacy Certifications – GDPR compliance has long been a necessity, and while privacy agreements are a must, an actual certification guarantees a provider’s commitment to preserving user privacy.
As the business world gradually evolves towards an Everything-as-a-Service model, security will become an increasingly important talking point. By making sure your provider follows these general guidelines, you can future-proof your business processes, as well as the quality and availability of the services you offer your customers.
The DocProcess Offer
DocProcess builds cloud-based business ecosystem automation software that helps companies automate both internal and external business processes, such as those with their network of partners (buyers, suppliers, financial institutions). Our solutions can automate all Purchase-to-Pay, Order-to-Cash, and eInvoicing services, taking away the hassle of paperwork and manual operations and giving managers and employees alike full control over their time and finances. As a business process automation company, we’ve made sure to provide both a high-availability model for our infrastructure, as well as state-of-the-art disaster protection and recovery methods. Our platforms are fully secure but also certified on multiple levels.
If you want to find out more about our security, just check our Solutions Security page. If you want to know what DocProcess can do for your business, simply contact our consultants!