Software-as-a-service (SaaS) is becoming a defining factor of how companies operate and was an enabler of the sweeping transition to remote work that took place in 2020. However, moving data and storing it outside a company network is always a security risk. Read the Tresorit SaaS security checklist to learn about the factors you should consider when choosing a new SaaS provider.
By definition, SaaS systems require data to move from your internal network to a service provider. This can put confidential data at risk both in transit and at rest. There are also myriad legal considerations to keep in mind: many SaaS solutions can be accessed for free, and teams may even be creating accounts to use services without the knowledge of internal legal or IT departments. As a result, all companies must have clear guidelines in place on the use of SaaS solutions, and a process to ensure the software they leverage is safe.
The SaaS security checklist
A well-defined SaaS security checklist is a mandatory part of reviewing potential partners and should also be applied to already approved partners (for example, when creating a new integration or connected service). To ensure compliance and safety, legal, GRC, security and IT teams should be involved in the process.
We’ve gathered several aspects (grouped under six key points) to help you make the right decision when choosing a new service. Read below for a full overview:
1. Check for recommendations from national or regional authorities.
Several national and regional authorities issue guidance on using SaaS. Some, like the UK’s National Cyber Security Centre, offer basic security reviews of popular services and highlight the legislation that may affect which services you can use. While you should go deeper than these overviews, these are a good foundation for internal security analysis.
2. Review access and security information published by the SaaS provider
- Will the service provider have access to the data you store on their systems? This is the most basic security question you should be asking. Ideally, service providers should not be able to read your data and should also be transparent about the steps they take to secure this information.
- Review available security and privacy documentation. These items will give you an understanding of the measures the developer has in place to increase security, as well as the level of transparency at which the company operates. Make sure to check the fine print – the devil is in the details.
- Is end-to-end encryption (E2EE) included in the service? E2EE in itself is not enough to keep your data completely safe, but if all information on their servers can only be decrypted with a key stored locally on your team’s machines, you can avoid the risk of major liability in future. Learn more about E2EE from our recent blog.
3. Inspect the data security of the provider
- What data will change hands when you use the service? Consider what you will be using the service for, and what kinds of data you will send to their servers - beyond IP concerns, data processing regulations may also limit this decision-making process.
- Who will the service provider share your data with? Ideally, the answer to this question will be: no-one. This information should be publicly accessible and provided in detail for your team to review. E2EE is the best solution again, as the provider will not have access to any of your data.
- Does the company have a clear security and privacy track record? Dive deeper than the size and stability of a partner company, and take a look at their security and privacy track record. Have steps been taken to address any past issues?
4. Conduct legal review to ensure compliance with data protection regulation
- Check compliance with applicable data protection rules. Since GDPR came into effect in 2018, data protection has become a central talking point in the digital world. Since then, several countries have followed suit in creating strict data protection rules. Before signing up for a new solution, have your legal team confirm they are compliant with any regulations that affect your company.
- Confirm data residency or options to change where your information is stored. An oft-overlooked facet of data protection laws is how they regulate where companies can store personal data. Confirm that the personal data of EU citizens remains within the bloc’s borders.
- Will you need a DPA to use the service? You may need a data processing agreement (DPA) to use the service, depending on the data the provider can access (another legal hurdle that is a lot less likely to cause issues if E2EE is in place).
5. Confirm compliance with relevant international standards
- Is the company ISO 27000 certified? This well-known international standard defines the framework of how organisations can manage information securely and includes a set of security controls for them to roll out. While no badge of compliance can replace a full security review, international standards like ISO 27000 do provide an added layer of confidence.
- Does the developer follow the SOC2 auditing procedure? SOC2 is an auditing procedure designed to confirm that a company’s third-party suppliers also handle all data securely, protecting the privacy and security of the company’s clients. It is a must-have in complex systems with plugins, or systems where data moves between different providers.
6. Conduct a technology audit
- Confirm at-rest and in-transit security. Examine the technology the service uses to keep your data safe when you communicate with the software, and when it is stored on their servers. In a best-case scenario, you’ll find up-to-date E2EE.
- Review authentication options and other security limits. SSO is a double-edged sword. Set up correctly, it can increase security and user comfort. Do it wrong, and it becomes a security flaw.
- Check user role options and data access levels. Various roles often require different levels of access. A fundamental rule of security (the principle of least privilege) is that people should only be able to access the data they need to complete their work. Does the service allow you to create different user roles and access levels easily?
- Are security features easy to use? Can a single IT admin manage users efficiently? Will your team be able to use the security tools easily? When security gets in the way, it can frustrate users, leading them to find creative ways to circumvent clunky limitations.
End-to-end encryption powers increased security
As this checklist shows, a security review is not a quick process. We know this because we conduct them regularly. Why? Because we believe in making security simple, and believe the best way to do that is to offer E2EE storage and only work with providers that meet our security standards.
A SaaS that utilises E2EE is infinitely more secure than any other. In fact, if proper E2EE is in place, several points of the list above can be ticked off automatically.
E2EE means that a provider cannot access any of your data stored on their servers. It guarantees the security of your files in the event of a third-party hack. If E2EE data is accessed in a GDPR jurisdiction, the requirement to report does not apply. Furthermore, the provider cannot share your data with any third parties, as the information you store on their system cannot be read.
While E2EE does not cancel out the need for a security review in itself, it fundamentally increases the security of the solution and drastically accelerates the steps a security review has to go through, making your team not only more efficient but also more secure.
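The claims above (and the at-rest protection and user-role checks in point 6 of the checklist) can be made concrete with a small simulation. The following Go program is an added example written for this post; it is not Tresorit code and does not describe any real provider's implementation. It models a client that encrypts a file with a key that never leaves the client, a provider that stores only ciphertext and enforces a deny-by-default list of roles per file, and a full breach of the provider's storage. The role names, file path and file contents are constructed for the example; the cipher is AES-256-GCM from Go's standard library, with the file path bound in as additional authenticated data so a ciphertext served under a different path is rejected on the client.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Role is a coarse provider-side access level. The names are assumptions for
// this example, not the roles of any real service.
type Role string

const (
	RoleAdmin  Role = "admin"
	RoleMember Role = "member"
	RoleGuest  Role = "guest"
)

// Blob is everything the provider ever sees for one file: a random nonce and
// AES-GCM ciphertext with its authentication tag. No key, no plaintext.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewClientKey generates a 256-bit key on the client. In an E2EE design the
// key is stored or derived locally and is never sent to the provider.
func NewClientKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM. The resource path is passed as
// additional authenticated data, so whoever controls the storage cannot
// silently serve this ciphertext under another path.
func Encrypt(key, plaintext []byte, resource string) (Blob, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(resource))}, nil
}

// Decrypt opens a blob on the client. It fails on a wrong key, a modified
// ciphertext, or a blob served under a different resource path.
func Decrypt(key []byte, b Blob, resource string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, []byte(resource))
}

// Provider is the simulated SaaS back end: ciphertext storage plus a
// deny-by-default access list per resource. It never holds a key.
type Provider struct {
	store map[string]Blob
	acl   map[string]map[Role]bool
}

func NewProvider() *Provider {
	return &Provider{store: map[string]Blob{}, acl: map[string]map[Role]bool{}}
}

// Upload stores a blob and records which roles may fetch it.
func (p *Provider) Upload(resource string, b Blob, allowed ...Role) {
	roles := map[Role]bool{}
	for _, r := range allowed {
		roles[r] = true
	}
	p.store[resource] = b
	p.acl[resource] = roles
}

// Download enforces least privilege: a role not listed for the resource is
// refused, and an unknown resource is refused the same way.
func (p *Provider) Download(resource string, role Role) (Blob, error) {
	if !p.acl[resource][role] {
		return Blob{}, errors.New("access denied")
	}
	return p.store[resource], nil
}

// Breach models a full compromise of the provider's database: the attacker
// gets every stored blob, which is exactly the provider's own view of the data.
func (p *Provider) Breach() map[string]Blob { return p.store }

// LeaksPlaintext reports whether any stored blob contains the plaintext
// verbatim, i.e. whether the breach exposed readable file contents.
func LeaksPlaintext(dump map[string]Blob, plaintext []byte) bool {
	for _, b := range dump {
		if bytes.Contains(b.Ciphertext, plaintext) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewClientKey()
	p := NewProvider()
	path := "finance/q3-deck.pptx" // constructed sample path
	secret := []byte("Q3 board deck - constructed sample, not real data")
	b, _ := Encrypt(key, secret, path)
	p.Upload(path, b, RoleAdmin, RoleMember)
	_, err := p.Download(path, RoleGuest)
	fmt.Println("guest download:", err)
	got, _ := p.Download(path, RoleMember)
	pt, _ := Decrypt(key, got, path)
	fmt.Println("member decrypt:", string(pt))
	fmt.Println("breach exposes plaintext:", LeaksPlaintext(p.Breach(), secret))
}
```

Two points to take from running it: the guest is refused by the provider's own access check, which is the "different user roles and access levels" question from point 6, and the breach dump contains no readable file contents because decryption needs the key that only the client holds, which is the reason several checklist items can be ticked off when proper E2EE is in place. Note that the provider still sees the file path and the ciphertext size, so metadata exposure remains a review question even with E2EE.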
Want to find out more? Discover more about our own security standards and how E2EE powers everything we do at Tresorit here!