Cloud simplicity and affordability overshadow security concerns for most enterprises. But this doesn’t mean that SaaS risks don’t exist, or that they can’t cripple unwary companies.
In the 2019 State of Business’ SaaS Spend report, our research showed that the average employee uses 44 cloud apps. Because of issues like limited visibility and poor management processes, 50% of these tools increased the riskiness of software use. SaaS introduced a range of problems, from data privacy to business continuity.
3 biggest SaaS risk areas
Mitigating SaaS security issues requires understanding the key risk areas. Generally, risks of cloud computing fall into three categories:
- Data security
- Regulatory and compliance risks
- Business risks
Below, we introduce each category and outline fundamental steps for limiting exposure in it. Of course, risk management is just one part of broader enterprise SaaS management. For interested leaders, we’ve created the Guide to Enterprise SaaS Management. The guide delivers an in-depth look at key drivers of SaaS use in the enterprise. It offers practical, applicable insights to reduce risks, manage costs, and unlock cloud efficiencies for growing enterprises.
1. SaaS data security
According to ITProToday, data security refers to the ways organizations “[...]protect their data, including technical safeguards that help ensure data confidentiality, integrity, and availability.” Closely related is the concept of data privacy; that is, the use and governance of personal data like personally identifiable information (PII) or financial information.
Enterprise leaders that deploy SaaS unwittingly assume responsibility for how their vendors protect data. Yes, companies must track the measures their service providers use to protect critical business data stored in their services. Often, growth depends on it.
Some of the security questions to ask your SaaS vendor are:
- Does any data you are uploading to your SaaS vendor include personally identifiable information (PII)?
- Who controls the encryption keys?
- What security certifications do you have?
- Do you support two-factor authentication?
A Cisco report finds that two-thirds of companies have sales delays due to customer security and privacy concerns. The Ponemon Institute’s 2018 Cost of a Data Breach Study found that the average cost of a data breach globally was $3.86 million. Combined with reputational damage, this is potentially devastating.
Limiting data exposure
Leaders should start by getting an overview of the SaaS services in use and by developing assurance around providers’ security and technical measures. At a minimum:
- Using SaaS management, discover all services employees subscribed to without explicit IT department approval (shadow IT). Remove those you don't need and encourage employees to use IT-approved services only.
- Track security certifications maintained by a vendor. We suggest ensuring SOC 2 compliance and validating service organizations’ security, availability, and processing integrity controls.
- Confirm robust data encryption practices (at rest and in flight).
- Confirm integration with enterprise single sign-on (SSO) solutions and two-factor authentication to reduce the chance that phishing emails, still the most common type of attack, succeed.
2. SaaS regulatory and compliance risk
Another SaaS risk, closely related to data security and privacy, is regulatory compliance. Today, mandatory controls exist to regulate data use and practices. They may be industry- or function-specific, adding complexity to oversight. For companies opening in the EU, for example, GDPR presented new requirements to boost consistent protection of consumer and personal data. Some of the key aspects included:
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
Another common issue is the Privacy Rule established within HIPAA. This addresses the use and disclosure of individuals’ health information, while allowing the necessary flow of information to promote quality health care.
In financial services, the Financial Crimes Enforcement Network (FinCEN) and similar watchdog organizations are relentless in ensuring anti-money laundering (AML) and Know-Your-Customer (KYC) compliance. For fintechs, scrutiny is at an all-time high. SonicWall notes how companies may need capabilities to log user activities and enable audit trails across sanctioned applications.
Although companies may expect their vendors to maintain compliance, the onus of proof rests with enterprises that engage directly with consumers. This is impossible, however, if companies do not have a full view of SaaS applications in use.
Cleanshelf provides the means for widespread visibility – whether a company seeks compliance with GDPR, CCPA, SOX, HIPAA, or similar governing practices.
3. Business risks of SaaS
Indulging in SaaS introduces a new risk of moving to the cloud: over-dependence. Enterprises now face business continuity issues as they build critical infrastructure, sales, and operational functions with tools they don’t control.
- How easy does the vendor make it to import and deploy?
- What happens when a vendor goes out of business or stops supporting the solution the business is dependent on?
- Will there be sufficient warning to migrate data?
These risks go unaddressed because they cross natural departmental boundaries. While some consider this an IT issue, Deloitte’s CFO Signals Survey shows that 55% of the surveyed CFOs indicated they are responsible for enterprise risk management.
Limiting business risks of SaaS
Industry expert vXchnge offers some best practices to reduce business risks when considering cloud providers, starting with:
- Research the overall financial health of the provider. Assess their customer base, expansion plans, funding, and growth metrics.
- Review terms outlining what happens to customer data or support in the event of bankruptcy or acquisition. At a minimum, understand the data retrieval process (and the format of the returned data) to ensure it's exportable to a competing service.
"...recognize their evidence of growth and traction because nobody wants to buy from a SaaS business that will go out of business," as Michael King explains.
Other business and operational factors to consider are uptime SLA guarantees and support in case of outages. Ask what amount the vendor is liable to pay if an outage happens (an SLA usually leads to a lower monthly payment) or if the vendor loses data.
The ease of SaaS lulls many into low vigilance. While SaaS is simple and often affordable, it’s not riskless. Understand what you own, clarify usage levels, and then consider the above steps to address SaaS data security, SaaS regulatory and compliance, and SaaS business risks.