
SaaS Security: Criteria for Selecting a Provider

SaaS (Software as a Service) is a growing offshoot in the world of web applications. This form of service, in which software is, in a sense, leased out, means that clients entrust not only their application but also their data to external parties. It is therefore necessary to choose a supplier that is trustworthy and reliable. How, then, do you make an informed decision when selecting a SaaS provider?
TEXT: JOHANNA KIRN & XANDER ORTH

In order to develop a clear picture of a provider and to make a well-considered choice, we have divided the criteria into three categories: the integrity of the provider, the security of the data and the availability of the service as guaranteed by the provider. Crucial business data belong in trustworthy hands. In any case, these data should not end up just anywhere. Not only does the method of handling sensitive information need to be taken into consideration, but also the continuity of the SaaS service. The continuity is determined by the future outlook of the provider. SaaS software is not something you purchase for just a couple of months; you need a business partner that will not go bankrupt in a year's time. General information can provide indications of a provider's integrity. Aspects to consider include the experience a provider has in the SaaS arena and its client portfolio, preferably one with clients similar to your own organization. Financial information, such as a provider's annual returns and its predicted growth as a business, can also be of help.

Besides a provider's integrity, the security measures that a provider follows must also be investigated. The SaaS provider must clarify, in detail, its security strategy to protect data from unauthorized persons as well as in the event of natural disasters. However, the information about these measures must not be publicly accessible, for example, on the internet, in order to prevent it from being misused. Besides the risk of damage to or loss of hardware, there is also a chance that the software is lost due to viruses, malware and other external causes. To reduce the risk of data leakage (the loss of files) as much as possible, back-ups of the data must be made frequently and stored in different geographical locations. A number of providers employ underground back-up data centres or store back-ups at locations that are hundreds of kilometres apart in order to protect data from natural disasters or other calamities. Legislation regarding data protection must be verified if a provider is located outside of the EU. Regardless of a provider's location, the client must remain the owner of the data after the contract expires. In some cases, outsourcing security to experts can become a positive side effect of acquiring a SaaS service, especially for small companies that do not have large automation departments.

A supplier's reliability is also largely determined by the availability of the service. As a rule, providers will only guarantee the availability of the software and not a working internet connection. This needs to be taken into account when establishing a service level agreement (SLA) for availability. In the SLA, it is advisable to strive for availability for 99% of the month, as opposed to 99% of the year: an SLA based on availability over an entire year could allow a lengthy downtime period, which the provider could then claim as part of the allowed downtime without exceeding the 1% allowance.

If you take these criteria into account when selecting a SaaS provider, then there are no security or reliability reasons not to purchase SaaS services. You can find additional information about SaaS in general in the SaaS edition of TOPdesk Magazine (October 2007) at: www.topdeskmagazine.com.

TOPdesk also provides a SaaS service: TOPdesk as a Service. At TOPdesk, we are thoroughly aware of the risks associated with an online application and for this reason have invested a lot of time and energy into ensuring that TOPdesk as a Service is as secure as possible. We use SSL certification, which is also used by banks for internet banking, to ensure data integrity, encryption and authentication. The Dell servers are also continuously creating back-ups. Should something happen to the productivity of one environment, then a back-up system will immediately take over. Finally, the data centres also support the security of SaaS services. These centres are located in Haarlem, the Netherlands (Evoswitch) and Schiphol-Rijk, the Netherlands (Easynet). By investing in the latest fire safety, cooling and anti-theft technologies, we have taken every precaution to ensure that TOPdesk as a Service is as safe and secure as possible. You can find more information at www.topdesk.com/saas.
