Multiple data centers are one of the techniques used … While commercial software as a service (SaaS) products have been around for more than two decades, the market has grown significantly in the past few years. The problem arises when you need your hosted IP video system to interoperate with your hosted access control solution - and you may find that your vendor does not offer this pairing. Steve Van Till is president and CEO of Brivo Systems (www.brivo.com). SaaS Security Considerations Vet an app’s credibility, IT resilience and security before allowing it access to your data. The two are very different things. What end-users should be looking for in a software as a service provider. Look for integrated applications, not stove-pipes. … Vordel CTO Mark O'Neill looks at 5 critical challenges. The most widely accepted way to do this is to install X.509 digital certificates from a trusted certificate authority on networked devices. Traditionally, this term has meant deploying single-purpose applications that do not communicate with one another, thereby resulting in poor data integration, poor work-flows and higher costs to the end-user. I. DEFINITIONS Software as a service (SaaS, typically pronounced 'sass') is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. Also referred to as “on-demand software,” “hosted software,” and “web-based software,” SaaS … Seventy percent of companies said they have made at least one security exception for a SaaS vendor. These days those are just minimum requirements, so be sure to ask where the servers are and where your data will be stored. 
However, because in a SaaS environment customers' data reside with the SaaS vendor, opportunities also exist to charge per transaction, event, or other units of value, such as the number of processors required. This second figure is higher because even if applications or networks are briefly unavailable (that being the nature of the Internet) there is really no excuse for losing anyone's data with today's replication technology. Key words you are listening for are "real-time" and a proven, name-brand database solution, not a home-grown or "proprietary" approach that you cannot research. They also provide numerous security measures to keep this data safe. Typically, SaaS service providers contract with an outside firm for this service because these firms specialize in knowing how to perform all of the latest and most sophisticated attacks. Security equipment such as cameras and control panels are essentially "logging in" to exchange data, and they need to be authenticated as well. As above, the requirements as a whole were not used to build the system from scratch, as it was built by the vendor a few years ago. A further concern surrounds the experience of SaaS sales forces, which CISOs … If security is not a top priority for the SaaS vendor, then it is best to look for a different vendor. The tremendous growth of new SaaS security and surveillance services in the past few years has made choosing the best solution tougher than ever, as buyers must sort through a blizzard of competing vendor claims. With the physical security industry increasingly shifting to this approach in order to control costs and avoid obsolescence, it is crucial that buyers understand what factors to consider when looking for a SaaS provider. To fully determine whether a cloud-based solution meets your security requirements… Application security should be at the forefront of your decision-making process. 
This means that buyers need to ask about application integration up front, and make sure that vendors can provide the combinations they need. In the current rush to the cloud, one of the things we see happening is a repetition of the age-old IT sin of stove-piping applications. One major concern among organizations is cyber-security or data security. If a provider cannot or will not tell you, it is not a good sign. 6. Data security needs to be a primary design principle in the cloud, and vendors must use industry-approved algorithms to encrypt all data. It’s an urgent issue in an environment where endpoints are proliferating and hacking techniques are getting more sophisticated. The purpose is to have experts try to hack your own system before someone else does, and to fix any vulnerabilities uncovered in the process. The relatively low cost for user … This security principle applies to physical devices on your network just as it does to human users. SaaS will not change that - a stove-pipe in the cloud is just as bad as a stove-pipe in your own data center. A security checklist for SaaS, PaaS and IaaS cloud models Key security issues can vary depending on the cloud model you're using. These certificates allow the establishment of mutually authenticated encryption sessions between endpoints and applications. When implementing SaaS, learn about data security and how the SaaS providers protect your data. If your vendor tells you that you need to open up inbound ports on your firewall, think twice about using their service. The second element is a comprehensive view of the SaaS vendor’s security practices. 
This blog series explores best practices in vetting SaaS vendors to ensure data protection and streamlined workflows throughout product design, manufacturing, and lifecycle support. SaaS security is a highly technical space that can be difficult for a business leader to understand. "While it should be a given with all SaaS vendors … But providers are not responsible for securing customer data or user access to it. It’s likely that a SaaS vendor will have access to at least some of your company’s sensitive information, so it’s important to work with organizations you trust. Gartner defines software as a service (SaaS) as software that is owned, delivered, and managed remotely by one or more providers. If they will not tell you, there is really no way to know whether your data is going to be secure. The vendor might have to provide a current attestation of compliance or a contractual statement that it is responsible for the security of our data. Many of the new enterprise software solutions produced now include a SaaS offering (sometimes the sole option), intended to reduce IT overhead and infrastructure compatibility issues and allow more flexible licensing options. SaaS … 7. The simple question to ask is: "explain your data replication strategy." Right after information security, one of the top concerns among SaaS buyers is system availability, or "uptime." Yet, some SaaS providers offer a bare minimum of security, while others offer a wide range of SaaS security options. SaaS vendors and users share responsibility for cloud application security, but enterprises must know where the vendors' requirements end and theirs begin. 
SaaS vendors allow users to store data in an off-premise setting. SaaS applications remove many of the physical security barriers that protect on-premises software and data. Because SaaS security systems exchange data between on-premise devices and off-premise hosted applications, they need connections through your corporate firewalls. Comparing vendor security measures against their company’s defined requirements on every point is a tall order, given the volume of cloud solutions employees are adopting. Monthly or annual availability figures are something they should be able to provide to you. SaaS security issues. Regulatory requirements for SaaS vendors. Make sure the vendor … Penetration Testing. Security should take precedence over all other considerations. This summary contains input from twelve members on their security requirements for Software-as-a-Service (SaaS) vendors. According to Gartner, SaaS revenue is expected to grow to $133 billion in 2021, up from $87.5 billion in 2018. In support of UIS.501 Vendor Security Policy Georgetown University has adopted the security audit and accountability principles established in NIST SP 800-53 “Risk Assessment” guidelines as the official policy for this security domain. In the physical security domain, this typically means integrating one or more of access control, video surveillance and intrusion detection. 
You should ask no less from your physical security solution. Make use of a virtual private cloud and network. Organizations are moving from on-premises to SaaS … Nevertheless, businesses need to be sure their technology vendors have a strong track record on security, and that they are investing to innovate on security … This principle explains how your corporate network can safely allow employees to connect to millions of Internet sites without specifically having to identify each one in advance, and, at the same time, keep millions of hackers from gaining entry into your network or personal computer. I think of SaaS security as a two-fold challenge. Typically, vendors secure the cloud infrastructure, while users must secure applications, software platforms, data and integrations. SaaS vendors, particularly newcomers to the market, are beneficiaries of this gap. SaaS checklist: Nine factors to consider when selecting a vendor Industry cloud research: security and data protection is still the most important feature for businesses SaaS in 2016: The key … There are a variety of standards that govern security audits, but one of the most common in the United States is SAS-70. Startups must plan their security posture according to the progress they make in funding and product development. If your vendor cannot show you a current information audit statement, you should not trust them. Businesses account for almost 82% of all software related spending with Finance and Insurance leading the pack. As your SaaS development provider manages the backend with the cloud, you don’t … should be initiating the connection to the hosting center, and not vice-versa. 
Other standards include SysTrust, WebTrust or ISO 27001/2, depending on the application. Second, firewalls are typically already configured to allow outbound connections from your network to external services points, such as Web sites. Read around main cloud security risks, improving security in SaaS applications. That's why it is important to understand the "availability record" of your candidate service providers. • Device security. 2. We then move on to the sourcing process and discuss how members integrate security in vendor contracts, deal with vendors that lack sufficient security, and audit their vendors to assess risk and compliance. If a SaaS vendor has not bothered to have its system audited to at least one of these standards, then you are assuming far more risk than is reasonable. SaaS applications allow you to select the delivery model and modify it as requirements change. Your system is only as secure as the authentication and authorization procedures that protect it. Nearly all executives surveyed (92 percent) believe they will require SaaS vendors to provide more tailored and flexible security options in the future. Demand an audit statement for the specific application you will be using. You can experiment in a less risky environment by trying on a new project, user base or acquisition. We begin with an examination of the standards members consider when evaluating vendors. 
In the coming year, companies will be more likely to evaluate and reevaluate vendors from a higher level by looking at factors like vendor security … Buyers that don’t carefully evaluate the infrastructure aspects of a … The provider delivers software based on one set of common code and data definitions that is consumed in a one-to-many model by all contracted customers at any time on a pay-for-use basis or as a subscription based on use metrics. SaaS Security Challenges. Just as a cyber insurance policy requires organizations to ensure its vendors maintain minimum required security … The vast majority of cloud computing and Software as a Service (SaaS) vendors are essentially offering client facing, web based services, be it multi-tenancy, an architecture in which a single instance of a software application serves multiple customers, to multi-instance architectures, where separate … As a practical matter, you should ask a SaaS provider to identify which firm does their penetration testing, and how they incorporate the results into their product development cycle. 
Here's how to hold them to a high standard for security. SaaS Vendor benefits. Even though SaaS providers as a group have an admirable track record against in-house solutions, most buyers feel a bit queasy when they cannot reach out and touch their own servers, or wring the neck of their very own IT guy when there's a problem. 4. Telco grade facilities are characterized by having diesel-generated back-up power, multiple independent connections to the Internet, 24-hour staffing and their own secure physical security perimeter. 5. The checklist for evaluating SaaS vendors should include both the bank’s existing requirements based on company-wide practices, and SaaS-specific security requirements as well.