Question: What’s one important security question I should ask a potential SaaS vendor?
Do You Store Credit Card Information On Your Server?
"You want to make sure that your credit card details aren't being stored on the SaaS vendor's server in addition to their credit card processor's server. The card processing companies have proper security, and while not 100 percent safe (as evidenced by recent hacks), they are more secure than most vendor's servers. There is no reason they should be storing card details in addition to the merchant."
Do you have Two-Factor Authentication?
"In this day and age, a password cannot be the only protection a SaaS vendor gives you to protect access to your application. A security aware SaaS vendor will offer you the option to have two-factor authentication to access your application. That can be like the Google Authenticator integration you have with Amazon or an SMS code sent to your phone when you try to log in."
Who Owns This Data if We Stop Using You as a Vendor?
"While it should be a given with all SaaS vendors that you as a client own the data, how valuable will that data be should you have to terminate this SaaS relationship? Inquire as to what it takes by cost, time and mechanism to access the data before you terminate your relationship with a SaaS provider. This ensures you have a firm understanding of what the end of the business relationship will be."
Is Your Platform Externally Audited?
"There are a number of external certifications that cloud vendors and other hosting providers can use: ISO 27001, SSAE 16 and PCI DSS certification are common examples. You can ask a vendor any security question you want, but the only real way to know you're getting a honest response is if they have been audited by a trusted third party."
Are you PCI-Level 1 compliant?
"I'm amazed at how often major (sometimes public) companies let their guard down in working with SaaS commerce and payments companies that are processing personally identifiable information (PII) and financial information for their end-user customers. PCI-Level 1 compliance is a rigorous process to ensure that sensitive information is treated with the utmost care."
How Do You Prevent Breaches, and How Do You React to Them?
"Ask a potential vendor about the timing and details of its recovery procedure. If there is a breach in the system or some other issue that puts your data at risk, you need to know how the vendor will keep your data secure, recover any lost data and how much time it will take to restore service."
Have You Ever Had a Security Breach?
"Asking them to detail you on their history of security breaches will give you a good indication of their security. This also gives the vendor an opportunity to explain any corrective measure they have taken to ensure breaches do not occur in the future."
Can You Tell Me About Your Company's Physical Security?
"Encryption and data security are important, but you also want to know about the vendor's physical security at their office and server location, and how often they're audited. Follow up by asking what prevents an insider at the firm from downloading all your data onto a USB stick and walking away. Physical security often gets overlooked, which is why it's a key weakness of many SaaS firms."
Does Your Company Have a Dedicated Security Team?
"Before working with a new SaaS vendor, it's important to look into what kind of security personnel they have on hand. Although it is not required for the vendor to have a full security department or a large security staff, it is good to know what kind of staff are available for any questions and emergencies that may come up."
Do You Provide Transport Layer Security (TLS)?
"With data leaks at an all time high, SSL isn't providing the same level of security it once was. SaaS providers need to ensure their users' data is secure, and that they minimize the risk of their -- or their customers' -- information becoming compromised."