Do you use Slack, Gmail, Microsoft Teams, Zoom, or similar tools in your organization? If the answer is yes, you’re using Software-as-a-Service, or SaaS. SaaS tools can be an incredible way to boost the productivity of your workforce while removing many of the administrative and maintenance headaches associated with self-hosting software. But just because they’re easy to use doesn’t mean they are free of security and privacy risks: you are handing your data, and often your identity provider integration, to a third party and trusting their controls in place of your own.
One of the most common questions we receive from our partners is, “We’re looking to invest in a new SaaS tool to support our work. Can you help us evaluate the security of the new tools we’re looking into?” In this scenario, the partners usually have a short list of SaaS tools they are evaluating from a business operations perspective — ensuring that the tools are a good fit in terms of capabilities, integrations, and price. But what most of our partners lack is the methodology and background to fully consider security and privacy as evaluation factors.
You ultimately want to be sure you can trust that the company providing the SaaS tool will keep up their end of the bargain to protect your organization’s staff, data, vendors, and customers. Therefore, we wanted to share our security and privacy evaluation criteria with the community to help you support decision-making around using SaaS tools at your organization.
Step 1: What Certifications Does The Service Have?
Cyber security certifications are a good first set of criteria to help you compare SaaS applications. These certifications assure that an organization is meeting foundational requirements that are a part of that certification. SaaS vendors typically have a page on their website dedicated to their certifications (here’s an example of Slack’s certification page), so do a little searching for the vendor’s certification pages on your evaluation list. If you can’t find proof of a vendor's certification, consider asking the vendor if they can provide you with a copy of the certification attestation. Some companies opt to limit access to these certification attestations, so always ask if you don’t see anything online.
Please also remember that certifications often paint the security practices of a SaaS vendor in broad strokes, so a certification alone does not mean that your data is necessarily secure. Therefore, using other criteria we’ve described in this how-to is vital to evaluate your options further.
Here’s a short list of certifications and attestations that you should be looking for (many vendors will have these two and more):
The first is SOC 2. Strictly speaking, SOC 2 is not a certification but an attestation report issued by an independent CPA firm after auditing the vendor’s controls against the AICPA Trust Services Criteria. It has five categories for evaluation: security (which every SOC 2 report must cover), plus availability, processing integrity, confidentiality, and privacy, which the vendor chooses to include or not. A SOC 2 report comes in two main flavors:
- SOC 2, Type I: Evaluates whether the company’s controls are suitably designed to meet the criteria, as of a single point in time
- SOC 2, Type II: Evaluates whether those controls actually operated effectively over a review period, typically six to twelve months
Ideally, the SaaS vendors you are evaluating have a SOC 2, Type II report, which requires the vendor to prove they are walking the walk (instead of just talking the talk). When you get a copy (usually under NDA), read the scope section and the auditor’s list of exceptions rather than just the cover page: a clean report that only covers the vendor’s corporate IT, or that excludes the product you plan to buy, tells you little about your data.
The next certification we’ll cover is ISO/IEC 27001, which specifies the requirements for an information security management system (ISMS). Becoming certified requires a SaaS vendor to document its security policies, procedures, and controls and to prove to an accredited certification body that these elements are implemented and maintained to protect the organization from threats. As with SOC 2, check the scope statement on the certificate (which locations, systems, and services it covers) and confirm the certificate is current, since ISO 27001 certificates run on a three-year cycle with annual surveillance audits.
Step 2: What Publicly-Facing Security & Privacy Documentation Does The Service Have?
Continuing with our Slack example, use your Google skills to locate the security and privacy pages for each SaaS vendor. Then carefully read these pages for each vendor and compare how their security and privacy practices stack up. Here are some evaluation criteria to help sort through the information:
- How transparent is the vendor when describing their security and privacy practices?
- Is the language easy to understand, or is it buried in legal jargon that obscures what they actually do?
- How do they describe how they store and process their customers’ data? Look for specifics: encryption in transit and at rest, where the data is hosted, which subprocessors (cloud providers and other third parties) can access it, how long it is retained, and how deletion works when you leave.
- What security measures do they have in place, and do they describe how you will be notified if those measures fail (i.e., their breach notification commitments)?
Step 3: What Is The Service’s Security & Privacy Reputation?
You probably wouldn’t want to do business with a vendor known for defrauding its customers. Most people would presumably also avoid a vendor with a reputation for being lax about security and privacy.
It’s not always so simple, however. Data breaches, unfortunately, happen even to the most secure of companies. Many major SaaS vendors have found themselves in the news over being hacked, or over a simple mistake that led to devastating security consequences. The critical thing is deciphering the impact on customers and evaluating the company’s follow-on actions and attitude about the breach.
Take Uber, for instance. They got themselves in hot water after being hacked in 2016, not so much for the breach itself as for concealing it from regulators rather than disclosing it. As of September 2022, the former security chief who oversaw Uber’s response to that incident was on trial over the cover-up, while Uber was dealing with another significant breach attributed to an alleged teenage hacker.
Returning to our Slack example, a quick search for “Slack security breach” or “Slack hack” should give you a good idea of what public security incidents a vendor has experienced in recent years. For vendors that have experienced breaches, search for the vendor’s own resources about the breach (status page updates, blog posts, customer notifications) to evaluate how they handled the attack. Being forthcoming, transparent, and candid about the hack and the remedial actions they took is a good sign. Being evasive, downplaying, or hiding information is not. Additionally, reference sources like Ars Technica, The Hacker News, and The Register for more details on the vendor’s data breaches and what the vendor did to respond to the attack.
Step 4: What Customer-Focused Security Features Are Available?
So far, we’ve covered three topics about the vendor’s own security posture, but let’s turn our attention to what security features SaaS vendors put in their customers’ hands. First, check the vendor’s documentation to see if there are customer-facing security features and settings you can take advantage of to secure your organization’s information more thoroughly. Here’s a list of documentation from four top SaaS vendors that describes what security features they offer and how to implement them:
- Slack: “Security Tips To Protect Your Workspace”
- Google Workspace: “Security Checklist for Small Business (1-100 Users)”
- Microsoft M365: “Top 10 Ways To Secure Your Data - Best Practices for Small and Medium-Sized businesses”
- Salesforce: “Security Health Check”
Compare and contrast these types of pages for the SaaS tools you are evaluating to see which offers more (or more standard) security features. Of particular note, confirm that the vendors provide multi-factor authentication (MFA), and check whether an administrator can enforce it for every user rather than merely offer it as an opt-in; phishing-resistant methods such as security keys (FIDO2/WebAuthn) are preferable to SMS codes. Ideally, each vendor would also offer single sign-on (SSO) through a standard protocol (SAML or OpenID Connect) to make the login experience easier and more secure for users, along with automated user provisioning and deprovisioning (SCIM) so that departing staff lose access the moment they are removed from your identity provider. Finally, look for audit logs you can export, granular admin roles, and controls over data sharing and retention. Be aware that some vendors reserve SSO, audit logging, or enforced MFA for their higher pricing tiers, so factor that into the price comparison rather than discovering it after purchase.
Thanks for reading our how-to on selecting a new SaaS service based on security and privacy criteria. We hope this enables your organization to make a more security-driven decision when evaluating new SaaS applications. If you have questions, please reach out to us on our website.
CEO & Co-Founder, RipRap Security
I'm the Co-Founder of RipRap Security, a cyber security consulting company. RipRap Security was founded to bring cyber security expertise to small and medium-sized organizations that make communities of all varieties a better place. My co-founder, Garrett Miller, and I are former US Government cyber operations professionals who spent two decades preventing and responding to cyber-attacks affecting agencies that citizens depend on.