SaaS – Your Data Availability & Compliance

Posted on February 26, 2024

The following is a synopsis of an interview with CSO Magazine, who were looking for insights into data availability and compliance issues related to SaaS applications.

Organizations using SaaS products can face a number of issues, including those connected to data availability. What should organizations do to avoid issues related to data availability?

Organizations should understand and negotiate SLAs that match their operational requirements (be realistic about what the business needs, not just what the budget allows); implement independent data backup and recovery strategies so that a copy of the data exists outside the provider's control; ensure redundancy and failover plans are in place; mitigate vendor lock-in through data portability; regularly monitor service performance against the agreed SLAs; comply with industry standards and seek audit rights; enforce strong access controls and security policies; and prepare contingency plans, including disaster recovery and business continuity.

What are the security implications of failing to ensure proper availability of data?

Failing to ensure availability can significantly impact an organization, leading to data breaches, loss of data integrity, and compliance violations. It can disrupt operations, cause financial and reputational damage, increase recovery costs, and create strategic disadvantages.

Are there also compliance issues around the ability to protect data and privacy, or sovereignty issues?

These are crucial dimensions for organizations using SaaS applications, governed by laws such as GDPR and CCPA. These laws mandate strict data handling and protection measures to ensure individuals' privacy rights. Data sovereignty laws require data to be stored and processed within specific jurisdictions, which complicates international transfers. Organizations face real challenges in navigating these regulations, requiring technical measures, vendor compliance checks and regular audits to ensure adherence. Strategies include privacy by design, employee training, and data protection impact assessments to maintain compliance. Staying current with compliance is one of the fastest growing challenges, because regulation is becoming so dynamic. NCC is due to launch a service to help organizations keep ahead of this regulatory challenge.

Is there an anecdote you can share when it comes to data availability and compliance issues in relation to SaaS applications?

Two anonymized examples, one from an impact perspective and one from a regulatory perspective:

Healthcare example – After transitioning to a SaaS platform for patient records, a healthcare organization was faced with unexpected downtime caused by a provider update, which blocked access to patient records and raised HIPAA compliance issues. An emergency during the outage revealed the risk of operating without vital information. This led them to enhance contingency planning, enforce stricter SLAs and ensure vendor compliance with healthcare regulations. The incident emphasized the importance of balancing the advantages of SaaS with the need for diligent oversight of data availability and regulatory compliance.

Banking example – Financial institutions are required by regulators to demonstrate continuity and resilience of their services. This has been an interesting space for SaaS, which can offer considerable benefits to financial organizations, especially the new challenger banks. The issue is that many SaaS providers do not have the track record or commercial strength of traditional banking software vendors. The solution that has become the go-to is SaaS software escrow. This allows banks to enter into tripartite contractual agreements whereby SaaS vendors are obliged to hold versions of their applications in escrow. If the SaaS vendor goes bust or is compromised, the bank has the right to deploy a copy of that SaaS solution for its own business continuity purposes. This does require the SaaS provider's solution to be mature enough, and compliant with the cloud platform vendor's architecture, to be backed up in a way that the snapshots can easily be redeployed to a new cloud tenant. In practice the escrow is only as good as its last verification, so the deposited snapshot should be periodically test-redeployed to confirm it still works.

Should enterprises reconsider the trustworthiness of SaaS applications?

This is critical: they should assess SaaS applications' trustworthiness by balancing benefits against the data security, privacy, and compliance risks already outlined. A cautious approach involves thorough vetting of providers for security and compliance, regular application assessments, risk management, and ensuring data sovereignty. Security practices, including encryption and audits, along with clear SLAs, employee training, and vendor management, are crucial. This strategy enables organizations to leverage SaaS advantages while minimizing risks, without inherently distrusting these solutions.

Is there SaaS contract language that should raise red flags? What should organizations pay attention to?

This is a subject with considerable depth, but at an outline level, watch for vague SLAs, limited liability clauses, ambiguous data ownership, automatic renewals, strict termination policies, unclear compliance standards, data handling concerns, subcontractor policies, unfavorable dispute resolution terms and the right to make unilateral changes to services or terms. Ensure contracts clearly state data ownership, specify compliance with regulations, and detail data protection measures. Always negotiate terms, seek legal advice, and understand exit strategies to protect your interests and minimize risks.

What role should security play in the procurement process for SaaS solutions because of these concerns?

Security is a key factor in SaaS procurement, ensuring vendors meet high standards for data protection and compliance. This involves checking for organizational compliance such as recognized security certifications (e.g., ISO 27001, SOC 2), encryption practices, and adherence to regulations (e.g., GDPR, HIPAA). Assess vendors' policies on data handling, incident response, data regionalization and privacy. Evaluate SLAs for availability and security metrics, scrutinize the vendor's security culture and practices, including third-party audits, and confirm features such as multi-factor authentication and data recovery. Regular (ideally continuous) security assessments, including penetration testing, should ensure ongoing compliance, safeguarding data and minimizing risk. For high-risk SaaS solutions, vendors may be subjected to a red teaming exercise to test robustness.

Are there other implications for security you would like to add?

Beyond the direct implications already discussed, integrating security into SaaS procurement closes a common back door for cloud shadow IT, where business units with corporate credit cards fund "credit card cloud" services outside conventional procurement processes. This strengthens supply chain security, ensures regulatory compliance, enhances adaptability to cyber threats and supports business continuity. It also builds customer trust, protects the brand and offers a competitive edge. This approach not only mitigates the risk of data breaches but also positions security as a strategic asset for organizational success, covering aspects from compliance and threat resilience to reputation management and competitive differentiation.