Thursday, December 4, 2008

SaaS, Security, Privacy and Compliance

If the enterprise is the target market for your SaaS offering, it is highly likely you will need to deal with issues surrounding security, privacy and compliance. These issues will likely need to be addressed during the sales process and again during implementation.

All three of these items are typically lumped together, but in fact they are three different issues, so let's try to untangle them.

Security is typically related to, well, security. Seems obvious, right? In most instances this refers to mitigations against attack vectors that would put data at risk. The last part of that sentence is the crucial phrase. Clients, especially enterprise clients, take on some level of risk by passing data to and/or hosting data at a third party. This can be a significant barrier to adoption of SaaS technologies for many enterprise organizations.

Enterprise clients are looking to ensure that proper mitigation is in place for attack vectors related to an organization's infrastructure as well as the software itself. There will likely be some sort of Q & A, which can be an informal conversation or a formal artifact. Typically the questions can be broken out into physical and logical security. The physical security questions will likely focus on access to machines, data centers, etc. The logical security questions will likely focus on things such as protection for the edge of your network, controls between tiers, data segmentation between clients, cross-site scripting, SQL injection, etc.

Privacy is a different matter entirely. There is obviously a connection: data that is stolen is clearly no longer private, but data obtained through a breach is a security matter more than a privacy matter. Issues of privacy primarily relate to applications that handle some flavor of end-user data (HR, CRM, web 2.0 applications, anything related to health care, etc.) as well as how backups are handled. Clients/prospects are likely to ask what compensating controls are in place to ensure that an end user can control how their data is used, how end users are informed about how their data is used, and what mechanisms are in place to enforce those data control/access policies.

Compliance can be broken down into two distinct sets of compliance questions. The first relates to any and all regulatory oversight a client may be subject to, and which therefore any vendor must comply with (the usual suspects include HIPAA, SOX, GLB, etc.).

The second category of compliance may be focused specifically on your organization. This may include such things as employee screening and training, as well as internal controls and policies. There are some specific certifications an organization can seek in order to provide some assurance to prospects and clients; SAS 70 is one such certification. However, these types of certifications can be costly and time consuming for a small or medium SaaS organization.

As organizations become more educated about the benefits of going with a SaaS solution, the market grows; however, that education comes with a price. Organizations are also coming to understand the risks associated with SaaS solutions. If your organization is focused on the enterprise space, you should be prepared to address each of these issues.
