A Google search of “top cloud-based SaaS vendors” pulls in a whopping 14,300,000 results including a variety of aggregated vendor lists. I know that conducting an RFP process is always tough, but for CIOs needing to invest in a cloud-based solution there’s a lot on the line. Of course security is the topic du jour, but how do you vet a vendor’s security history and policies, and what else should you address above and beyond security?
The following reference guide covers a variety of questions CIOs should ask before hiring a cloud-based Software-as-a-Service vendor.
BUSINESS VIABILITY QUESTIONS
These questions get to the competency of a company and will help ensure you’re not dealing with guys working out of their garage. It’s important to confirm that any potential partner of yours will not only continue to exist but also protect you against any loss of data.
- Who are your top three customers?
- What are your sales?
- Are you profitable?
- How many customers do you have currently?
- How many full-time employees do you have?
- Do you have the right kind of business liability insurance?
THE MILLION TERABYTE QUESTION
Once you feel confident the SaaS vendor is a viable candidate, it’s time to talk security. The first security-related question any CIO should ask a potential Cloud SaaS partner is:
Have you been hacked?
If the answer is yes, you’ll want to understand how they handled the incident. Ask them:
- How did you respond to the breach?
- What was the timing of your response?
- How and when did you alert customers?
- Have you conducted a third-party audit since the attack?
- Did you fix all areas of vulnerability found by the audit? If not, why?
- Have you revisited your security approach?
- What have you done to prevent another hack?
If an audit has been conducted, you are within your rights to ask for a copy of it. If the results don’t reveal any other customers’ secrets, and the vendor owns the report, they should have no problem providing it (expect to sign an NDA first; that is normal, whereas a flat refusal is a warning sign). Look at the scope of what was investigated, what the attackers were able to access versus not access, what was ruled as the root cause of the breach, and verify that a follow-up audit was conducted to validate that the issues found were actually fixed.
If the answer is no, find out:
- How would you identify if you were hacked?
- What would you do next if you were hacked?
- How do you limit access to sensitive infrastructure secrets, such as TLS/SSL private keys and passwords, within your company?
- How do you grant that access when it is needed and revoke it when it is not (for example, when an employee leaves)?
- Can you remotely wipe a lost or compromised device?
The questions above reveal whether the vendor has thought through worst-case scenarios. They indicate whether automatic detection triggers are in place, and they show how much importance the vendor places on security-driven capabilities.
NETWORK SECURITY POLICY QUESTIONS
Yes, security is important, but how important is it to your line of business? The answer will vary by vertical. If you’re in a high-risk industry such as finance or media and entertainment, you’ll need a deeper understanding of a vendor’s security policies. These questions shed light on the vendor’s technical and human processes and everything network related. They also cover external threats, the scope of the vendor’s access to your content, and whether the vendor operates its own data center or runs its application on infrastructure hosted in someone else’s.
What are your IT policies for internal software and support teams? For example:
- Password policies
- Screensaver policies
- USB policies
- WiFi policies
- What are your server backup policies?
- How many total people would have access to my content, and what are their roles?
- How often do you conduct an audit?
- Is anti-virus software installed on every Windows client and server?
- Do you use infrastructure monitoring solutions to check against a baseline and alert you to changes?
- Describe your software development lifecycle.
- Do you have automatic code security analysis software in place?
If your company deals with valuable content you’ll want to conduct your own audit of the vendor’s network and operations to confirm it’s as hardened as your risk tolerance requires. No network is impenetrable; what you are checking is that the vendor’s controls match the value of what you are entrusting to them.
PRODUCT ROADMAP QUESTIONS
You may think these are questions best asked once you’ve already engaged a SaaS provider, but I encourage you to cover these three topics during the RFP process:
- What is your product roadmap?
- What is the product management process?
- How do we (the customer) influence the process?
Uncovering the answers to these questions before you hire a vendor lets you see what the vendor is building and where they’re headed. The responses will point out future use cases and problems they may solve. Finally, you’ll be able to identify any patterns between what the vendor is doing internally or what challenges they are looking to address and how all of that fits with your company’s future.
There are plenty of other questions to ask a potential SaaS vendor, but starting with these categories will allow you to weed out the proverbial wheat from the chaff.
Jason Shah, a “Flyer” since 2010, is responsible for cutting-edge product development and engineering for the enterprise software company. His duties include overseeing all elements of product development, platform and integration engineering, platform security, customer delivery, and product marketing.