Risks with SaaS
By acknowledging that there are risks with SaaS which must be considered and accounted for as part of any IT program, managers must
realize that SaaS concept is not necessarily any riskier than an in-house software implementation, although the technology does present special situations that should be addressed. By recognizing and dealing with the risks with SaaS up front, SaaS clients can implement successful and safe cloud-based solutions using SaaS vendors with good track records. Here we describe just a few of the top risks that accompany the adoption of SaaS.
Image Credit: Wikimedia Commons/Sam Johnston
Risk #1 Regulatory Risks
Companies that are subject to the Sarbanes Oxley rules must be careful that adequate controls are in place by SaaS vendors to satisfy regulatory requirements. Failure to do so can leave a company open to fines, lawsuits, and other penalties that can result.
Combating the regulatory risks usually involves getting a SAS 70 Type I or Type II audit report. A type I report documents the security practices of an SaaS provider that are intended to safeguard corporate data. The Type II actually tests the controls that are in place by SaaS companies.
A SAS 70 audit report that documents adequate security practices on the part of an SaaS company can usually satisfy reporting requirements under Sarbanes Oxley.
Risks #3-5: Data Access Risks
Because corporate software and data are stored and managed by a third party, risks with SaaS may involve unauthorized access and dissemination of data by unauthorized people or devices. Policies and procedures should be implemented by any SaaS customer that define the conditions that might require vendor access to company data and how that data will be managed.
The multi-tenant model used by SaaS providers may also create data access risks. As noted by the Open Web Application Security Project (OWASP), corporate data may become compromised among SaaS clients, presenting a situation much more difficult to identify and resolve than data access issues that are limited to the client, vendor relationship.
Another aspect of SaaS data security may involve the approach a company takes toward data collection and storage. For example a company may collect some information just because there is a place for it on a software screen. Companies should evaluate what data is actually necessary for them to accomplish their mission. Keeping data such as customer social security numbers and other private, identifiable information when it is not needed leaves the door open for unwarranted risk.
Risks #6: Operational Reliability
With SaaS, users are at the mercy of their service provider. This means that risks with SaaS can involve inadequate uptime performance, service degradation during vendor maintenance, inadequate disaster recovery capabilities, software quality issues and security procedures, all of which should be addressed during contract negotiations.
Risk #7: Vendor Viability
SaaS customers should not overlook one of the most significant risks with SaaS—service provider viability. SaaS customers depend on the existence of their providers for virtually every routine business operation, meaning that if an SaaS company is financially volatile or encounters civil or criminal legal complications, all that company's customers can potentially go down the drain.
While operational reliability issues can usually be addressed through contractual agreement, the effects of a failed SaaS partner are more difficult to mitigate. Many companies seek to create an escrow agreement that allows the customer to store backups of their software and data to guard against the danger of service provider failure.
The only problem with an escrow agreement is the downtime an SaaS customer faces while scrambling to put the servers and other infrastructure in place necessary to operate their software.
Perhaps the best way to deal with the SaaS provider survivability issue is to thoroughly investigate the provider's legal and financial standing prior to signing a deal.
Risk #8-9: Professional and Business Competence
When setting sail with an SaaS provider, a business depends on that company just as much as it would its own IT staff, only the customer has little control over the staff employed by SaaS vendors and the policies and procedure that are in place governing the business.
The ability of the SaaS company to adequately create and support their products can become a serious liability to any SaaS customer. Additionally, companies with incompetent customer service, billing, and technical support personnel can leave their customers severely handicapped in their daily operations.
Risk #10: Legal Risks
When implementing SaaS, the legal risks should be fully understood and addressed. For example, jurisdictional control over data transmitted across state lines or international boundaries must be understood. Similarly, when an SaaS client is found liable for damages resulting from the unavailability of corporate data, the compromise of client information, the dissemination of malware, etc., the degree of that liability can be passed on to the service provider should be clearly understood.
Risks with SaaS
Many of the risks with SaaS are similar to the risks companies faced with in house IT services, especially in scenarios where data passes outside the control of the corporate network. The bottom line is that with the proper contracts, policies, controls, and procedures in place, the risks that are associated with SaaS are easily managed.
"Cloud-10 Risks with SaaS", https://www.owasp.org/index.php/Cloud-10_Risks_with_SaaS