A cloud application provider should be able to offer security and data privacy that are at least as strong as what its customers can achieve on their own, and at no additional cost. Processes and policies should encompass physical, network, application, and data-level security, as well as full backup and disaster recovery. The provider should be compliant with security-oriented laws and auditing programs, including the SOC 1 Report on Controls over Financial Reporting (SSAE 16, formerly known as SAS 70 Type II) and the SOC 2 Report on Controls over Security, Availability, Processing Integrity, Confidentiality, and Privacy; both are developed and administered by the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA) for use by practitioners in the performance of trust services engagements.
Reputable SaaS providers are proving that SaaS can be done at least as securely as most enterprise implementations, and in some cases more securely. For example, at Locus, direct access to the database is limited to a select set of people on Locus’ operations staff. A typical on-premises ERP implementation would grant this access to a much wider group, creating a security challenge. SaaS providers must take a holistic approach to security, ranging from technical safeguards such as encryption to understanding data privacy laws and compliance, and must build those safeguards into every product and process.
Locus has adopted the following SOC 2 principles and related criteria:
- Security. The system is protected against unauthorized access (both physical and logical).
- Availability. The system is available for operation and use as committed to or agreed upon.
- Processing integrity. System processing is complete, accurate, timely, and authorized.
- Confidentiality. Information designated as confidential is protected as committed to or agreed upon.
- Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.
It should be the responsibility of CIOs to conduct due diligence on SaaS providers. Go in and see what they’re doing around data security and privacy.
No one should enter a relationship without thoroughly vetting the provider’s capabilities. Providers that won’t allow you a thorough examination, claiming all kinds of reasons, are the ones to avoid.