
Your Security Obligations Using SaaS Apps

Many small business owners I talk to believe that if they put their data in the Cloud, that absolves them of their cybersecurity obligations for that data. They reason that since they no longer control their data, the responsibility falls on, say, a Software as a Service (SaaS) provider.

That is only partially true.

You will have certain obligations for securing your data. Beyond securing your internal network to access your data and software in the SaaS provider's cloud, you will probably have to configure the SaaS app itself. From a security standpoint, that means configuring settings within the software such as Least Privilege, Complex Passwords, and Multi-factor Authentication.
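The three settings named above are the ones a small business most often leaves at vendor defaults. The script below is an added example, not code from this post or from any SaaS vendor: it reads a constructed, vendor-neutral export of a tenant's settings (the field names are an assumption; a real admin console exports something product-specific) and reports which of the three controls still need attention. The thresholds (12-character minimum, one admin account) are assumptions you would replace with your own policy values.

```python
"""Baseline check of a SaaS tenant's security settings (added example).

Evaluates a tenant settings export against the three controls the post
names: least privilege, complex passwords, and multi-factor authentication.
The export format, thresholds and sample data are all constructed here.
"""
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 12   # assumption: adjust to your written password policy
MAX_ADMIN_ACCOUNTS = 1     # assumption: one owner/break-glass admin, everyone else a normal user

# Constructed sample exports (hypothetical field names, example.com addresses).
SAMPLE_TENANT = {
    "password_policy": {"min_length": 8, "require_mixed_case": True, "require_number": False},
    "mfa": {"enforced_for": "admins"},   # assumed values: "none" | "admins" | "all"
    "users": [
        {"email": "owner@example.com", "roles": ["admin"]},
        {"email": "bookkeeper@example.com", "roles": ["admin"]},
        {"email": "sales@example.com", "roles": ["user"]},
    ],
}

HARDENED_TENANT = {
    "password_policy": {"min_length": 14, "require_mixed_case": True,
                        "require_number": True, "require_symbol": True},
    "mfa": {"enforced_for": "all"},
    "users": [
        {"email": "owner@example.com", "roles": ["admin"]},
        {"email": "sales@example.com", "roles": ["user"]},
    ],
}


@dataclass(frozen=True)
class Finding:
    control: str   # which of the three controls is not met
    detail: str    # what to change in the SaaS admin console


def check_password_policy(policy: dict) -> list[Finding]:
    """Flag a short minimum length and any complexity rule that is switched off."""
    findings = []
    length = policy.get("min_length", 0)
    if length < MIN_PASSWORD_LENGTH:
        findings.append(Finding("complex_passwords",
                                f"min_length is {length}; raise to {MIN_PASSWORD_LENGTH}"))
    for flag in ("require_mixed_case", "require_number", "require_symbol"):
        if not policy.get(flag, False):
            findings.append(Finding("complex_passwords", f"{flag} is off; turn it on"))
    return findings


def check_mfa(mfa: dict) -> list[Finding]:
    """MFA must cover every account, not just administrators."""
    scope = mfa.get("enforced_for", "none")
    if scope != "all":
        return [Finding("mfa", f"MFA enforced for '{scope}'; enforce it for all accounts")]
    return []


def check_least_privilege(users: list[dict]) -> list[Finding]:
    """Flag excess admin accounts and accounts with no role assigned."""
    findings = []
    admins = [u["email"] for u in users if "admin" in u.get("roles", [])]
    if len(admins) > MAX_ADMIN_ACCOUNTS:
        findings.append(Finding("least_privilege",
                                f"{len(admins)} admin accounts ({', '.join(admins)}); "
                                f"limit is {MAX_ADMIN_ACCOUNTS}"))
    for u in users:
        if not u.get("roles"):
            findings.append(Finding("least_privilege",
                                    f"{u['email']} has no role; disable it or assign a minimal role"))
    return findings


def assess_tenant(tenant: dict) -> list[Finding]:
    """Run all three checks and return the combined list of findings."""
    return (check_password_policy(tenant.get("password_policy", {}))
            + check_mfa(tenant.get("mfa", {}))
            + check_least_privilege(tenant.get("users", [])))


if __name__ == "__main__":
    for name, tenant in (("sample", SAMPLE_TENANT), ("hardened", HARDENED_TENANT)):
        findings = assess_tenant(tenant)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.control}] {f.detail}")
```

Running it lists five findings for the sample tenant (short minimum length, two complexity rules off, MFA only for admins, two admin accounts) and none for the hardened one. The point of writing the check down is that it turns "configure the app securely" into something you can re-run after every vendor update or staff change, rather than a one-time setup task.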

Exactly what security measures will be your responsibility and those of the SaaS provider will be in the Agreement(s) you sign. Be sure your company can handle those obligations. If not, you'll need to upgrade your capabilities or negotiate changes in the agreements.

You must also define data breach reporting requirements. Who will be responsible for reporting breaches to YOUR customers and what will be the timeframe for reporting them?

At the least, you want to be notified within the local, state and/or federal timeframes you might be subject to. If your jurisdiction requires reporting breaches within 72 hours of discovery, you want the agreement to state that the SaaS provider must report breaches to you within 72 hours. Note: Be aware of international data regulations if you do business in countries outside the U.S.

Then, you need to establish who reports the breaches to your customers -- you or the provider. You will also want to determine who reports breaches to law enforcement agencies you might be required to report to.

Your Acceptable Use, Remote Access and Security policies must still be enforced as well, since transferring your data to the Cloud still requires maintaining a secure in-house network to access it.

In essence, you should be responsible for securing what you control, while your SaaS provider takes responsibility for what it controls.

So, don't gloss over the security responsibilities in your agreement. That's a key component in choosing a SaaS provider.

For help selecting your next SaaS solution or other products or services with a Vendor Risk Assessment, contact me at 302-537-4198, ericm@edminfopro.com or on our Contact form.

You can also request an online meeting.