List of Security and Operational Questions to Ask A SaaS Provider Before Signing Up

How to evaluate SaaS Provider?

After you have decided that to adopt cloud computing for your business, the next step is to look for a cloud services provider, and like many companies, you will be looking for a SaaS Provider. These days you hear a lot about SaaS applications. SaaS stands for Software as a Service. Every company uses SaaS right now for something or the other, and the numbers are growing every day.

That being said, moving from on-premise software to SaaS can be a very confusing process. To top it all, vendor evaluations can be a challenging task as well as the fundamentals of SaaS are different. How can you ensure that your SaaS provider is taking care of your security, operations, and providing you with the best possible service? It is crucial to ask the right questions to your SaaS provider to gather information. That is the key to selecting the right solution from the right vendor.

What security and operational questions should you ask a SaaS provider before choosing them?

1. How will you handle the onboarding and offboarding of my users?

When you hire employees in your company, a part of the onboarding process involves giving them access to the necessary apps. Offboarding involves closing their access to these apps when they leave the company. If the SaaS provider’s answer includes any hint of manual work or sending them .csv files at regular intervals, then that is a big no. That is because it adds added cost and can increase risks.

The right follow-up question over here will be asking your SaaS provider if they are providing support for provisioning protocol like SCIM (System for Cross-domain Identity Management)? SCIM allows automation and identity information provisioning across cloud applications, thereby making your onboarding and offboarding processes much easier.

In case, the SaaS provider does not provide SCIM support, ask them if they provide a user management API, which enables you to automate management. Suppose their answer to this involves a CSV file, that gives you reason enough to cross that SaaS provider off your list.

2. Do you provide SSO and associated security?

SSO means single sign-on. In short, it is an authentication mechanism in which a user can log in with the same ID and password to many related, yet independent software systems. Why is this necessary? There have been enough technological and cybersecurity advancements that have helped reduce the need for separate credentials for each service.

Many vendors do not provide you with an SSO, and most charge additional money for enabling it. The latter is fair since it is their service. But why is having an SSO necessary apart from the obvious user experience reason? Security. Having an SSO puts you in control. It enables you to enforce your policies like multi-factor authentication and conditional access across all the applications. Furthermore, not having SSO increases operations costs. If they are not providing you with SSO, cross them off the list or ask them when they will provide it and make it a part of the contract.

3. If you are not providing SSO, how are the passwords stored and protected?

If you are still leaning towards the SaaS provider even though they do not provide SSO, you might want to ask them how they store and protect passwords before coming to a decision. With SSO, you manage your security, but with local accounts and passwords, you do not. You must know details of how your account details are stored and protected.

4. What are the protection mechanisms you have employed in your data centers?

You do not want to compromise on your security or data in any way in a data breach. Ask your SaaS provider on details of the mechanisms and techniques they use to secure their data centers. An excellent answer to this question must include:

a) A secure, SAS70-certified Tier 4 data center.

b) Firewalls.

c) Intrusion detection systems.

d) SSL and application security.

e) 24×7 security monitoring.

f) Third-party certifications for security practices.

5. What are the various compliance standards you follow?

Ensuring that your SaaS provider follows different compliance standards just tells you how serious they are about security and improving it. Make sure your SaaS provider follows standards like GDPR, PCI, APRA, and so on. 

6. How do you help us in terms of support and how good is it?

Support is essential for any kind of service provider, ever. Often, the support of a provider is not that great, so it is essential to ask questions. Make sure you have flexible support options like self-service, phone, email, Twitter, etc. Ask them what are their support team’s timings, are they 24×7 or only during business hours? It does not matter if those timings match your business needs. Questions also need to be asked on whether the SaaS provider is providing you with auditing and diagnostic logs from your user tenants. You do not always want to be running to support for every little thing.

It is a must that the SaaS provider should provide you with security audit logs that show you the user login and activities. If they do not provide this, cross them off your list immediately.

Make sure that your SLA also includes things like sending unlimited tickets to support at no additional cost. 

Finally, find out about the support team, their training, and qualifications. You do not want yourself to be dealing with a mediocre support team to add to your problems.

7. How do you ensure high performance and continuity in availability?

The more specific questions to ask here would be about their uptime/availability statistics and how they protect their services from disasters (earthquake, fire, etc.).

A good SaaS provider should have a 99.5% uptime. Make sure your SaaS provider has backup servers so that there is no disruption in your work in case their hardware fails, or a disaster (earthquake, tsunami, etc.) happens. Finally, make sure you get a refund if your SLA is not met. 

8. How often do you upgrade your application?

You want to be with a SaaS solution that has the latest technologies and security patches. Ask your SaaS provider how frequently they roll out updates in their enhancement cycles. Make sure to ask them how disruptive these updates can be for your work, just in case. And lastly, you are going to work with a SaaS “provider.” They need to take care of your feedback too. Ask them how they incorporate customer feedback and how it gets integrated into their product’s roadmap.

9. How intuitive and user-friendly is your SaaS solution?

SaaS providers are, in the end, salesmen. They will tell you tall tales about how their SaaS solution is good and so on. Rule number 1; ask for a demo and test it yourself. If possible, ask your vendor for a free trial. The point here is you want a SaaS solution that is easy to use and requires minimal training.

10.  What happens to my data if I chose to stop taking your services?

Two questions can be asked over here.

a) Will you export my data if I switch providers or if you close your business?

The point here is you own your data. Your SLA should make this part crystal-clear. The last thing you want is your SaaS provider holding you hostage if you chose to stop taking their services. Furthermore, you will want to quickly recover your data if the SaaS vendor goes out of business.

b) What happens to my data when I delete it from your app?

Here is the tricky part. Some providers do not delete your data immediately. Some companies store data indefinitely on their servers, while others erase the data once you delete it on your end. If privacy concerns you on this subject, ask them and find out how often they delete the data on their servers or do they even delete it?

The SaaS provider should guarantee that they will not share or sell your data to a third-party in your agreement. Furthermore, you (or your authorized representatives only) will have full access to viewing and transferring data and downloading it in a wide array of formats.

11.  How flexible is your contract, and what additional costs will I incur, if at all?

Your contract should not just benefit the vendor; it must benefit you too. Ask the SaaS provider about their subscription mechanism and if you can pay as you go. Find out any discounts you may be eligible for in cases of long-term commitments and make sure you can cancel service any time without any penalties or additional costs.

12.  Can I speak to any of your previous clients?

Asking an existing user will give you more confidence to make your final decision in choosing a SaaS provider. Ask the other clients how satisfied they are with the services and in what aspects they are dissatisfied with.

13.  Have you ever had a security breach?

This is very important and tells you a lot about your SaaS provider. Ask them about breaches that the vendor has experienced to get insight into its security levels.

This also gives you the means to find out what the vendor did to rectify it and the measures it has taken to prevent similar events from happening again. Research into it yourself and find out the facts to cross-check what they said. If their answer shows transparency and honesty, I think you may have found your SaaS provider.