Feelling Secure with Software as a Service

Are you considering a move from on-premises software to an application delivered as an online service? It’s a decision many companies are making—and for good reason.

“Software as a service” (SaaS) solutions help you add new capabilities to your operations more quickly and cost effectively—reducing the time it takes for you to go live and realize business benefits. SaaS also eliminates a lot of headaches. Your service provider takes on responsibility for multilevel security, solution availability, around-the-clock monitoring, disaster recovery strategies, feature upgrades and other important tasks that can absorb a lot of time and resources.

But finding the right SaaS provider is critical and can make a real difference in how your SaaS application performs. To help you make a seamless, safe and productive move to an online, cloud-based service, use these questions to guide your decision making.

Sign up to receive Analyst Reports, Webinars & more Procure-to-Pay Content

1. How will my data be protected?

Most companies considering a move to SaaS have one overriding concern – and that’s the security of their new application and data. Many are surprised to discover, though, that with the right provider, a SaaS application and the data it manages may prove to be even more secure than a premisesbased solution. That’s especially true when you consider how complex and costly security is to address on your own.

Salaries for top security specialists are now approaching $400,000 a year in major metropolitan areas, thanks to soaring demand. As a result, many firms simply aren’t investing in the skills they need to assure they are protected end-to-end. A recent survey conducted by Information Systems Security Professionals and ESG shows that organizations are operating with critical talent gaps in application security, analysis, investigation skills – and more.

But top SaaS providers have a laser-like focus on security. They invest in it as a priority and consider it a major differentiator for their business. It is crucial, though, to ask lots of questions to ensure that the provider you choose is best in class and has the skilled resources and tools to keep your information secure.

What security measures protect the data center the provider will use to power your application and data? How will users be authenticated before they can access your application and your data? What measures will be taken to protect sensitive information during storage and transmission? Will the provider’s systems be monitored around the clock to detect attempts at security breaches? Are the provider’s security practices audited by an independent third party?

Here are a few of the many types of protections you should insist on:

• SSAE 16/ISAE compliance

• ISO 27001 and 27002 certification

• Multiple layers of defensive controls

— Next-generation firewalls with device filtering capabilities

— Intrusion detection systems that monitor for malicious activity and violations of security policies and protocols

— Transport-layer security (TLS) encryption

— Application-level security

— Database-level security

— Network-level security

— 24×7 security monitoring

• Rigorous, industry-standard user access controls

• Frequent patches and updates to protect against newly discovered vulnerabilities and emerging threats

• Regular audits by accredited third parties

• Continual investments in security-related initiatives

Moving to the Cloud Is a Worldwide Business Trend

“Cloud services are definitely shaking up the industry,” said Sid Nag, research vice president at Gartner. “At Gartner, we know of no vendor or service provider today whose business model offerings and revenue growth are not influenced by the increasing adoption of cloud-first strategies in organizations. What we see now is only the beginning, though. Through 2022, Gartner projects the market size and growth of the cloud services industry at nearly three time the growth of overall IT services.”

— Gartner, April 2019

2. What quality of service assurances does the provider offer?

Even the best new SaaS application will be worthless if it isn’t available when you need it. So evaluate SaaS providers based on the performance and availability of their solutions and the service-level guarantees they provide.

The best providers will be able to demonstrate documented uptime of at least 99.5 percent. They will host your application at a Tier 3 or Tier 4 data center with redundant components and redundant connectivity options. Their infrastructure will be designed from the ground up for seamless failover, with geographic separation among sites in the event of a natural disaster or other service-interrupting event that impacts an entire region. They also will continually monitor performance so potential problems can be identified and addressed before they escalate.

But verbal assurances aren’t enough. Insist on a service-level agreement (SLA) that details your expectations. Here are a few of the parameters you will want to ensure your SLA covers:

• The minimum level of uptime the provider guarantees

• How performance will be monitored

• Security standards that must be maintained

• Expected response times

• Where and how your data will be stored

• How often backups will be performed

• Guaranteed response times when you submit a trouble ticket

• Service escalation paths

• Compliance with industry-specific mandates important to your business, such as HIPAA or FedRAMP

• Confirmation that your data can never be sold to a third party and that you can get it back on demand

• The right to audit the service provider’s compliance with the terms of the SLA

3. Is the service available globally in the countries where I do business?

Do you have shared services centers or other operations in key markets around the globe? If so, you need a SaaS solution that is global as well. Make certain your provider’s capabilities align with your precise needs and that members of your team have the same secure access, availability and response times, wherever they are based.

4. What type of support does the service provider offer?

“Support” can mean almost anything, so probe to make certain you understand precisely what your SaaS vendor provides. What skills and certifications does the provider’s service team have? Are experts on call and accessible 24/7? Are selfservice tools available, including a readily accessible and comprehensive knowledge base? How easy—or hard—is it to submit a trouble ticket? What response times can you expect once you do?

5. How often are new features and upgrades introduced?

Does your SaaS provider practice agile software development? Will you benefit from rapid delivery of incremental updates and new features that help you perform at optimal levels? Or will you have to wait a year or more for new releases? Make certain your provider takes steps to keep you current and informed of where the solution is headed. Here are a few questions you to ask:

• Are updates made dynamically while systems are running so they can be incorporated without service disruption or downtime?

• How many times annually are updates introduced?

• How many of those updates include new features?

• Does the service provider publish a solution roadmap?

• Is there a way for you to suggest future enhancements that would benefit your business?

The Great Debate: Single Tenant or Multitenant

The SaaS environment your service provider offers will either be a single tenant architecture used by your business alone, or a multitenant architecture that you share with others. There is a great debate within the industry about which is best.

For many businesses, a multitenant SaaS solution can deliver significant benefits – as long as your corporate data is kept separate and is carefully protected. A multitenant solution can be faster and less expensive to scale, and you likely will benefit from significantly lower fees.

Other companies, though, prefer a single tenant solution with a private architecture devoted just to them. Since you have your own software instance, a single-tenant SaaS solution can be readily customized to accommodate your operations.

Ultimately either approach can be a smart choice if it aligns with your company’s priorities.

6. Will the SaaS application work seamlessly with on-premises systems?

More than likely, you will want your new SaaS application to interoperate with your ERP platform or other premises-based applications and/or databases. But you don’t want to get wrapped up in costly and time-consuming integration projects. Ask your provider whether the SaaS application you are considering is based on open standards and uses application programming interfaces (APIs) that make it easy to establish connectivity with your existing systems.

Make the Right Moves

When you are armed with the right questions and have selected the right partner, you will be ready to make a seamless transition to software as a service and realize all the business benefits it can deliver. You will be free from the headaches that come with owning and managing your own infrastructure and can turn your attention to strategic issues that benefit your business and its bottom line.

To Find Out More

If you would like to know more about best practices-based software that can reduce your risk of duplicate payments, contact apexanalytix at +1 800-284-4522.

About the Author

Walt Kristick, Senior VP of Applied & Advanced Technology and Partnerships, provides leadership of our Archimedes Center of Excellence team which provides predictive analytics, robotic process automation and cognitive services in support of apexanalytix clients, operations and software solutions. He also spearheads our Partnerships & Alliances efforts to expand our market presence and to introduce complimentary products and services that increase value for our clients.

Walt has a wide-ranging background in data management and analysis, infrastructure management, private and commercial application software development, business process reengineering and IT strategy. Walt joined apexanalytix from iQor, where he was Senior VP of Technology. Prior to iQor, Walt served as CIO at Receivables Management Services and as a Managing Director at Marsh. He was also an Advisory Consultant at several technology consulting firms. Walt holds a B.S. in business administration from Boston University and Master’s from Pennsylvania State University.

Ready to roar?

Fill out our contact form and we will be in touch shortly to discuss how we can help.