There are many advantages to Software-as-a-Service (SaaS), also called cloud-based software products. As a customer, you get access to fast, stable, innovative and cost-efficient technology and application infrastructure. Many organizations acknowledge these benefits, which is why SaaS has become the preferred delivery model in many areas. But as we all know, there is usually also a flipside to the coin that needs to be considered.
TL;DR: With SaaS solutions, data security responsibility is shared between vendor and customer, making it critical to evaluate a provider's security practices before signing up. Unlike on-premise setups where you control everything, cloud-based software means your sensitive financial data lives in your vendor's infrastructure, so due diligence on their security posture is essential.
When it comes to SaaS, data security might easily be that flipside, and therefore it’s a very important factor to investigate.
The question is: “Have you done thorough preparatory work when it comes to evaluating your SaaS providers’ approach to data security?”
Most of you are probably already aware of what cloud and on-premise stand for, respectively. But in order to further set the scene, I’ll briefly outline the differences between the two delivery models. In a cloud-based approach, software and data are provided off-site. On the contrary, when we talk on-premise, the whole setup of hardware and servers needed to run applications and store data is housed by yourself, hence the name, on-premise. The main advantage of the cloud approach is that it’s more flexible and cost-efficient. As a business, you don’t need to invest in the hardware or software that’s needed to run applications. Also, you don’t need to worry about maintenance and updates of the respective software products. However, you sacrifice the ability to stay in full control of the approach to data security.
When we’re talking SaaS, you and your vendor share the responsibility for data security – the vendor takes care of everything related to the underlying infrastructure, and you’re responsible for proper, secure and safe usage of the product.
The question is: “Can you trust that your SaaS provider is serious about his part of the job?”
I’ve got 3 tips lined up for you when it comes to security and SaaS solutions. They’re relevant if you’re looking for new software and are out analyzing the market, but also if you’re considering auditing your existing providers. By the way, that’s a good thing to do from time to time.
All right, here we go:
The first tip is, in my opinion, the most important. It’s about trust.
The supply of SaaS-based solutions is massive. You’ve got plenty of options. As an example, within our area of expertise, Expense Management and solutions for managing travel expenses, there are many options to choose from nowadays. The fact is that a large part of the responsibility for data security lies with the software vendor, so you need to be careful when you choose who to work with.
You’ll need to look for vendors who offer solid control over user rights and data access in the solution, and it’s also a plus if the vendor can offer data encryption. It’s also important that you ask where and how data is stored. Is data kept domestically, in the EU, outside the EU, or in a basement somewhere? What characterizes the server setup and the security around it?
You’ll also need to check how the backup and data retrieval process works.
Also remember that it isn’t without cost for a SaaS provider to establish and maintain a strong security setup with well-documented processes. Therefore, I’ll advise you to think twice before you choose the cheapest solution on your shortlist: it can end up as an expensive affair in the long run!
The second tip is related to your part of the job; in other words, it’s about the appropriate, safe use of the SaaS products. You’ll have to formulate and implement a clear policy and ruleset for the usage of cloud-based software.
Ideally, this policy should address both the users and the decision makers who buy software. It’ll have to be a ruleset that defines which employees will be granted access to the respective tools, and what access levels the various employees should be granted. It must also specify how the products can be accessed, i.e. through which devices.
A policy like this should also be linked to the way your business educates employees in correct behavior related to the use of internet-based software solutions. For example, how do the employees best protect themselves, their identities, usernames and passwords?
The third tip: perhaps you’re already using SaaS products from multiple respected vendors with strong security measures. But at the same time, perhaps your application landscape has become so complex that it now makes sense to invest in your own security layer.
This tip obviously comes in close connection with tip number 2, because there are solutions in the market that’ll help you manage your part of the security task. However, it’s a good idea to have the framework of rules and policies in place (according to tip number 2) before you begin to look for a tool that’ll help you enforce them. Security breaches can happen in a lot of different ways, for example through inappropriate sharing of data, theft (like employees stealing data), compromised user accounts due to weak passwords, excessive user permissions, etc. These are the kinds of breaches that you’ll need to deal with.
The point is that when you implement rules for the usage of your organization’s cloud-based tools, you’ll also need to make sure that your employees comply with the rules. This can be a challenge if the landscape has grown large and complex. There are quite a few solutions out there to assist you with this, and for a start, you can check out what some of the big players, like McAfee and RSI, have on offer.
As I touched upon earlier in this blog post, you and your vendor have a shared responsibility for data security when it comes to SaaS solutions. In my opinion, this is important to remember, and that’s where I’m going with these 3 tips. So, no matter how careful your own organization might be about SaaS security, it has no impact if you’ve chosen a vendor who isn’t up to his part of the task. And the other way around, of course.
My business, Acubiz, is a well-established supplier of cloud-based software for managing employee expenses and travel expenses. We’re serious about our part of the job related to data security. Very serious indeed. It’s an important component in our product strategy, because we believe that a strong data security setup protects the investment our customers have made in our service.
Remember, you’re allowed to place demands on your vendors. That’s how it should be in a relationship of trust.
The question is: “Do you trust your current SaaS vendors?”
Frequently Asked Questions
Who is responsible for data security when using a SaaS solution?
With SaaS, security responsibility is split. The vendor is responsible for the underlying infrastructure, servers, and platform security. The customer is responsible for how the software is used: access controls, user management, and secure operational practices. Understanding this division is critical before selecting any cloud-based software.
What is the difference between cloud-based and on-premise software for data security?
On-premise software means your company owns and controls all hardware, servers, and data storage. Cloud-based software is hosted by the vendor, giving you less direct control over security but more flexibility and lower infrastructure costs. The trade-off is that you must trust your vendor to protect the infrastructure on your behalf.
What should you check when evaluating a SaaS vendor's data security?
Key areas to investigate include their security certifications, data storage locations, encryption standards, incident response procedures, and track record. You should also review their data processing agreements and confirm they comply with relevant regulations such as GDPR.
Are cloud-based finance solutions actually secure for sensitive company data?
Reputable SaaS vendors invest heavily in security because it is core to their business. The question is not whether cloud is inherently less secure than on-premise, but whether your specific vendor takes their security responsibilities seriously. Asking the right questions and verifying certifications is the way to find out.