As more companies move to cloud-based solutions like SaaS (software as a service), regulators and auditors are also sharpening their requirements. "What we are seeing is an increased number of our corporate clients asking us for our own IT audits, which they, in turn, insert into their enterprise audit papers that they show auditors and regulators," said one SaaS manager.
This places more pressure on SaaS providers, which still do not consistently perform audits, and often will admit that when they do, it is usually at the request of a prospect before the prospect signs with them.
Should enterprise IT and its regulators be concerned? The answer is fast changing to "yes."
This means that now is the time for SaaS providers to get their governance in order.
Here are five questions that SaaS providers can soon expect to hear from clients and prospects:
#1 Can you provide me with an IT security audit?
Clients and prospects will want to know what your physical facility and IT security audit results have been, in addition to the kinds of security measures that you employ on a day to day basis. They will expect that your security measures are best-in-class, and that you also have data on internal and external penetration testing.
#2 What are your data practices?
How often do you back up data? Where do you store it? If you are using multi-tenant systems on a single server, how can a client be assured that its data (and systems) remain segregated from the systems and data of others that are also running on the same server? Can a client authorize its own security permissions for its data, down to the level of a single individual within the company or at a business partner's?
#3 How will you protect my intellectual property?
You will get clients that will want to develop custom applications or reports for their business alone. In some cases, the client might even develop it on your cloud. In other cases, the client might retain your services to develop a specification defined by the client into a finished application. The question is this: whose property does the custom application become, and who has the right to distribute it?
One SaaS provider takes the position that all custom reports it delivers (even if individual clients pay for their development) belong to the provider—and that the provider is free to repurpose the reports for others. Another SaaS provider obtains up-front funding from the client for a custom application, and then reimburses the client for the initial funding as the provider sells the solution to other clients. In both cases, the intellectual property rights are lost to the client—but there are some clients that won't accept these conditions.
If you are a SaaS provider, it's important to understand the industry verticals you serve and how individuals in these industry verticals feel about intellectual property.
#4 What are your standards of performance?
I know of only one SaaS provider that actually penalizes itself in the form of "credits" toward the next month's bill it if the provider fails to meet an uptime SLA (service level agreement). The majority of SaaS companies I have spoken with have internal SLAs—but they don't issue them to their customers. As risk management assumes a larger role in IT governance, corporate IT managers are going to start asking their SaaS partners for SLAs with "teeth" in them that include financial penalties.
#5 What kind of disaster recovery and business continuation plan do you have?The recent spate of global natural disasters has nearly every company and their regulators and auditors focused on DR and BC. They will expect their SaaS providers to do the same. SaaS providers that own and control their own data centers are in a strong position. SaaS providers that contract with third-party data centers (where the end client has no direct relationship with the third-party data center) are riskier. For instance, whose liability is it if the third-party data center fails? Do you as a SaaS provider indemnify your end clients? It's an important question to know the answer to—because your clients are going to be asking it.
Mary E. Shacklett is president of Transworld Data, a technology research and market development firm. Prior to founding the company, Mary was Senior Vice President of Marketing and Technology at TCCU, Inc., a financial services firm; Vice President of Product Research and Software Development for Summit Information Systems, a computer software company; and Vice President of Strategic Planning and Technology at FSI International, a multinational manufacturing company in the semiconductor industry. Mary is a keynote speaker and has more than 1,000 articles, research studies, and technology publications in print.