10 ways to manage your risk with Web applications

Web apps continue to grow in popularity, but companies have legitimate concerns about security and reliability. Here are some ways to address potential risks and make sure you choose the right vendor.


Web-based software and services have proven to be a trend with staying power. Combine flexibility, relatively low maintenance and fees, and rich functionality and it's easy to add up the benefits. Software as a service (SaaS), in particular, is playing out pretty well in today's economy, according to IDC, which predicts the sector will see a 36 to 40 percent growth in 2009.

Yet many organizations, especially at the enterprise level, worry about offloading corporate data to a third-party vendor. Will security risks increase? What happens when reliability begins to suffer? How can they access critical data/systems during an outage? These are valid questions, but many experts actually think that your data is safest with a credible third party whose business in effect is (or should be) managing the security and reliability of data across many customers. After all, if a vendor screws up, it will lose revenue, customers, and market share in a heartbeat.

Still, due diligence is imperative for any SaaS implementation. Here are 10 risk management factors to consider when offering Web-based software to your employees.


1: Identify a low-penalty area of the business to serve as your first SaaS project

The first time you enter an arrangement with a vendor to host software and data for you, avoid outsourcing a highly visible area of your business. If HR is not strategic to profits, that might be one place to start. Save the high-stakes CRM project for later, when you have learned a few best practices.

2: Assess your risk

Before you can come up with metrics and other requirements for vendors, you need to determine exactly which business and IT priorities apply to the data/system you want to outsource and what the fallout of any breach or data loss would be. How do your internal requirements for encryption, network security, privacy, disaster recovery, auditing, and monitoring align with the services provided by the vendors under consideration?

3: Choose vendors carefully

No duh, you say. Yet in this case, it may mean selecting vendors with a long track record of providing Web-based software and services. You may have to pay more for established vendors, but doing so will likely lower your risk. "We use only brand name, well-vetted services," says Josh Chernin, GM with Web Industries, a midsize manufacturing services provider. "We let someone else do the thinking (and risk) ahead of us. Currently, we are using Salesforce and Sharepoint."

4: Do a deep dive on your SaaS vendor's security infrastructure and approach

It's not out of the question to request a third-party audit of the company's security systems and policies. What security certifications does it hold? Is the company compliant with any relevant industry regulations, such as PCI DSS for credit card transactions? Gary Chen, an analyst with IDC, recommends the following checklist to start:

  • How and where data encryption is used (for instance, on backups as well?)
  • The quality of the network defenses in the data center
  • How authentication and secure connections are handled
  • The use of data loss protection (DLP) technology
  • The question of multi-tenancy, since you'll be sharing computing resources with other customers

5: Ask how your vendor handles disaster recovery

What protections will you have from your vendor in case of an outage due to system failure or natural disaster? Will you have offline access to the data? You can, for instance, ask your vendor if there's a way to periodically store data into an on-premise system just for that purpose.
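An on-premises copy is only useful in an outage if it is current and intact, so it is worth checking each delivered export rather than assuming it landed correctly. The following is an added example, not code from the article or from any vendor it mentions: it assumes a hypothetical arrangement in which the vendor delivers an export file together with a manifest stating the file's SHA-256 digest and export time, and it flags a copy that is corrupt, stale relative to a chosen maximum age, or timestamped in the future (a sign of clock problems). The sample export bytes and timestamps are constructed for illustration.

```python
"""Verify a periodic on-premises export of SaaS data before relying on it.

Added example for this article; the manifest format, file names and the
allowed export age are assumptions, not any real vendor's interface.
"""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the export contents, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def check_export(export_bytes: bytes, manifest_digest: str,
                 exported_at: datetime, now: datetime,
                 max_age: timedelta):
    """Return (ok, problems) for one delivered export.

    ok is True only when the digest matches the manifest and the export
    was produced within max_age of now (and not in the future).
    """
    problems = []

    # Integrity: the file must match what the manifest says was produced.
    if sha256_hex(export_bytes) != manifest_digest.strip().lower():
        problems.append("digest mismatch: export is incomplete, corrupt or altered")

    # Freshness: a copy older than the agreed window will not cover recent work.
    age = now - exported_at
    if age < timedelta(0):
        problems.append("export timestamp is in the future: check clock sync")
    elif age > max_age:
        problems.append(f"export is stale: {age} old, limit is {max_age}")

    return (not problems, problems)


# Constructed sample: a tiny export and the manifest values that would
# accompany it (digest computed here so the sample is self-consistent).
SAMPLE_EXPORT = b"id,account,balance\n1,acme,100\n2,globex,250\n"
SAMPLE_MANIFEST_DIGEST = sha256_hex(SAMPLE_EXPORT)
SAMPLE_EXPORTED_AT = datetime(2009, 6, 1, 2, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(hours=24)


def run_sample_checks():
    """Exercise the checker on a good copy, a stale copy and a corrupt copy."""
    good = check_export(SAMPLE_EXPORT, SAMPLE_MANIFEST_DIGEST, SAMPLE_EXPORTED_AT,
                        SAMPLE_EXPORTED_AT + timedelta(hours=6), MAX_AGE)
    stale = check_export(SAMPLE_EXPORT, SAMPLE_MANIFEST_DIGEST, SAMPLE_EXPORTED_AT,
                         SAMPLE_EXPORTED_AT + timedelta(days=3), MAX_AGE)
    corrupt = check_export(SAMPLE_EXPORT[:-5], SAMPLE_MANIFEST_DIGEST, SAMPLE_EXPORTED_AT,
                           SAMPLE_EXPORTED_AT + timedelta(hours=6), MAX_AGE)
    return {"good": good, "stale": stale, "corrupt": corrupt}


if __name__ == "__main__":
    for name, (ok, problems) in run_sample_checks().items():
        print(name, "OK" if ok else "FAIL", problems)
```

Run this after each delivery (for instance from the job that fetches the export) and treat any failure as an incident to raise with the vendor while the service is still up, not during the outage the copy is meant to cover.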

6: Get it in writing

Involve business and IT colleagues, client references of the vendor, your legal department, and whoever else might be helpful to ensure that you have an airtight contract. The document should cover not only financial terms but also included services, performance metrics, and reliability and security provisions. How much uptime do you need, and what does the vendor agree to do if it misses that target? This could come in the form of fees, credits, or other creative paybacks.

7: Get chummy with your vendors

It goes without saying that you want a collegial, not an adversarial, relationship with your SaaS vendor. After all, they're there to help your business grow and be more flexible, so think of them as a strategic business partner. Meet frequently to go over the metrics and to discuss how to improve the experience for your employees and for external customers who may interface with the system. Now that you have freed up the time of internal IT staff members who used to work on implementations and maintenance, dedicate at least one individual to managing this critical relationship.

8: Look out for new monitoring tools

Many businesses, as they grow in size, install system monitoring tools that keep an ever-present eye on networks, PCs, and applications for any abnormalities such as viruses, inappropriate access, or performance lags. Increasingly, such tools will include scanners that can also test Web applications for vulnerabilities. "This will be a huge area of growth in IT," says Anton Chuvakin, a security blogger and director of PCI Compliance Solutions at Qualys.

9: Consider the help of a security consultant

Unless security is an area of expertise in your group, an outside consultant can help make sure that you are asking all the right questions and not overlooking any important technical details. For instance, Fred Kreitzberg, an information security consultant in Seattle, suggests asking questions such as whether your vendor can support your e-discovery requirements and how authentication is handled.

10: Devise a PR and response strategy

Regardless of how vigilant you are in selecting and managing vendors, there is always the chance that a security breach or data loss will happen anyway. Rest assured: The media and angry customers will be coming to you, not your vendors. Put together a plan stating which employees will be on your response team and what actions should occur in what order. Make sure you have a capable media relations expert on hand to handle media inquiries responsibly and cordially. Avoid the tendency to withhold information: Customers and other stakeholders will want answers, and fast.