
Ensuring Success with SaaS

  • Writer: Edmund Johnson
  • Jan 10, 2021
  • 4 min read

One of the things that has changed the most in the last few years is the introduction of SaaS solutions. What is a SaaS solution? A SaaS solution is a system that is completely managed by a vendor who is responsible for the updates, maintenance, and security of an application hosted outside of your company. The concept is awesome. And according to the SaaS sales rep, all you really need to do is swipe a card and your organization will be instantly productive. This creates the perception that you can skip all the standard processes you would follow for any other new application.


To be truthful, there are some SaaS solutions that have use cases that are really that simple. Other solutions have more complex use cases and requirements. For example, tools like Salesforce, Coupa, Workday, and ServiceNow require additional analysis. Security, support procedures, and SLAs all have to be addressed. And if you want it to talk to other systems, there is even more work.


During one of my projects, I had a program manager get frustrated with me about asking all these questions. She asked if I had a complete list of questions that she could prep the vendor with. I apologetically said no and started compiling a list to help with this project and future projects. After extensive reviews with corporate information security and all the different development teams, it was ratified as an enterprise standard. Everyone had a list of questions that they could use to ensure the solution was a fit.


The questions were not meant as a rigid structure for approving a specific solution, but to facilitate a discussion of the benefits and consequences of picking one. No solution was ever perfect, but it was important that everyone understood the deficiencies of the solution they were choosing. The list of questions was divided into 7 parts covering the lifecycle stages of a SaaS solution.


During Product Selection, I was looking for key questions to be answered around authentication and authorization. Does the product support SSO and multi-factor authentication? How are users provisioned in the system (and, just as important, deprovisioned)? How does it meet the security standards of the company? And does it have a way to integrate with applications outside of the solution?


After product selection, the next stage is Contracting. During this phase, the questions focus on what the vendor is providing and the expected quality of service. There should be questions around service level agreements and how problems get escalated and resolved. Questions around backups and disaster recovery should also be asked. And of course, it is important to make sure the contract includes non-production (test) environments for testing upgrades, new configurations, and integrations.


As the project moves into Planning and Design, the following must be considered:

· Data protection of PII, both in production and in test environments (test data refreshed from production carries the same PII as production)

· Methodology around integrations

· How emails are sent and from what domain

· Method to provision and deprovision users

· Integration with security infrastructure like SSO, CASB, and logging

· Environment in which training will be done


In the Configuration phase, the main concern is that the development environment matches production as closely as possible. This means things like SSO need to be enabled, along with all the other security controls expected in production. By taking these steps while configuring in a non-production environment, the team minimizes the differences between production and test and reduces the number of surprises during deployment.


During Deployment, the focus is to establish a formal process to migrate between environments. This formal process includes source control of the configuration files, a backup/rollback procedure, and an install process. If possible, I like to make sure that there is some automated testing to ensure that the deployment was successful. Deployment processes need to be planned out and practiced before the first deployment. Establishing this process at the beginning is painful but the benefit of the process will be seen on every future release.
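The two phases above come down to one concrete check: before a tenant is declared deployed (or before a test environment is used for anything real), verify that its security settings match the production baseline. The script below is an added example, not code from the original post or from any vendor; the setting names, the baseline values, and the "test tenant" it checks are all constructed for illustration, since every SaaS product exposes these controls under its own names and API.

```python
"""Post-deployment check: does a SaaS tenant's security configuration match
the baseline we expect in production?  Added example with constructed data;
the setting names below are assumptions, not any specific vendor's API."""
from typing import Any, Dict, List

# Constructed baseline. A plain value means "must equal"; a tuple is a rule:
#   ("<=", n)  -> value must be at most n
#   ("in", s)  -> value must be one of s
BASELINE: Dict[str, Any] = {
    "sso_enforced": True,            # every login goes through the IdP
    "mfa_required": True,            # MFA even for the break-glass admin
    "password_login_enabled": False, # no local passwords that bypass SSO
    "audit_logging_enabled": True,   # needed for the Run-stage log reviews
    "session_timeout_minutes": ("<=", 30),
    "email_sender_domain": ("in", {"example.com"}),  # assumed corporate domain
}


def _violates(actual: Any, rule: Any) -> bool:
    """True when a single setting breaks its baseline rule."""
    if isinstance(rule, tuple):
        op, bound = rule
        if op == "<=":
            return not actual <= bound
        if op == "in":
            return actual not in bound
        raise ValueError(f"unknown rule operator {op!r}")
    return actual != rule


def compare_settings(actual: Dict[str, Any],
                     baseline: Dict[str, Any] = BASELINE) -> List[str]:
    """Return one finding per deviation from the baseline.

    A setting that is missing entirely is reported too: a control that was
    never configured is at least as dangerous as one configured wrong.
    """
    findings: List[str] = []
    for key, rule in baseline.items():
        if key not in actual:
            findings.append(f"{key}: not configured (baseline {rule!r})")
        elif _violates(actual[key], rule):
            findings.append(f"{key}: is {actual[key]!r}, baseline {rule!r}")
    return findings


def deployment_ok(actual: Dict[str, Any],
                  baseline: Dict[str, Any] = BASELINE) -> bool:
    """Gate for the deployment pipeline: True only with zero findings."""
    return not compare_settings(actual, baseline)


# Constructed test tenant showing the drift the post warns about: SSO never
# turned on, local passwords still allowed, sender domain never set.
TEST_TENANT: Dict[str, Any] = {
    "sso_enforced": False,
    "mfa_required": True,
    "password_login_enabled": True,
    "audit_logging_enabled": True,
    "session_timeout_minutes": 30,
}

if __name__ == "__main__":
    for finding in compare_settings(TEST_TENANT):
        print("DRIFT:", finding)
    print("deployment ok:", deployment_ok(TEST_TENANT))
```

Run this against the tenant's exported settings as the last step of the install process; a non-empty findings list should fail the deployment and trigger the rollback procedure rather than be fixed by hand afterwards.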


Once it is deployed in production, the SaaS solution is at the Run stage. There are critical steps that need to take place to maintain the solution. For example, one common need is to refresh the test environments with configuration and data from production (which brings the PII questions from Planning and Design back into play). Checking the logs on a routine basis is also critical for maintaining the availability and security of the application. Another important item is holding regular meetings with the SaaS provider to get updates on the product and to advocate for new features. The one item that is most commonly forgotten is planning to test upgrades. With SaaS solutions, you don't get to choose when upgrades happen, and some level of testing should always occur with each upgrade. Plan ahead to make sure resources are available based on the product's release schedule.
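"Checking the logs on a routine basis" is easier to keep up when the check is scripted. The review below is an added example, not part of the original post: it reads a constructed JSON-lines audit log in an assumed format (real vendors' exports use their own field names) and flags exactly the things the earlier phases were meant to prevent: logins that bypassed SSO, successful logins without MFA, logins by accounts that should already have been deprovisioned, and repeated failures that look like password guessing.

```python
"""Routine review of a SaaS audit log export.  Added example; the log lines,
field names and offboarded-user list are constructed for illustration."""
import json
from collections import Counter
from typing import Dict, List, Set

# Constructed sample export: one JSON object per line (assumed format).
SAMPLE_LOG = """\
{"ts": "2021-01-08T09:01:00Z", "user": "alice@example.com", "event": "login", "auth": "saml", "mfa": true, "result": "success"}
{"ts": "2021-01-08T09:05:00Z", "user": "bob@example.com", "event": "login", "auth": "password", "mfa": false, "result": "success"}
{"ts": "2021-01-08T09:07:00Z", "user": "carol@example.com", "event": "login", "auth": "password", "mfa": false, "result": "failure"}
{"ts": "2021-01-08T09:08:00Z", "user": "carol@example.com", "event": "login", "auth": "password", "mfa": false, "result": "failure"}
{"ts": "2021-01-08T09:09:00Z", "user": "carol@example.com", "event": "login", "auth": "password", "mfa": false, "result": "failure"}
{"ts": "2021-01-08T10:00:00Z", "user": "dave@example.com", "event": "login", "auth": "saml", "mfa": true, "result": "success"}
{"ts": "2021-01-08T10:30:00Z", "user": "alice@example.com", "event": "export", "auth": "saml", "mfa": true, "result": "success"}
"""

# Constructed: accounts HR has already offboarded. With provisioning wired to
# the IdP these logins should be impossible; if one shows up, deprovisioning
# is broken somewhere.
OFFBOARDED: Set[str] = {"dave@example.com"}

FAILED_LOGIN_THRESHOLD = 3   # failures per user before we call it guessing


def parse_log(text: str) -> List[Dict]:
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(records: List[Dict],
           offboarded: Set[str] = OFFBOARDED,
           threshold: int = FAILED_LOGIN_THRESHOLD) -> List[str]:
    """Return one finding per suspicious login pattern in the export."""
    findings: List[str] = []
    failures: Counter = Counter()
    for rec in records:
        if rec.get("event") != "login":
            continue                      # only authentication events here
        user = rec["user"]
        if rec.get("result") == "success":
            # A successful login that did not come through the IdP means a
            # local password path is still open (or SSO was never enforced).
            if rec.get("auth") != "saml":
                findings.append(
                    f"{user}: successful login bypassing SSO (auth={rec.get('auth')})")
            if not rec.get("mfa", False):
                findings.append(f"{user}: successful login without MFA")
            if user in offboarded:
                findings.append(f"{user}: login by an offboarded account")
        else:
            failures[user] += 1
    for user, count in failures.items():
        if count >= threshold:
            findings.append(
                f"{user}: {count} failed logins (possible password guessing)")
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print("FINDING:", finding)
```

The same four checks are what a CASB or SIEM integration (from the Planning and Design list) would run continuously; the script is the fallback for products whose logs only arrive as a periodic export.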


The final stage of a SaaS solution is Decommissioning. One of the benefits of a SaaS solution is that it is pay as you go, which means you can terminate the contract when you are done with the application. Make sure SSO is turned off so users cannot accidentally log into the system. Get copies of all data that might be needed for regulatory, operational, or analytics purposes. And most important, ensure that the vendor deletes all corporate data and confirms it in writing.


For my old company, this was just a subset of the questions we used when looking at a SaaS solution. Expect the list to be pretty long. However, not every solution requires answers to every question. SaaS solutions vary a lot in complexity. For instance, a simple application like a survey tool requires very few of these questions to be answered. A tool like Workday or Salesforce requires every question and a few more. And there are applications in the middle, like Slack or Office 365, that require something in between. The key is to tailor the questions to fit the complexity and the risk exposure of the solution.


SaaS solutions have a ton of benefits. They free IT of the hassles of managing an application. Business leaders can be empowered to manage aspects of the solution. I highly encourage the use of SaaS solutions. However, SaaS solutions still require due diligence to ensure that the product will meet the expectations of the entire company (business, IT, and security). Regardless of who purchases the solution, the analysis needs to get done by someone. And the best way to support them is to create an enterprise list to ensure the analysis gets done consistently.



©2021 by Edmund Johnson. Proudly created with Wix.com
