The Importance of Data Security in the Modern World of SaaS
Last month we announced our successful completion of the Service Organization Control (SOC) 2 Type 2 audit, earning the company SOC 2 Type 2 certification - a certification developed by the American Institute of Certified Public Accountants (AICPA) that evaluates and reports on the effectiveness of a service organization's data security controls relevant to the safe handling of customer data. While we have always employed best-in-class security and data protection, the AICPA SOC 2 Type 2 certification is independent validation that assures customers that we have implemented processes that are effective in protecting all data managed in the cloud, implemented vendor management programs, and established corporate governance and risk management procedures. We sat down with Robert Hocking, Director of Site Reliability Engineering at Centage, who is responsible for Quality Assurance and DevOps as well as the recent SOC 2 Type 2 certification process, and asked him about the importance of data security and the processes, controls and safeguards that technology organizations - especially SaaS organizations - need to adopt today, and why.
Why is data security and compliance important for SaaS companies?
Both security and compliance for SaaS organizations like ours are critically important. For one, they give us independent feedback and validation that our policies and procedures are working at keeping our customers' data safe. It also shows our customers and potential customers that we have the security and compliance in place so they can be comfortable and fully confident that we will be able to protect their most sensitive data. It shows us where holes exist, giving us a chance to shore up our practices.
What does it mean for customers who buy technology products and services - particularly SaaS products?
These accreditations give our customers peace of mind in that an independent third party has validated the policies and procedures we have in place to ensure that their data is safe and secure.
What are the industry best practices when it comes to data security?
There are many best practices when it comes to data security, as you can imagine. Here are several of the most critical ones that we follow here at Centage:
- Keep everything patched and updated all the time. This means your systems will be less vulnerable to bad actors.
- Encrypt everything, everywhere. By encrypting everything you lower your risk of sensitive data leaking if a breach occurs.
- Enable a model of "least privilege" access. This model gives access to your systems to those who absolutely need it. For example, contrary to popular belief, not everyone needs access to production systems. Only grant access to those who have a business need for it, and revoke their access once their work is done.
- Log everything. It’s important to log all activities (like password reset requests, user access attempts) and then check those logs frequently for abnormalities. An abnormality may be multiple user access attempts coming from a certain IP or geographical region - which could signal a security issue.
- Keep up to date on emerging threats. It's also important to stay on top of emerging technology threats like the SolarWinds breach. To do this, subscribe to CISA alerts through the National Cyber Awareness System, continually engage with your peers, and read technical resources; basically, arm yourself with all the knowledge you can. The internet can be a scary place if you're uninformed.
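The "log everything, then check the logs for abnormalities" practice above is easy to state and less obvious to put into practice. The following is an added example, not Centage's code: it parses a handful of constructed authentication log lines (the single-line format with user= and src= fields is an assumption, as are the names find_bursty_sources and parse_line) and flags any source IP that produces at least a threshold number of failed login attempts inside a sliding time window, which is exactly the "multiple user access attempts from a certain IP" pattern the interview mentions. It also reports how many distinct accounts were targeted from that IP, since one address cycling through many usernames is a stronger signal than one user mistyping a password. Lines that do not match the expected format are skipped rather than crashing the scan.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical single-line format
# (timestamp, event type, outcome, user, source IP). Not from any real system.
# The final line is deliberately malformed to show that bad input is skipped.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth FAILED user=alice src=203.0.113.7
2024-05-01T10:00:05Z auth FAILED user=alice src=203.0.113.7
2024-05-01T10:00:09Z auth FAILED user=bob src=203.0.113.7
2024-05-01T10:00:12Z auth FAILED user=carol src=203.0.113.7
2024-05-01T10:00:15Z auth FAILED user=dave src=203.0.113.7
2024-05-01T10:00:20Z auth SUCCESS user=erin src=198.51.100.22
2024-05-01T10:30:00Z auth FAILED user=erin src=198.51.100.22
2024-05-01T11:15:00Z auth FAILED user=erin src=198.51.100.22
2024-05-01T11:16:00Z password_reset REQUESTED user=frank src=192.0.2.9
this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<event>\S+) (?P<outcome>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": m["event"],
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def find_bursty_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed auths inside any `window`.

    Returns {src_ip: {"failures": n, "distinct_users": k}} describing the
    largest burst seen for each flagged IP. Unparsable lines are ignored.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])  # do not assume the file is in order

    recent = defaultdict(deque)  # src -> deque of (ts, user) still inside the window
    flagged = {}
    for e in events:
        if e["event"] != "auth" or e["outcome"] != "FAILED":
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["user"]))
        # Drop failures that have aged out of the sliding window.
        while e["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            burst = {"failures": len(q), "distinct_users": len({u for _, u in q})}
            prev = flagged.get(e["src"])
            if prev is None or burst["failures"] > prev["failures"]:
                flagged[e["src"]] = burst
    return flagged


if __name__ == "__main__":
    for src, info in find_bursty_sources(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {info['failures']} failed logins across "
              f"{info['distinct_users']} accounts within 5 minutes")
```

On the sample above, 203.0.113.7 is flagged (five failures across four accounts in fourteen seconds), while 198.51.100.22 is not, because its two failures are forty-five minutes apart. The threshold and window are the knobs to tune against your own baseline; the sliding deque keeps the check linear in the number of log lines, so it can run over a day's worth of events without holding everything in memory per IP.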
What are data security best practices that those looking to purchase a SaaS solution should look for in a vendor?
While there are many qualities potential buyers of any SaaS solution should look for, here are a few tips. Once you have your model, establish a risk framework and only work with those vendors who fit the risk parameters you have set. First, be sure you are working with trusted vendors that will openly discuss their security practices with you. Second, look for vendors with third-party accreditations - for example, the AICPA's SOC compliance. And lastly, lean on your peers - reach out to others or join groups of others looking to purchase a SaaS solution and see what their organization's requirements are, what certifications they are looking at, etc.