How To Recognize Key SaaS CRM Software Differences
Information Security Differences Among SaaS CRM Solutions
The introduction of CRM software as a service (SaaS) at the turn of the century was met with intrigue by the business value proposition and concern regarding the safeguarding of sensitive data over the wild, wild web by an outside organization. Several of the traditional on-premise CRM software manufacturers did their best to fuel this fear and further surrounded security concerns with FUD (fear, uncertainty and doubt).
Seven years later the security concern has diminished for most – not because it is any less of a concern but instead because many SaaS CRM vendors have demonstrated admirable security safeguards that go well beyond what most client organizations could achieve internally. Because information security is a rapidly evolving discipline managed with creative strategies and a plethora of new technology tools, few SaaS CRM vendors use similar strategies or defenses. These differences clearly translate to varying levels of information security protection by different SaaS CRM vendors. The primary areas where SaaS application vendors differ in their information security approaches include strategy, risk analysis, staffing, depth of defenses and independent certifications.
To some organizations, information security seems most focused on keeping out hackers. To more mature, security-conscious organizations, information security is about preserving the confidentiality, integrity and availability (CIA) of information. Confidentiality ensures that information is accessible only to those authorized. Integrity safeguards the accuracy and completeness of information and processing methods. Availability ensures that authorized users have access to the information when required. A short conversation with a potential SaaS vendor should permit you to determine their information security strategy, maturity and focus.
Security preparedness begins with risk analysis, security awareness and a company-wide culture which includes executive sponsorship, management commitment and specialized staffing. A thoughtful risk analysis should always precede a security strategy so that security measures are prioritized toward high-risk and/or high-impact events. It’s also useful to note that risk analysis exercises generally show that a failure in CIA is far more likely to be caused by a hardware malfunction, an improperly applied change management procedure or internal human error than by a caffeine-addicted teenage hacker working out of his parents’ basement from the other side of the world in the middle of the night. Again, to form your own opinion, talk with your SaaS provider and understand whether they believe service is more likely to be impaired by a broken router or a badly behaved juvenile.
Security is a process, not a product or procedure. Security begins and ends with people. Information security is primarily a management issue rather than a technical issue. SaaS companies that get this often follow the risk analysis with an ISMS (Information Security Management System) which is a part of the overall management system. When speaking with a potential SaaS CRM or ERP provider, find out if they approach security as a process or a product and whether they have an ISMS or the equivalent.
Depth of defenses speaks to the rigor and intensity applied to enforcing the security strategy. This is the area where layers of tools and products reinforce the strategy, and this area varies greatly among SaaS companies. For example, does the SaaS CRM software company utilize simple packet filtering firewalls or deep packet inspection (DPI) firewalls? Do they simply use an intrusion detection system (IDS) or do they also use an intrusion prevention system (IPS)? Does the SaaS provider have competent security staff and resources who review logs, are alerted to unusual events, monitor an early warning system and perform periodic announced and unannounced internal audits? Are the security staff trained to isolate an intrusion and equipped with the forensic tools to successfully prosecute a violator? Few SaaS vendors measure up well to each of these scenarios.
A final difference in SaaS CRM vendors’ information security preparedness and assurance comes from independent certifications. Simply put, some SaaS vendors complete information security audits and most do not. The most relevant information security audit is the ISO (International Standards Organization) 27001 certification. It deals specifically with information security in a hosting environment. Other audits may be obtained from recognized security consultancies who periodically perform vulnerability assessments (VA), penetration (PEN) tests and simulated attacks. Due to changes in information security postures and the constantly evolving threats, security audits and certifications should be performed at least annually. I continue to be amazed to this day by the high number of SaaS CRM software providers who choose to ignore these valuable exercises.