Software as a Service (SaaS) is a delivery model in which applications are hosted at an outsourced data center, and sold to the end-user under a monthly subscription. With the physical security industry increasingly shifting to this approach in order to control costs and avoid obsolescence, it is crucial that buyers understand what factors to consider when looking for a SaaS provider.
The tremendous growth of new SaaS security and surveillance services in the past few years has made choosing the best solution tougher than ever, as buyers must sort through a blizzard of competing vendor claims. That said, SaaS has been around for long enough in the general IT market that a number of best practices have emerged for evaluating these hosted service offerings. I have distilled all the information down to seven requirements and applied them to the physical security context.
1. Audited Data Security Controls
Because data security is still reported as the No. 1 concern for CIOs with outsourced application services, it needs to be your No. 1 concern as well as the physical security SaaS end-user.
First and most importantly, this means you need to ensure that SaaS providers undergo regular third-party application security audits, and that they are willing to share those results with you in writing. There are a variety of standards that govern security audits, but one of the most common in the United States is SAS-70. Other standards include SysTrust, WebTrust or ISO 27001/2, depending on the application.
If a SaaS vendor has not bothered to have its system audited to at least one of these standards, then you are assuming far more risk than is reasonable. If your vendor cannot show you a current information audit statement, you should not trust them.
As part of your due diligence, make sure that the audit statement pertains to the SaaS provider's specific application, not just the hosting center. Unfortunately, it has become a common sleight-of-hand for new players to try to pass off their third-party hosting center's audits as their own. The two are very different things. Demand an audit statement for the specific application you will be using.
2. Track Record of High Availability
Right after information security, one of the top concerns among SaaS buyers is system availability, or "uptime." Even though SaaS providers as a group have an admirable track record against in-house solutions, most buyers feel a bit queasy when they cannot reach out and touch their own servers, or wring the neck of their very own IT guy when there's a problem.
That's why it is important to understand the "availability record" of your candidate service providers. Monthly or annual availability figures are something they should be able to provide to you. After all, those of us in the industry live and die by these numbers, and we know them better than we know our own phone numbers. If a provider cannot or will not tell you, it is not a good sign.
As a target goal, you should be looking for an application availability figure in excess of 99.95%, and a data availability figure in excess of 99.99%. This second figure is higher because even if applications or networks are briefly unavailable (that being the nature of the Internet) there is really no excuse for losing anyone's data with today's replication technology.
3. Multiple, secure, disaster-tolerant data centers
Multiple data centers are one of the techniques used by SaaS providers to achieve high availability, but there are more reasons than just that to make sure a provider has housed your data in several secure "telco grade" facilities that are geographically dispersed.
First, it excludes those "mom and pop" offerings where a security dealer or integrator has basically stashed a couple of servers in their office telephone closet and called it a hosted offering. You wouldn't do that in your own IT shop, so do not accept it from anyone else. Telco grade facilities are characterized by having diesel-generated back-up power, multiple independent connections to the Internet, 24-hour staffing and their own secure physical security perimeter. These days those are just minimum requirements, so be sure to ask where the servers are and where your data will be stored.