Software as a service solutions and IT security: (Potentially) a match made in heaven

I had a few minutes the other day to peruse my backlogged library of articles (you know – the ones you put away until you can get your head above water long enough to catch your breath) when an article about SaaS and cloud services security in the government sector caught my attention. 

 The reason I did a “wait just a minute” on the piece is that the hot topic in our SaaS/cloud world is security, especially when it comes to content management and ECM SaaS solutions.   

We all know that our data – personal and business – is stored somewhere, and a lot (if not most) of it is accessible via the Internet. And, we’ve all heard a horror story (or two) about security breaches. Definitely scary stuff.   

So, when looking at security from a business perspective, here are a handful of questions to ask yourself – or to add to your RFP/RFI – if you’re in the market for a SaaS solution provider. And even if you already have a SaaS ECM solution provider, they should be able to answer these questions – and answer them with a “yes!”    

  • Is the data center where your data is hosted SAS70 II audited? In researching your SaaS solutions, this question should be asked by someone in your IT department. In fact, this audit is so comprehensive that, in our conversations with IT management, just mentioning this compliance level calms a host of security concerns.
  • Is the backup location compliant, too? Pop quiz: If the primary (production) data center is compliant, does the secondary (backup) data center need the same level of compliance?  Answer: Yes!
  • Does the hosting provider’s processes, infrastructure, etc. undergo an independent audit, defined by either ISO or SysTrust standards?”
  • Does the SaaS provider perform their own internal security audits on a regular basis? Can they provide documentation to you upon request?
  • Does your SaaS ECM provider give you the opportunity to engage a third-party vendor, such as SecureState©, to perform your own audit against the solution? Yes, this may be an additional cost for you. But your provider should be open to letting you look “behind the curtain” of your ECM SaaS solution.

While there are plenty of other questions you could ask, the bottom line is this: SaaS ECM solutions are as secure as any on-premise software when they’re done right. And in many cases, as the article pointed out, they might even be more secure (hence the title of this post). After all, who would you rather have implement software for you? The company that developed it, or a government agency or department?

Jacqui Conn

Currently, Jacqui Conn is a Business Development Manager with Hyland Software's OnBase OnLine & Hosting Services. But as most infomercials go, "but wait - there's more!" Literally a “Jac of all trades," Jacqui not only evangelizes OnBase OnLine (Hyland’s SaaS deployment model), but has built and managed the business side of OnBase Disaster Recovery Services, and markets it all. Fun fact: coincidentally, Jacqui's mother’s maiden name is “Saas.” (It’s true!) Contact Jacqui at

3 Responses

  1. It’s my understanding that a SAS 70 report pertains mainly to the financial industry. There is another (higher?) level of security certification known as SysTrust that I think crosses all industries.

  2. Jacqui Conn says:

    Thanks for your comment!

    About SAS 70/II and SysTrust compliance audits:

    * In the past, SAS 70/SAS 70 II compliance was specifically focused on internal controls for the financial industry (SOX, etc.). However, we have found that this compliance audit and is geared towards service providers. See the SAS 70 II link provided in the blog for further definition.
    * We agree with your comment that the SysTrustand SAS 70/70 II combo definitely provides that one-two audit punch: where one lacks, the other provides, and vice versa.
    (Check out the SysTrust link above – it provides a nice side-by-side comparison.)

  3. Ken Usman-Smith says:

    Some of you may work for employers that have realised that its expensive and adds a growing carbon cost to the organisation to manage all those servers on the top floor where the IT support team sit! And thats driving this move towards Saas AND THE SECURITY RISKS that will come as part of the deal.

    Some of you may have started moving your terabytes of data from your offices to a remote data centre.

    Some may have used a commercial organisation such as Hyland.

    And you may be happy with the one off hosting cost that’s creating real value for money.
    Or you may be coping with a loss of capacity to drive strategic ICT development in the business you are in.

    But have you noticed that whilst you have seen this as cutting edge, technology has done it again, the goal posts are moving. Software as a service is creeping up behind you faster every day as your budgets are cut.

    But you may go further, as you look at all of your expensive licensed programmes and the new build updates and patches from probably 100’s of legacy systems. And you accept that you need them to deliver an efficient service. The result is that you may want to move to ‘Why buy the cow when all you need is the milk’?

    Do you realise that all that software can sit anywhere, be maintained by anyone with skill and can be accessed as you use it on line? The use of open source is growing, but the internets always on and fast enough, so a dumb terminal and software that is SaaS is a radical even cheaper route to go down.

    Do you need to have a cow sitting in every office, its costly to feed, it gets in the way of your business and at the press of a button the milk is there, 24/7? There is only one valid definition of business purpose – namely to create a customer. And the Government Sector we are here to serve the customer, everything else may just be an overhead.

    And this will mean solving the potential security risks in this growing sector will also be invested in. The risks are simply too great of course.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like...