What SaaS Customers Mean When They Ask About Security

Drew Dillon, published in ProductMan, Jun 26, 2018

Originally posted as an answer to “What are some of the security concerns about Yammer?” The whys are reasonably universal to SaaS and even more so for other freemium collaboration products.

Yammer’s best reps closed the biggest deals by convincing the business that they needed the product and IT that the free version didn’t have enough controls. A deal came together when IT said, “Buy it or stop using it.”

At the end of the day, SaaS customers are concerned about two things: breaches and abuse.

Breaches

A breach is simply disclosure of data to a party the originator hasn’t authorized. A breach can be as complex and malicious as a big credit card hack and as simple and innocuous as the baby photo wall at the doctor’s office (the pictures meant those babies received medical care there).

When prospects talk about security in this context, they are concerned about threat vectors along these lines:

  • Physical — unauthorized individuals can’t walk out the door with unencrypted hard drives of customer data
  • Application — you can’t use the product in such a way as to access other companies’ data
  • Systems
    ◦ Production systems are sufficiently hardened to prevent malicious code, etc.
    ◦ Employee devices are tagged, tracked, have sufficient access controls, and encrypted drives
    ◦ Two-factor authentication is used for any system that might contain customer information, and you’ve reasonably mitigated system/service accounts not tied to an individual
  • Yammer employees
    ◦ That Yammer employees wouldn’t steal their data
    ◦ That we had controls to make it hard to do so and exceptionally hard to do by accident
    ◦ Social hacking — our employees as an attack vector, stolen passwords, malware, etc.
  • Their employees
    ◦ Malicious employees stealing data — there’s nothing particularly Yammer-oriented about this, except that our access controls were much lighter than what you’d see from an intranet
    ◦ Mistakes — posting social security numbers, credit card numbers, M&A documents, clips of a movie you’re working on, etc.
    ◦ Highly regulated environments — we had a few banking customers who had rules about the different parts of the company talking to each other. At least one school per year would ask about using it for teachers, students, and parents, but there are a bunch of laws around those interactions (for good reason!).
    ◦ Social hacks — their employees as an attack vector, stolen passwords, malware, etc.
  • Contracts — that any processors or subcontractors we use would be covered by our agreement (compliance punches down from customer to customer). This is a legalistic version of privacy and is the essence of HIPAA BAAs and GDPR’s DPA.
  • Certifications — customers care about certifications insofar as their customers care about certifications (see Contracts). Certification isn’t security, it’s:
    ◦ Framing of your security practice in a standardized way
    ◦ Table stakes tools and practices
    ◦ Myriad antiquated techniques and requirements that don’t make sense for a modern software development company
    ◦ An audit, saying you do the things you say you do. This is probably the most valuable from a customer standpoint, but also the easiest for customers to verify.

Abuse

This one’s pretty simple. Admins just didn’t want employees treating each other badly over this new medium.

I understand the concern politically and emotionally: you don’t want to be the person who brought in the software that led to harassment. They might feel responsible for enabling it or fear being held accountable for introducing a system used to do that. But there are a lot of other technologies in and around business that are easier to use for this and less easily tracked and reported than a big central system.

We also heard a lot of concerns about swearing from non-swearing cultures, but swearing in a group in a corporate social network is much like swearing in a room at the office. Nothing prevents either case except repercussions, which would be the same.

I won’t go into controls or capabilities Yammer had during this period, but suffice to say we won over many large security-conscious companies before we went for a single certification.
