researchHQ’s Key Takeaways:
- Integration Platform as a Service (iPaaS) providers are responsible for the handling and processing of sensitive data in transit between applications, and so, it is critical that companies carefully assess the security of an iPaaS solution before making a purchase decision.
- An effective means of assessing an iPaaS provider is to request and thoroughly review their SOC 1 and SOC 2 reports as they include the results of an independent audit.
- While assessments will vary with individual business circumstances, common concerns include GDPR data considerations, PCI-DSS compliance and, where health data is involved, a HIPAA Business Associate Agreement (BAA).
Securely integrating your SaaS applications
Is evaluating the security of iPaaS solutions unnecessarily prolonging your progress towards application integration and optimizing your processes?
Nowadays, most medium to large companies, along with a growing number of smaller ones, rely heavily on multiple SaaS solutions. As a result, integrating those applications to streamline business processes is critical to the efficiency of the company as a whole.
Part of selecting any new service provider is performing due diligence to confirm that the applications run securely and work together. If they don’t integrate natively, working out how to connect them can be fraught with challenges.
If no convenient or turnkey option exists, designing and developing custom integrations comes at a high price. Not all businesses have the resources to build these in-house, and bringing in contractors only raises the cost. And if the development expense weren’t enough, maintaining those custom integrations over time pushes the total beyond what most growing businesses can justify.
There’s a new player in town
Integration Platform as a Service (iPaaS) has come into its own and can integrate your SaaS solutions quickly and with little effort. In many cases heavy IT involvement is unnecessary, which shortens the time to integrate and therefore lowers the cost.
However, as with your SaaS applications, you must select an iPaaS provider carefully by performing meticulous due diligence. The iPaaS provider handles your sensitive data while it is in transit and processing between applications, so data security is extremely important when selecting an iPaaS.
As with SaaS solutions, ask yourself the following questions: What data is being moved or processed? Is it sensitive, or PII subject to regulatory requirements (GDPR, Privacy Shield, HIPAA, PCI and FERPA, to name a few)? Most importantly, is the data stored persistently anywhere along the way, and if so, is it stored securely?
Many of these regulations mandate that data be handled in specific ways for security. Encryption, in transit and at rest, is an extremely important control even where it is not a strict requirement (only a few of the standards actually mandate encryption at rest, for instance).
How we usually evaluate security
When performing due diligence, you’re going to be asking questions, sometimes a great many of them. What do your questionnaires look like? Are they very large? Do they require evidence? Are they the same questionnaires you use for the major SaaS providers?
Large questionnaires can take a proposed vendor a great deal of time to answer. You are looking at potentially weeks of work, which significantly extends the selection process, let alone the start of the integration itself.
Business needs to move at speed! Full audits are a slow, bureaucratic process…
And wait: does your proposed iPaaS provider store the data persistently, or is it pass-through only?
The risk is not the same as for a SaaS solution that DOES store the data persistently. A pass-through iPaaS should present a much more limited risk than a SaaS solution that persistently stores most of the data about your business, not to mention the data on your customers, or even your customers’ own data. Keep in mind, though, that even a pass-through iPaaS holds the API credentials or OAuth tokens for every application it connects, and will usually retain logs, queued retries and failed-message payloads, so confirm exactly what “no persistent storage” excludes. The due diligence should be commensurate with the risk that remains.
How Can This be Done More Efficiently?
Due diligence can take many forms.
Like you, I am also involved in evaluating sub-processor vendors (some SaaS, some other technical service providers), and I always start by requesting their SOC reports.