You want to use a SaaS cloud service because it’s convenient. The vendor has it already implemented, so you can start using it as soon as you buy it. It’s very quick and easy. Or is it? Have you checked what you buy? Does the way the provider set it up fit your needs? What can you do about it? How can you adjust it and ensure that it fits your needs? Your only real chance to influence how your SaaS cloud service is built is when you choose and buy it. So, how do you choose the best SaaS cloud service for you?

It seems like this post is very long. Do I have to do all these things to choose the SaaS cloud service?

You have plenty of obligations to fulfill. You don’t have time to read all the articles about choosing a SaaS. That’s why we did it for you. We’ve analyzed 10 top-ranked articles on choosing a SaaS service. But that’s not all. We’ve also studied the most recognized best practices and standards for cloud services. We’ve packed it all for you into this single post. Yes, it’s long. Why? We’ve made it as complete as possible, so you understand all the aspects that matter in this process. Many of them are not necessary for simple services. We give you a catalog of aspects to consider. As every service is different, you’ll decide which ones to take into consideration in your case.

Jump in and read the post until the end! If you like it and want more guides, follow Netstero.com on LinkedIn or Facebook.

You’ll never have enough time and resources to consider every aspect of each service. Yet you’ll want to dedicate as much effort as possible to this process. Why? Here’s why:

Lack of control on how the SaaS cloud service is provided.

A SaaS cloud service can be customized to your needs in some parts. You can configure it or request some features. Fundamentally, though, the service is standardized. The service provider shapes and optimizes it as he decides. You have limited control over the way he does it. If you put a service in place and then don’t like it, there won’t be much you can do about it. The vendor has to set up the solution in a way that satisfies most of its users. If you’re in the minority, you won’t have your customization or change request fulfilled.

The difficulty of moving data to a different SaaS cloud service.

As soon as you implement the SaaS cloud service of your choice, users will start to work on it. In most cases, they will also start to store their data there. The longer they use it, the more data they store. You may find it hard to take your data away from one solution and move it to a different one. Some vendors support the migration – this is the best situation. But it’s not always like that. Many times you’ll have to swallow the cost of third-party migration software. It will often also need the effort of your employees. Usually both.

Users can withstand one implementation of a new SaaS cloud service. But they will refuse to switch it to another one…

Users don’t like changes. After some time, though, they get used to new services. Replacing those with new ones soon after implementation can be very hard. The first time, at least some of the users will understand that you are trying to make things better. The second time they will doubt whether you know what you’re doing, so they will feel that you’re wasting their time. It won’t help you in convincing them to accept another implementation.

Business needs – now and in the future

Before you even start looking at any solution, take a look at your needs. Only by knowing your own priorities and needs will you be able to choose the service properly. Why? You need something to confront the vendors’ offers with. When you start checking out different solutions, you discover many new features. First of all, you have to decide what YOU want the system to cover. You need to clarify exactly what problem you want to solve with the service. Otherwise, you’ll end up pursuing all the shiny features the vendors try to sell you. You may end up with a solution that has all the great stuff but doesn’t solve your problem as desired.

What other problems do you want to solve with the SaaS cloud service in the future?

What is the strategy of your company? What major directions is it pursuing? Think about the areas connected with the main purpose of getting the new SaaS cloud service. It often makes sense to integrate many features into one piece of software. It saves you integration costs. Of course, you don’t want to do it at all costs. The quality of all the features has to be high, and it has to make sense as a whole. The solution you consider might have features that fit your plans for the future. That counts as an advantage.

How will the SaaS cloud service fit into your environment?

You may have many applications already implemented in your company. Do you have other SaaS cloud services? How do you connect with them or other IT services in a cloud or on-premise? How do you log in to them? What are the standard ways of integration in your company?

These are some of the fundamental questions you need to answer. They will define your expectations about the integration of the new service. Think about the services you already have in place. Are you sure that you need another one? As we said in the last paragraph, you may find it beneficial to integrate many features into one solution. It applies to the systems and services you already have. It’s worth considering using a feature of the existing solution instead of buying a new one.

What are the end users’ requirements on usability and complexity?

There are a lot of things you have to consider while choosing the SaaS cloud service. But you can’t forget about the final users. You plan to put the SaaS cloud service in place to fulfill their needs after all. So be sure that you understand the needs well.

You want to see things through their eyes. How to do it? Listening is the best way, of course. You usually won’t be able to listen to everyone. Find a few people in your organization who represent the key groups of future users. You want to get as many different points of view as possible.

To achieve it, identify the groups of users first. You want the list of them to be as complete as possible. Then pick people who have the most to say. Those who don’t care won’t help you, nor will they complain afterward. Those who are passionate about their work will give you the most ideas to work on. You’ll find it useful if the users have some experience with similar applications. They don’t have to be very IT-literate. You may find it useful to show them a few solutions to compare. Let them say what’s good and bad in each of them.

You might also build some metrics to assess how easy it is to operate each of the applications. The most basic would be counting the number of clicks needed to perform an operation. The subjective opinions given are the most important for you to consider, though.

What types of data do you want and can process in the SaaS cloud service?

As your company exists in the 21st century, data is its greatest asset. Before you put it all in the SaaS cloud service, be sure that you know what you’re doing.

Check legal restrictions on processing data in the cloud. You may have to fulfill some procedures to make it legal. Restrictions on processing data may come from different directions. External regulations like export control law or the GDPR are two to mention. Each of them defines restrictions and procedures to follow for some types of data. You may want to process your clients’ data in the SaaS cloud service. Consult the contracts and agreements you’ve signed with them. They may have restricted the ways of processing their data in your organization. This can happen especially if they give you their intellectual property to process.

As a result of these analyses, you may end up implementing a SaaS cloud service for part of your data. You may have to leave another set of data on your on-premise services. Be sure which data you can put there and which you can’t. Having this information will help you choose the service that fits your needs in the best way.

Why SaaS cloud service?

Be sure why you want the SaaS cloud service and have it defined. SaaS seems like a very convenient model. You can outsource all the technical trouble to your vendor. You can put it in place very fast, and often start using it right away. But everything comes at a cost and has some drawbacks.

  • You may not be able to put all your data there.
  • You can’t set it up your way if it affects other clients.
  • You won’t have access to it on a poor Internet connection or without it.
  • If your provider goes bankrupt or closes business, you lose the service immediately.

You choose your SaaS cloud service for the long term. You want to analyze whether the benefits of choosing it outweigh the drawbacks of this model. To do it, be sure to define all the reasons you want to have it that way.

What are the features (now & in the future)?

At this point you have your business needs defined. This is the moment to start looking around the market to check what’s there. What features do providers offer? What extra value can you get? Checking out the features is quite an obvious part of choosing any service. This is what every business and management board wants to see the most.

Check what are the SaaS cloud service features now and compare them with your needs.

You’ve defined all the needs and expectations the service should fulfill. Now you compare them with what the vendor has to offer. You can expect every provider’s salespeople to tell you how great their service is. With defined needs, though, you are well prepared for that. You can compare their offerings not only with one another but also with your expectations. It’s not so hard to verify the salespeople’s promises. Performing tests and trial runs will show how the SaaS cloud service works in practice.

Check how the SaaS cloud service provider plans to develop the service in the future.

This part is neither as obvious nor as simple to verify as the vendor’s current offering. But if you want to be satisfied with your SaaS cloud service choice in the long run, you had better check it. Ask the service vendor how he plans to develop his product. How does he want to provide more value to customers in the future?

Ask him also how he got to the current state of the service. SaaS cloud services usually don’t start out great, complex, and deep. They are born as little applications solving a single issue. Your vendor started small too. Learn how he developed the service to get to its present state. Learn what he’s grown from. It will help you understand the way he thinks about service development. Based on that, you’ll have better insight into whether what he plans to do in the future is his real intention, or whether he is just telling you what you want to hear.

When you know the vendor’s plans, confront them with your strategy for using the service in the future. Only this way will you be satisfied with your choice in the long run.

How will the SaaS cloud service be provided? The SLA…

SLA – the Service Level Agreement. You should ask all the considered vendors to hand it to you as soon as you start talking with them. This is where you’ll find all the most important information. It will tell you how the service will be provided. We’ve written another post about the 10 SLA Best Practices for Cloud Computing in 2022. You’ll find there all the aspects to consider about the SLA, so we won’t duplicate it here.

Is it really a SaaS cloud service?

Before we jump into compatibility aspects, be sure that what you buy is a real SaaS. These days internet browsers act like complete software runtime environments. No SaaS cloud service should need any extra software to run on the client-side. If the vendor asks you to install any application, you should become very suspicious. You don’t buy a SaaS cloud service to update yet another piece of software on users’ devices! The only software the vendor can provide for the service can be an optional mobile app. You shouldn’t need it as a prerequisite to run the service. It can be an extra piece of software to improve user experience.

The browsers’ compatibility

JavaScript developers know that not all browsers were born equal. You know which browsers are allowed in your IT environment. You also know which of them are the most popular. Users don’t want to switch to a different browser every time they want to use a different service. Be sure that the SaaS cloud service you’re buying works well on the browsers in your organization. Ensure the browser is supported. You don’t want the response to your technical issues to be “we don’t support this browser”.

Mobile apps

Mobile apps improve the experience of using SaaS services. You may want to verify whether the vendors you consider offer a mobile app. If they do, check, or even better test, on which platforms they run properly. Find out whether they have serious bugs. An app that causes trouble won’t make the SaaS cloud service experience any nicer.

The security

This ends the features section. Now we’ll talk security. It comes down to only one question, but a difficult one to answer…

How does the SaaS cloud service provider treat your data?

Some salespeople will tell you anything you want to hear to sell their services. You usually don’t have full access to the service’s backend to verify it. At some level, you’ll have to take the provider’s word for what he promises to deliver. You can do some trials and tests, but they won’t reveal what’s “under the hood”. Has the vendor developed the service properly and securely? How do you verify that, to avoid a bad disappointment?

Certifications

When you’re choosing a SaaS cloud service provider, certifications are your best friends. Verifying how vendors will treat your data requires a lot of asking questions. If the vendor is certified, it means someone has done the asking for you. What’s more, the certification auditors are trained experts. They have extensive knowledge and experience in the area of each certification. They know what to ask for and how to verify the answers.

If the certifications can do much of the work for you, is there anything left for you to do? Well, you need to understand what they say. They cover different aspects of providing a SaaS cloud service. You want to know what each of them covers, so you don’t have to verify those parts by yourself. You also don’t want to be fooled by a large number of certifications. The old saying that quality, not quantity, matters applies here. We’ll go through some of the certifications you can expect, so you understand what’s what and how to interpret them.

CIF – Cloud Industry Forum

The Cloud Industry Forum, known as CIF, provides a Cloud Service Provider Code of Practice. Cloud service vendors can self-certify for compliance with this code. The code includes practices from the areas of transparency, capability, and accountability. The CIF created them to define how cloud service providers should take care of customers’ data. These are some of the aspects the Code regulates:

  • Transparency. The code states that the vendor should provide comprehensive information about its operations. In this area CIF was inspired mostly by the European personal data privacy regulation, the GDPR. The provider should communicate, among other things:
      • The number of employees,
      • The geolocation of the data centers the service is based on,
      • The current list of subcontractors and subprocessors.
  • Capability. This section covers processes that vendors should document and follow. Some of them are information security management and service level management. CIF has taken them from ISO 27001, ITILv3, and ISO 9001.
  • Accountability. Providers self-certify themselves for compliance with the code. There has to be some level of responsibility for this action. Failing to follow the Code’s practices may result in sanctions from CIF. One of them is a press release about the inappropriate use of the certification.

Why do we start with this quasi-certification, which anyone can self-certify for? Well, the Cloud Service Provider Code of Practice is a great start if you want to verify a SaaS cloud service. Even if the provider you consider doesn’t have it, the Code can give you great guidelines on what to check. The practices mentioned in the Code will lead you through the process of verifying SaaS cloud service vendors. Use it if a vendor doesn’t have the certifications you’d like to see from him.

CSA STAR

Now we jump into one of the most serious certifications in the industry. CSA stands for Cloud Service Alliance. And STAR is an abbreviation for Security, Trust, Assurance, and Risk. And this is what it’s all about. Like the CIF’s Cloud Service Provider Code of Practice, it takes all the best from:

  • ISO 27001, 27002, 27017, 27018
  • CIS,
  • PCI DSS,
  • AICPA TSC,
  • NIST 800-53,
  • GDPR

If a provider appears in the CSA STAR registry, it means that it complies with the significant areas of these standards. Often, the CSA STAR is even more restrictive. The STAR registry contains the providers that submitted to it. They can apply for two levels of the registry:

  • Level 1 – Like the CIF’s Cloud Service Provider Code of Practice, this is a self-assessment. But the CSA STAR seems wider and deeper. To be mentioned in the registry, the vendor has to submit its assessment to the CSA. Unlike with the CIF, you can also verify in the registry whether the vendor is actually listed there.
  • Level 2 – This one is for serious players that strive for the most recognizable proof of their service quality. To get into the Level 2 registry, they have to submit a third-party audit. It takes costs, effort, and resources to do it. If the vendor is listed in the Level 2 registry, you can be sure that this company treats your data very seriously.

We’ll take the CSA STAR as our guide through the world of SaaS cloud service certification. We’ll go through the standards to which CSA maps the STAR. Check out below our brief summary of what each of them is all about.

ISO 27001, 27002, 27017, 27018

The ISO 27000 series is the most recognizable IT security standard. The individual norms cover the following areas:

  • ISO 27001 – the general all-purpose norm for IT security. It applies to all kinds of organizations using any IT technology. You can consider it an entry-level IT security certification for SaaS cloud service vendors. If the provider doesn’t have it, it means that he’s still pretty immature in the area of security.
  • ISO 27002 – an expansion of the 27001 norm. It describes how to create and run an Information Security Management System.
  • ISO 27017 – a specific IT security norm covering topics related to the security of cloud services.
  • ISO 27018 – an extension of 27017. It includes more controls and best practice recommendations for cloud service providers. It describes how to secure the processing of personally identifiable information in the cloud.

CIS

CIS – the Center for Internet Security – takes a different approach from the others. It doesn’t focus on recognizing the vendors who follow the guidelines. Rather, it provides best practices for everyone who wants to be safe in the IT world. You can download the general controls for your organization. You can also get benchmarks for over 100 IT solutions on how to harden them for safe use. The benchmarks are in fact detailed information about the configuration of your solutions. They are published for operating systems and security tools, but also for cloud platforms like AWS or Google Cloud Platform.

PCI DSS

The PCI Security Standards Council focuses on the general security of payment processes. The DSS stands for Data Security Standard. PCI cooperates closely with its industry to create the guidelines. As a result, the PCI community has an interesting point of view on how to develop its standard. In the latest 4.0 revision of the standard, PCI focuses on the following aspects:

  • “Continue to meet security standards”. The PCI continually adjusts its guidelines to the growing and changing cybersecurity threats.
  • “Promote security as a continuous process”. The cybersecurity process must always keep going and keep being constantly improved.
  • “Increasing flexibility for organizations using different methods to achieve security objectives”. – Being open to innovative methods of ensuring the expected security level. In other words, the standard tries to focus rather on the effects than on the way. If the organization complies with the desired level of IT security, it doesn’t matter how it’s achieved.
  • “Enhance validation methods and procedures”. – the PCI tries to have all their processes around the standard consistent with each other.

AICPA TSC

The AICPA – American Institute of Certified Public Accountants, like the PCI, focuses on the financing sector. Their TSC – Trust Service Criteria – covers a high-level, business point of view on IT security. AICPA puts much attention on processes, planning, monitoring, and verification. You won’t find any technical aspects there. But you will get insights on how to organize your IT security in a very mature manner.

NIST 800-53

NIST is the National Institute of Standards and Technology. It is yet another American institute demonstrating concern for cybersecurity. As they are a technology-based agency, they’ve taken a very practical approach. They have written the 800-53 standard in a way that you can implement directly in your cybersecurity policies. There are ready-to-use statements for you to put in your documents. You only need to fill in the blanks with your specific content. But NIST doesn’t just leave you with the blanks to fill. They also provide instructions on exactly what kind of data you should put there. Like CIS, NIST doesn’t provide any certification or accreditation process. Cloud service providers can confirm their compliance through third-party certifications like CSA STAR.

OWASP ASVS

OWASP’s standard is the only one here that CSA hasn’t considered in its STAR certification. Still, you want to know what it’s all about when choosing a SaaS cloud service. OWASP – the Open Web Application Security Project – focuses on the security of web applications. ASVS stands for the Application Security Verification Standard. It defines how to design and develop web applications securely. Every SaaS company uses a web app to deliver its services. OWASP’s standards seem like a perfect fit here.

OWASP grades the ASVS guidelines into 3 levels. The choice of level depends on the sensitivity of the data processed in the SaaS cloud service.

  • Vendors that offer services designed to work with insignificant data can go for level 1.
  • Most of the SaaS cloud services process at least personal identifiable information. Their vendors should choose level 2.
  • For services created for very sensitive data like medical info, you can ask the provider for compliance with level 3 of the ASVS.

OWASP doesn’t provide a certification process. You may treat the ASVS rather like an application penetration testing standard. You should ask your SaaS vendor for a third-party certificate from penetration tests of their applications. When you get it, you want to check whether the penetration testing vendor followed the ASVS while performing these tests. If yes, it’s a good sign.

The testers can also rely on the OWASP Top 10. The Top 10 is a list of the most common web app vulnerability types. It is not as thorough as the ASVS standard, though. If the third party uses a different approach to testing, it’s not necessarily bad, but it should draw your attention. OWASP is the most recognized authority in the web application security industry. There are no good reasons not to refer to their guidelines.

If the vendor provides the penetration testing certificate, you should also check the credibility of the third party. Unfortunately, you don’t have many tools to do it, except verifying its references and reputation.

Non-technical certifications

Your SaaS cloud vendor can present other certifications of compliance with standards. Many of them cover important aspects of SaaS cloud service management. They don’t apply to cybersecurity directly but specify best practices in areas that help keep the business and IT well organized. We list some of the popular standards here so you can recognize at least the area they cover:

  • ISO 9001 – Quality Management
  • ISO 20000 – IT Service Management
  • ISO 22301 – Business Continuity
  • ISO 31000 – Risk Management

What if it’s a cool SaaS cloud service, but doesn’t have certifications?

A SaaS cloud provider that doesn’t even have an ISO 27001 certification should raise your attention. It may mean that he doesn’t give much care to the client’s data. Sometimes the service brings unique and significant value to your organization. In this case, your business will push you to accept this service regardless of its lack of certifications. What can you do in this situation? Unfortunately, you have to become an auditor and verify the security of the solution by yourself.

How to do it? What questions to ask? You can use guidelines from the standards we’ve presented above. Follow them while verifying how secure the service is. We’ve also provided some guidelines for you below. Go through these areas when you are considering buying a SaaS cloud service without certifications.

Disaster recovery plans

You may have read our post Disaster Recovery Plan – How To Secure Your Data In Cloud. We’ve encouraged you there to have your own disaster recovery plan for cloud services you use. Still, the vendor should have his own plan. You want to ask him for it. When you get it, confront it with our post mentioned above. It should cover all the aspects we’ve described there.

Application and interface security

What if the provider doesn’t have any penetration test certificate? You should seriously reconsider buying a service from this vendor. Not having a certificate means that it’s a very small company with no budget for tests. It could also mean that the provider tries to sell the service at a low price, so he cuts all costs. Most probably both. If you value your data, you don’t want the vendor to cut the cost of the service at the expense of its security.

Your business can sometimes force you to buy the service despite the lack of a penetration test certificate. In this situation, you should present the risks of data breaches to the management.

You may think of financing the tests from your organization’s budget and performing them for the vendor. The vendor has to agree to that – you cannot do it without his permission. But even if he agrees, you’d still need his engagement while testing and fixing vulnerabilities. If he didn’t want to perform the tests himself, you may have a hard time forcing him to work on it.

Cryptography and encryption

Encryption is a standard way of securing data today. The vendor, while providing the service via the Internet, should use an encrypted protocol. Most likely it will be HTTPS. The encryption certificate has to be valid and issued by a third party trusted by all browsers in their standard configuration. You probably know that this is the absolute minimum of security for a web application. You can’t accept any exception in this matter.
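
A practical way to check this requirement before signing, added here as an example that is not part of the original post: the script lets Python’s default TLS context (which, like a browser in its standard configuration, only accepts chains that validate against the public trust store and a matching hostname) decide whether a vendor host is trusted, and separately reports the validity window, hostname match and issuer from the certificate. The host name app.vendor.example and the sample certificate are constructed placeholders.

```python
"""Check a SaaS vendor's HTTPS certificate: an offline-testable assessment of a
certificate in the shape returned by ssl.SSLSocket.getpeercert(), plus a live
helper that lets the default (browser-like) trust store decide chain trust."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Constructed sample peer certificate for this example; the names, issuer
# and dates are made up and do not belong to any real vendor.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "app.example-saas.test"),),),
    "issuer": (
        (("organizationName", "Example Trusted CA"),),
        (("commonName", "Example Trusted CA R3"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
    "subjectAltName": (
        ("DNS", "app.example-saas.test"),
        ("DNS", "*.example-saas.test"),
    ),
}
# Constructed "current time" values so the assessment is reproducible.
SAMPLE_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)           # inside the window
SAMPLE_AFTER_EXPIRY = datetime(2024, 4, 1, tzinfo=timezone.utc)  # after notAfter


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a SAN DNS entry against a hostname; a leading '*.' covers
    exactly one label, as browsers require (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example-saas.test"
        label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return bool(label) and "." not in label
    return False


def _rdn_to_dict(name: tuple) -> dict:
    """Flatten a getpeercert() subject/issuer tuple into {attribute: value}."""
    return {attr: value for rdn in name for attr, value in rdn}


def assess_peer_cert(cert: dict, hostname: str, now: Optional[datetime] = None) -> dict:
    """Report hostname match, validity window, days left and issuer identity.
    Chain trust is NOT decided here; the TLS handshake in check_vendor_tls()
    does that against the default trust store."""
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    subject = _rdn_to_dict(cert.get("subject", ()))
    return {
        "hostname_matches_san": any(_dns_name_matches(p, hostname) for p in san_dns),
        "in_validity_window": not_before <= now <= not_after,
        "days_until_expiry": (not_after - now).days,
        "issuer": issuer.get("organizationName") or issuer.get("commonName", "unknown"),
        # Issuer identical to subject is the signature of a self-signed cert,
        # which browsers in their default configuration will not trust.
        "issuer_equals_subject": issuer == subject,
    }


def check_vendor_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check against a vendor endpoint. create_default_context() requires
    a chain that validates against the system trust store and a matching
    hostname, so an untrusted or mismatched certificate fails the handshake
    exactly as it would in a browser with standard settings."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result = assess_peer_cert(tls.getpeercert(), host)
                result.update({"trusted_chain": True, "protocol": tls.version()})
                return result
    except ssl.SSLCertVerificationError as exc:
        return {"trusted_chain": False, "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"trusted_chain": False, "error": str(exc)}


if __name__ == "__main__":
    import sys
    # Usage: python check_vendor_tls.py app.vendor.example  (placeholder host name)
    target = sys.argv[1] if len(sys.argv) > 1 else "app.vendor.example"
    print(check_vendor_tls(target))
```

Run it against each vendor host you are evaluating; a `trusted_chain` of `False` or a short `days_until_expiry` is the kind of finding to raise with the vendor before signing.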

The vendor should secure your data in many other places than the communication protocol. The most obvious data that should be encrypted is of course the storage of users’ passwords. The vendor may say that he uses tools provided by the sub-vendor of the underlying PaaS services. Your vendor should still know how the passwords are encrypted. He can find this information in the documentation and provide it to you. We don’t have enough space here to cover all the details about encryption. You can find basic encryption information here.

Technical security

Does the vendor ensure the high availability of the service in the SLA? He should. Ask how he achieves it. What can you ask for?

  • Location level redundancy. Services should switch automatically between data centers in at least 2 locations. Even if the vendor uses a premium platform like AWS or Google Cloud Services, he should set up a geographically redundant environment. Don’t accept the reasoning that this is a safe vendor, so everything will be OK. Keeping the service in one location puts it at risk. Please find more details about this aspect in the post Disaster Recovery Plan – How To Secure Your Data In Cloud.
  • Data center level redundancy. The climate control system should keep working even if one or even two of its components fail. Power should be supplied to each server, storage, and network device by at least two power lines. Each of the lines should rely on a separate set of electrical devices and have its own connection to the grid. There is a four-tier classification of data center security. Please find more details in this great post: https://phoenixnap.com/blog/data-center-tiers-classification.
  • Infrastructure and virtualization level redundancy. The vendor should host the applications in a highly available, virtualized environment. Storage and network device configuration should also ensure redundancy. As at the higher levels, if any component of these systems fails, it must not impact the service availability.

Data center security doesn’t mean redundancy only. In each data center, its vendor should install dedicated security systems:

  • An automated fire extinguishing system can put out the flames as soon as they appear. Even if the data center staff watch it 24/7, waiting for their action may cause too much destruction.
  • The data center vendor must also run a flood alarm system. As soon as any water appears in the data center, this system informs the staff to react.

Operational security

Technical systems alone won’t ensure a satisfying level of data security. The vendor should also have his work organized in documented processes. Of course, his employees have to stay in compliance with these processes. Yet you’ll find it much easier to verify the documentation than the compliance. So, start with verification of the documents first. Then ensure that the contract conditions make it worthwhile for the vendor to follow them. These are some processes that you may ask the vendor to document:

  • Security Incident Management. The vendor should be able to show you the procedures he uses to manage security incidents. You can also ask for proof of fulfilling these procedures. You’d like to see reports from monitoring shifts and from processes of incident mitigation.
  • Threat and vulnerability management. As we’ve said before, the vendor should have a third-party certificate from penetration tests of the application. He should also have procedures for continuous verification of vulnerabilities in the environment. They should apply to the main applications, but also to all components down to the servers’ operating systems. You can also ask for proof like documentation of vulnerabilities detection and mitigation.
  • Change management. The vendor should define the process of change authorization. Unauthorized changes may cause an interruption in service availability. The process should prevent it. As proof of following this procedure, you can ask for change requests approved accordingly to documentation. Configuration monitoring systems can help to identify unauthorized changes. If the vendor uses them, it’s a good sign.
  • Access management. The vendor should have clear procedures on how to grant and revoke administrative access to systems and your data. As always, ask for proof of following the rules. Access requests approved as described in the procedures will do as this proof. You can also ask whether the vendor uses PAM-class systems. They work as authorization proxies for administrators.
  • Universal endpoint management. The vendor should also manage endpoints. He should secure especially those, which have administrative access to his environment. You may find it less important. Don’t forget though that most cyber threats enter organizations via endpoints. SaaS companies are no different in this aspect. One click on a malicious e-mail attachment can cause unauthorized access to your data.
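The “proof” asked for in the change-management and access-management items above is, in practice, a reconciliation: every observed configuration change or administrative access grant should map to an approved ticket whose window covers it. The following is an added illustration of that check, not code from the original post or from any vendor; the `Ticket` and `Event` records and all sample data are constructed for the example.

```python
"""Reconcile observed admin events against approved change/access tickets.
Events no approved ticket covers are reported as unauthorized; approved
tickets that were never acted on are reported too (added illustration,
constructed sample data, not a real vendor's records)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Ticket:                # hypothetical approved change/access request
    ticket_id: str
    kind: str                # "change" (config file) or "access" (user@system)
    target: str
    approved_by: str
    window_start: datetime   # approved execution window
    window_end: datetime


@dataclass(frozen=True)
class Event:                 # hypothetical record from config/PAM monitoring
    when: datetime
    kind: str
    target: str
    actor: str


def reconcile(tickets, events):
    """Return (unauthorized_events, unused_tickets). An event is authorized
    only if a ticket of the same kind names the same target and the event
    falls inside that ticket's approved window."""
    unauthorized, used = [], set()
    for ev in events:
        match = next((t for t in tickets if t.kind == ev.kind
                      and t.target == ev.target
                      and t.window_start <= ev.when <= t.window_end), None)
        if match is None:
            unauthorized.append(ev)
        else:
            used.add(match.ticket_id)
    return unauthorized, [t for t in tickets if t.ticket_id not in used]


# Constructed sample: two approved tickets, three observed changes.
T0 = datetime(2024, 5, 6, 9, 0)
SAMPLE_TICKETS = [
    Ticket("CHG-101", "change", "/etc/nginx/nginx.conf", "cab", T0, T0 + timedelta(hours=2)),
    Ticket("ACC-202", "access", "alice@db-prod-01", "secops", T0, T0 + timedelta(days=1)),
]
SAMPLE_EVENTS = [
    Event(T0 + timedelta(minutes=30), "change", "/etc/nginx/nginx.conf", "bob"),  # inside CHG-101 window
    Event(T0 + timedelta(hours=5), "change", "/etc/ssh/sshd_config", "bob"),      # no ticket at all
    Event(T0 + timedelta(hours=3), "change", "/etc/nginx/nginx.conf", "bob"),     # after CHG-101 window closed
]

if __name__ == "__main__":
    bad, unused = reconcile(SAMPLE_TICKETS, SAMPLE_EVENTS)
    for ev in bad:
        print(f"UNAUTHORIZED {ev.kind} on {ev.target} by {ev.actor} at {ev.when:%Y-%m-%d %H:%M}")
    for t in unused:
        print(f"UNUSED ticket {t.ticket_id} ({t.kind} on {t.target})")
```

When a vendor’s change-request export and configuration-monitoring log reconcile cleanly under a check like this, that is far stronger evidence than the procedure document alone.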

List of subcontractors

The vendor should announce a list of all subcontractors he is currently working with. Any individual or company that is not the provider’s employee has to be included there. He should make the list accessible to the public or at least to current and future customers. You have to get this info before signing the contract. You should also ask about the process of keeping this list up-to-date. The list has to include information on which data each subcontractor can access.

Maturity vs. flexibility

We talk here about the many controls and processes the provider should put in place. And we mean it. Mature organizations will more likely prevent your data from being breached or damaged.

Unfortunately, the maturity of the vendor’s organization can also become a drawback. If not implemented properly, it can cause much trouble and delays. Extensive procedures of solving users’ issues can result in a poor experience. You don’t want your organization’s tickets to wait for days until they find their way to the proper vendor’s team. You don’t want the support team to analyze the logs and error messages forever.

Some of the SaaS cloud services may need some customizations. You may want the vendor to deliver them at your request. With an extensive change management process, these things can take ages just to get approved. Don’t get us wrong – there should be incident management and change management procedures. You want them to ensure that the vendor manages the quality of the services delivered to you. They should be implemented and optimized to serve well both you and the vendor.

How do you check whether the vendor’s structured procedures are implemented badly enough to cause trouble? The only way is to take a test drive of the service and try out its support. Poor support performance can ruin users’ experience, so time spent testing it is rarely wasted. Fortunately, it’s very hard for providers to fake underperformance during trials.

Pricing

Each service comes at a price. Only you can decide if the price you pay for it is adequate in your case. You have to verify that you don’t pay too much for the service you get. Does another company offer the same quality at a much lower price? The only way to verify that is of course to compare them. To do it right, you have to know the total cost of each service.

Unfortunately, sometimes it’s not obvious. Some vendors present you only the price of part of the service. In each case, you have to verify what’s included in the presented price. What you can do is send your description to the provider and ask for the total price. The response will be as complete as your description, so you had better make it as thorough as possible.

Don’t forget about the security aspects in your description. For example, hosting an application on a redundant architecture may cost extra money. Using two different locations for redundancy usually costs the vendor extra, so there is a possibility that he will charge extra.

Ultimately, it may be impossible to get two identical offers to compare varying only by price. You always have to make your decision based on all-around judgment. And price should never be the only factor to consider. There are always some differences other than price. The best advice we can give is to get as much information as you can and decide consciously.

Support

Tech support

In terms of support, you may find the technical support service most obvious. Like with every other aspect of the SaaS cloud service, it’s good to have parameters of the support agreed with your business. You have two ways of checking if the support will work as you expect:

  • Performing tests of the service together with its support. Even if you have to pay for the test, you may want to do it. The SLA may work great on paper, but you won’t know if the vendor is capable of meeting it until you try it.

Exit support

Here’s where the provider will really show you how much he cares for you and your data. The best SaaS cloud service providers offer exit plans. They have procedures to help you migrate to another vendor regardless of the reason.

Why do you want to plan an exit before you start using a service? You may just not like the service anymore. Sometimes though it’s not a matter of liking. If the vendor has problems, your data and your business continuity can be exposed to risk. You want to have a plan of what to do in this situation.

Testing the exit plan can be both resource- and time-consuming. You may find it hard to engage another vendor’s solution only to test the exit procedure. You’ll usually have to rely on your vendor to provide a procedure to move to a different solution. If the provider has an exit plan and is willing to present it to you, you can assume that this company takes its customers’ data seriously. Don’t be fooled by kindness though. Even in these circumstances you should verify the plan deeply.

Migration support

If you already have production data in a similar service to the one you’re buying, migration support will be crucial for you. If the vendor offers this kind of help, he’ll be happy to tell you about it – most often you won’t even have to ask. Just be sure to ask about the price of this extra service, not to be surprised by an additional price afterward.

Integration support

Many SaaS cloud service vendors offer some level of integration. Usually, you’ll find them offering an API to exchange data with other systems. Don’t take it for granted though. Some providers will expect you to provide an API for them to connect to. If integration is important to you, always ask what types of integration the vendor offers. Be sure about the price of using them, as it can be one of the hidden costs of the service.

You want to know not only what types of integrations the vendor offers, but also how easy it is to use them. In other words, you have to plan for the skills you’ll need to use the integration mechanisms. Some services can be integrated with other dedicated software automatically. Others may accept universal, well-known data formats for import. In these cases, you need hardly any technical skills to use them. Users who will work with these services should have enough competencies to make it work for them.

You’ll find it harder if the vendor offers a general API and hands you documentation of it. It usually means that you’ll need some programmers on board in your business to make these integrations work. As you analyze a few similar services from different vendors, this aspect may get important. The cost of the hours of your developers can increase the total price of the service.

Training

In most cases, your users will need training to start using the SaaS cloud service. You have to choose if you want the vendor to train all your employees or only a few, who will teach the rest. You’ll have to pay anyway for these teachers’ hours – your employees or the vendor’s staff. You may want to save the time of your team, as they have their own work to do. In this case, you’ll be more willing to pay the vendor for training all your users. On the other hand, your employees may have free time, which can be utilized in leading this training. In this case, you’ll want to save money and ask the vendor to train only the “teachers”.

No matter which option you choose, the training performed by the provider can be one of the extra-priced options. As always – choose consciously what you pay for.

Reputation and referrals

The reputation of the vendor matters. Companies build their reputation not only by effective marketing but mostly by great delivery. How to verify the reputation? Consult an expert.

Each expert in some area knows the market niche he’s working in. The only concern in this approach is that the expert may have some interest in favoring one of the solutions. What to do about it? If you have enough time and resources, you can ask several experts to verify each other’s opinions.

Finding and hiring experts can be costly and time-consuming. Fortunately, we live in the Internet age and you can find rankings of just about everything on the net. It will provide you with more than enough information. There are also some credible resources that evaluate many aspects of IT hardware, software, and services. The most recognizable is of course Gartner with its Magic Quadrant. Many disagree with the Gartner rankings, but it’s still a great resource for getting a grasp of the reputation of players in the industry.

You can also raise your certainty about the quality of your chosen service by asking its vendor for referrals. They should of course be verifiable. Referrals from random small companies, which sometimes don’t even exist anymore, shouldn’t fool you. It’s better to call a few companies to confirm their referrals than to be fooled by a great number of valueless pieces of trash.

Conclusion

We’ve presented you with a lot of aspects to consider when choosing a SaaS cloud service. We suggested how to define your needs and how to confront them with the vendors’ offerings. We’ve also shown you what other aspects to consider besides the features.

As you already know, choosing the SaaS cloud service is the only moment when you have great leverage over the vendor. As soon as you start using the service and put your data there, the vendor’s leverage starts to grow. And it grows each day you use it. You have to be sure that you do business with an honest partner, who won’t take advantage of you. You also have to be sure that what you’re choosing is what you really need.

You may find following all these guidelines impossible. And you’re probably right. It would take a lot of time and resources to do it. You’re a busy person and don’t have time to analyze all these aspects. Your team may be quite busy too. But you still have to make a decision to choose and implement the SaaS cloud service. If you could take only two takeaways from this post, they would be:

  • Don’t choose the SaaS cloud service only by its features. Security, privacy, and support quality are at least equally important.
  • Analyze as many aspects as you can. Dedicate as much time and resources as you can to the task of choosing the SaaS cloud service. Ask every person you can and verify all information the vendor gives you. Make decisions as consciously as you possibly can.

Thank you for reading the post. If you like it, don’t forget to join and follow Netstero.com on LinkedIn or Facebook.
