Who owns your data? SaaS contract security, privacy red flags

Data center



Security teams can assess vendors’ policies on data handling, incident response, data regionalization, and privacy. They can evaluate a service-level agreement for things like availability and security metrics. They can also scrutinize the vendor’s security culture and practices, including third-party audits, and confirm features like multifactor authentication and data recovery. Ideally, companies should do real-time security assessments of these products, and be as thorough as possible. “For high-risk SaaS solutions, vendors may be subjected to a red teaming exercise for robustness,” Gibbons says.

Dumitru concurs. “While few SaaS will agree to be pen tested, it is still a question worth asking,” he says. “It is a good sign if a SaaS is able to answer all the data protection and information security questions and gives details on how it protects the data, ensures availability, and disaster recovery.”

Sadly, though, according to Manor, including security teams in the procurement process is not very practical in many cases. “A lot of the SaaS used today follows the Product-Led Growth methodology, which allows a user to use the product for free before buying, or for very cheap,” Manor adds. “As such, many SaaS services are being used in the organization before it gets to the procurement phase, and then it might be too late to back down.”

One way to address this is to have security teams keep an eye on SaaS products at all times, not just during the procurement process. “Oversight of the SaaS used is more important than gatekeeping what is going to be used,” Manor says. “The right thing to do, usually, is to use a product that helps you track risk of different SaaS services in use in your organization.”

Another avenue would be to look for more ethical SaaS providers. “The better solution to the problem is to reinvent SaaS one service at a time,” Nathan says. “Have [vendors say] we will provide you the software as a service on the data that you own and control wherever you keep the data, and we will not see the data. That’s the new thing that’s coming up, and in five years, I think that software as a service will be reinvented.” 
