This checklist provides a generic list of items to consider when evaluating a SaaS service.
- Is SAML based Single Sign-On supported? Make sure your company’s IDP is supported (Azure, Okta, etc) and make sure your company’s user name format is support (SSO is no longer SSO if name format is not supported).
- How are new users added? Manually, or automatically (consider the SCIM protocol if not aware already)
- How are users removed? Manually or automatically if removed from your enterprise directory?
- How are permissions applied to users? Manually in with the application or automatically (for the later, permissions assigned via Active Directory security groups provides central auditing advantages)
- Does the SaaS provider have security certifications (e.g. ISO27001)
- Has a third party independent PEN test been completed, if so, how often is it repeated?
- Is user and/or admin multi factor authentication available?
- Is there security auditing on who/ when / what? can this be automatically shipped to a log platform?
- Are the roles based permissions defined that an be leveraged?
- Who and what can SaaS provider staff access?
- Does the provider offer a bug bounty program? (this gives some insight into how serious they consider security)
- Where is your data stored, and do you have location restrictions to consider?
- Does the SaaS provider have a published disaster recovery plan?
- How often is the disaster recovery plan tested?
Backup and restore
- What is backed up by the provider, and what is your responsibility to backup?
- How often are backups taken?
- What is the process for restore? (how long does it take, can you restore only certain items, or is only full restore possible?)
- Is there capability for customers to take independent backups and store outside of the SaaS environment? (if so, can this be done automatically?)
Import / Export
- What data can be imported (and in what format) to assist with service setup?
- What data can be exported (and is the format useable) if you choose to leave the service?
- Is there published API availability to enable automation?
- Are the APIs sufficient to be useful?
- Is the licensing model understandable?
- Is the licensing approach for archived or non-active data/users treated differently? (paying full licences for archived users is never nice!)
- Is there useful management reports available?
- Is there a clear roadmap on how long versions are supported and when/ how upgrades are enforced?
- Is there a clear roadmap on upcoming features?
- Is the vendor actively developing the service? (this provides insight on their priority on the service)
- Is historic service availability publicly published?
Training and support methods
- Is there an online knowledge base?
- Is there a user forum?
- How are support tickets logged and what are the service level options?
If you liked this checklist, please give me a clap. If you have suggested additions please let us know via the comments.
Leave a Reply