May 7, 2018

What Is a SaaS Security Audit?

In the past, when companies purchased software solutions, it was the IT department that did all of the legwork to negotiate, procure and deploy the new system, whether it was intended for finance, human resources or marketing.

In the cloud-based era we're living in today, technology is far more accessible to less technical departments and teams. It's entirely possible for a CMO or a CFO to purchase and implement a new software solution without involving the CIO or IT team at all (not that this is always recommended).

Line-of-business leaders who haven't yet been through a couple dozen software deployments may not be aware of the ins and outs of a security audit: what it is, why you need one, how long it takes, and generally what to expect.

Enter Chris Henderson, Manager of Operations for Security Services at Workfront. We asked Chris a few basic questions that will help you navigate a SaaS security audit of your own.

Q: What is a SaaS security audit?

A: When you're considering purchasing a new SaaS (software as a service) solution for your business, it's important to ensure each vendor follows proper security protocols, so whatever data you'll be saving or sharing in their cloud-based system remains protected and private. A simple audit process will allow you, preferably with the involvement of your in-house IT or security team, to ask a series of questions that will help you gauge the risks and rewards of working with this vendor.

Obviously, the goal is for the system to be simple and accessible for authorized individuals but impenetrable to everyone else. It's a delicate balance. Realize that 100% security means 100% inaccessibility. If no one can get in without submitting a DNA sample, it won't be very usable. Simplicity is essential if you want your team to willingly use this thing. While no system is perfect, there are questions you can ask to make sure your potential vendor strikes the right balance between security and usability.

Q: Why perform a SaaS security audit?

A: If CYA isn't reason enough, think of protecting the business as a whole. You don't want to be responsible for selecting the one cloud-based vendor that puts your company's compliance audits in jeopardy or, heaven forbid, causes a security breach that damages the health or reputation of your company.

While it is true that most cloud-based companies have developed systems that match or exceed the security delivered by on-premises software—and yes, many of these firms eat, sleep and breathe security all day long—you should still never take a vendor's word for it. Get your IT team's inherent paranoia on your side so you can ask the right kinds of questions.

Q: Who should be involved in the audit?

A: The person who wants the solution, whether that's the head of marketing or finance, should take the lead on the SaaS security assessment. You want one individual to be gathering the data and acting as the go-between. But to protect yourself and your company as a whole, you'll want to also involve the most paranoid individuals in your company—namely, the IT and security team. They may not wear their tin foil hats to work, but they know what can happen; they've seen too much. Depending on how your company is structured, you may also involve your procurement team and your legal department.

You don't have to know the difference between SAS 70 and SSAE 16 to manage this process. Your IT team has been through this before. Ask them to help you prepare your list of questions, and have them review the responses you receive back. If issues occur with this vendor in the future, you definitely want to have a record that you consulted your in-house security experts at the right time in the process.

Q: When is the best time for an audit?

A: Definitely complete your security assessment before you seal the deal. Your vendor will be far more eager to answer all of your questions before you've given them your money. But don't wait until the day you're signing the contract. Start talking security as soon as you've narrowed down your final list of potential solutions. If you have just one candidate you're considering, get going on your security discussion as soon as you determine this is a viable option for you.

Q: How long will it take?

A: The entire process will usually take a couple of weeks. A lot of big companies have crazy RFP (request for proposal) security questionnaires that they send to all potential SaaS vendors as a matter of course. At Workfront, we just finished and returned a 38-page RFP from a potential client that had 20-25 questions per page.

If you're not sharing data of a particularly sensitive nature, you won't need to go that far. There's a big difference between meeting minutes and calendars and the top-secret ingredients of your company's secret sauce. You can and should expect strong security no matter what you're storing in the vendor's cloud, but not every type of data needs to be subjected to the same internal security requirements.

Q: What questions should I ask in my audit?

A: The questions will vary based on the type of data you'll be storing, but here are some general questions to get you started:

  • Do they support encryption at rest?
  • Do they support encryption in transit?
  • Do they support SSO (single sign-on)?
  • Do they do regular penetration tests?
  • What compliances and certifications do they have?
  • Do they have an incident response plan?
  • Do they have a disaster recovery policy and plan?

No Need for a Decoder Ring

If you're a line-of-business leader who finds yourself in charge of a security assessment for a new cloud-based service provider, don't feel like you have to invest in a decoder ring. Just because you're the one asking the questions, that doesn't necessarily mean you have to fully understand all of the answers. After all, the SaaS industry is rife with inscrutable acronyms—SSO, LDAP, AICPA, SAML, SOC 1 Type 2, SOC 2 Type 2.

Just seek the help of the right internal teams (the ones with the tinfoil hats). If they give you the thumbs up on both the questions you're asking and the responses you receive back, then you can proceed with confidence.

Copyright © 2021 Workfront, Inc. All Rights Reserved.