The sudden increase in remote working arrangements during the pandemic has spurred rapid adoption of cloud-based tools for collaboration across a range of legal functions, from document storage to contract management.

While many workers love the flexibility that these tools enable, it’s important to ensure that the applications your business uses offer just as much security as they do convenience.

More and more of the contract data that businesses store in the cloud today is highly sensitive, and a growing proportion of the people accessing it are third parties such as legal counsel and contractors. This shift has made the need for strong cybersecurity measures greater than ever.

But how can you be sure that a cloud service provider (CSP) is taking adequate steps to protect your data? With software vendors around the world vying for a share of your tech budget, you need a systematic approach to assessing what they offer.

‍

Here are 11 essential security measures that you should look for in every SaaS platform:

‍

1. Public Disclosures

A CSP should provide easy access to a privacy policy and a longer privacy statement on its website. The policy outlines what data the company collects, how it uses personal information, and how it shares that sensitive information with third parties. The statement adds detail regarding protocols for data storage and transfers.

‍

2. Certifications

These will demonstrate compliance with applicable data privacy laws such as the GDPR (the EU’s General Data Protection Regulation), the CCPA (California Consumer Privacy Act), or any other regulations to which the company is subject.

Keep an eye out for SOC 2 certifications, which are designed specifically to audit the processes and controls that CSPs employ to protect customer data.

‍

3. Zero-Trust Access Framework

IT professionals used to take a “castle and moat” approach to online access. Anyone inside the castle (i.e., an employee accessing the office computer network) was considered safe, because people perceived the threats to be outside the moat.

However, with more than half of data breaches caused by someone on the inside, it’s clear that the old approach doesn’t suffice. Strong passwords are still part of the formula, but a secure platform requires better defenses against social engineering and unauthorized access, such as multi-factor authentication and role-based access.

These endpoint security measures help to keep bad actors out of the network–and away from customer data.

‍

4. Role-Based Access

Part of the zero-trust framework is restricting access to people who actually need it, when they need it. This is known as the principle of least privilege.

Instead of letting every user access every document, a good SaaS platform will allow you to designate different levels of access for different groups, including both the types of files they can access, and what sorts of actions they’re authorized to take within the platform. This approach promotes both local network security and cloud security by ensuring that even someone with legitimate reasons to access the computer system can’t compromise files that don’t pertain to their work.

‍

5. Single Sign-On (SSO)

On the other hand, some platforms require too many manual processes to sign in to different tools and interfaces. We’ve all experienced the frustration of having to log in yet again when moving from one part of a website to another.

A good CSP will eliminate those slowdowns by implementing SSO into its system, balancing computer security with convenience so that your team can keep working.

‍

6. Data Encryption

Data security doesn’t stop with access management. CSPs must always use the latest best practices to encrypt customer data such as credit card information, both when it is in storage and while users are actively transmitting it.

‍

7. Data Auditing

Data privacy regulations focus on the transfer of data between entities. You can be held liable for the actions of your business partners if they don’t take adequate measures to protect the data you send to them. A CSP should keep track of who has accessed which data and when, so that you can conduct audits as necessary.

‍

8. Threat and Vulnerability Management

Protecting against internal threats is necessary, but it’s still not the full picture. External threats remain, and CSPs must be diligent about testing for potential security issues such as malware and other malicious software from the moment they begin development of their applications.

‍

9. Configuration Management

Beyond the software itself, it’s important for CSPs to prevent the deployment of misconfigurations of their software. Disorganized deployments or ad hoc modifications can create weaknesses in the system that might be susceptible to cyber attacks. It’s up to the CSP to ensure that customers use tried and true methods to implement their software.

‍

10. Cyber Resiliency

No matter how well prepared a business and its vendors are, breaches and failures will still eventually happen. A CSP must have reliable plans in place beforehand to ensure business continuity by promptly restoring service and recovering data from secure backups.

‍

11. Penetration Testing

Bad actors are constantly evolving, so SaaS providers need to evolve faster. CSPs must conduct penetration testing of their systems on at least an annual basis in order to ensure that they are ready to defend against the latest threats.

‍

How does Evisort stack up?

When it comes to security, Evisort walks the walk. Evisort publicly offers a privacy policy, a privacy statement, and a statement addressing GDPR compliance on the company website. You can also see the results of the company’s successful SOC 2 Type 2 audit, completed by an independent CPA firm.

In addition, the zero-trust framework is already in place within the Evisort platform. Let’s say you need different levels of access to different groups of documents for your sales team, your in-house legal team, your procurement team, your outside legal counsel, and all of the customers, vendors, and lawyers on the other side of the table.

Evisort allows you to assign a specific role to each group so that every user has access only to the documents they need, when they need them.

Evisort uses industry best practices for data security, including classifying sensitive data and encrypting data both while in flight and when at rest. On top of that, Evisort has detailed business continuity, data protection, incident response, and asset management plans, and leverages effective change management processes and controls.

We’re committed to providing best-in-class security to protect customer data.

Want to learn more about best practices for data security in the cloud? Download our white paper here!