URL: https://thenewstack.io/how-to-assess-integration-security-risks-when-evaluating-saas-vendors/

How To Assess Integration Security Risks When Evaluating SaaS Vendors
Data / DevOps / Security

Assessing integration security risks across prospective SaaS vendors has been critical in helping us pinpoint the most secure vendors over time.
Jun 24th, 2024 10:00am by Gil Feig
Image by Dom Ide from Pixabay.

One of our top priorities since founding Merge has been ensuring that our integrations are as secure as possible.

With this goal in mind, we’ve built out several features, invested in certain infrastructure, and adopted specific policies that go beyond the industry’s highest standards of security and privacy for keeping customer data protected.

These experiences have also informed our approach for evaluating prospective SaaS vendors’ integrations, which is a key part of our criteria when gauging these vendors’ security risks.

I’ll break down this part of our security evaluation process in the hopes that it helps you add something similar to your company’s third-party risk management process.

Defining a Data Classification Framework and Taking Inventory of Our Data

To gauge the impact of these integrations as we onboard new vendors, we first needed to classify and inventory the data we hold across our existing systems. Our security team built a data classification system that lays out how sensitive each type of data is.

More specifically, they created four buckets, where each is associated with a certain type of data.

  • Restricted: Data whose exposure would harm both our business and our customers' businesses, such as integration credentials and production integration data
  • Confidential: Data that would cause significant damage to our business if made public, such as internal strategy documents or sensitive financial data
  • Internal use: Data that all full-time employees can access but may not share externally, such as the employee handbook
  • Public: Data that can be shared with anyone and is likely already available online, such as our open roles

It’s worth noting that these buckets and their respective definitions can vary from company to company, as it depends on an organization’s risk tolerance, target industry, product and other factors.

After defining these buckets, our security team worked to create an inventory of data across the organization to track where each type of data is stored. Once done, they built an intake form for vendor submissions that took the whole picture into account when evaluating prospective vendors’ integrations.

Kicking Off the Vendor Review Process

As part of our vendor intake form, we ask the requestor to list any integrations they plan to build to the SaaS tool and the use cases associated with the integrations.

This is combined with our data inventory and the rest of the requestor's submission. From all of it, the security team derives an initial risk score for the vendor, which drives the next steps in the process.

For instance, a vendor that only needs access to publicly available data can be approved without further review. But if a vendor requires confidential data through integrations, our team asks about its policies for managing integration credentials and scopes (covered in the next section).

Working With Vendors To Review Potential Areas of Concern in Depth

Once the requestor’s intake form is completed and it’s determined that the vendor requires a security review, our team will send the vendor a security questionnaire.

Part of the questionnaire asks for specific details that help determine how they manage access to integration data and credentials. And since this information is often not included in the scope of security compliance frameworks or in more generic security documentation, it’s critical that they provide these details to us directly.

For example, the security team digs into how a prospective vendor's security policies apply to authentication credentials such as API keys or OAuth tokens: who within the vendor's organization can actually access the credential, how the vendor's application stores it, and how it is handled in logging and monitoring (a credential written in plaintext to application logs is effectively shared with everyone who can read those logs).

In addition, the security team ensures (often through follow-up questions for the vendor) that the scopes the integration requests match what its use case actually requires. For instance, if a tool only needs access to the names of our employees but requests an API key or OAuth token with admin access to our HRIS system, we ask the vendor whether the tool still functions when granted a more limited scope.
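Putting the intake triage and the scope check together, here is an added example in Python of the kind of script a security team could run over intake-form submissions. It is not Merge's tooling and not code from the article. It scores a request by the data the requested credential can actually reach, by joining the form's integrations with the data inventory, rather than by the data the requestor says the tool needs, and it lists scopes that exceed the stated use case along with a tighter scope set if the target system offers one. The systems, data types and scope names are hypothetical; the four classification buckets are the article's.

```python
"""Intake triage for a prospective SaaS integration.

Added example, not Merge's own tooling or process code. It scores a request by
the data the requested credential can actually reach (joining the intake form
with the data inventory) and flags scopes that exceed the stated use case. The
systems, data types and scope names are hypothetical; the four classification
buckets come from the article."""
from dataclasses import dataclass

# Classification buckets, least to most sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Data inventory: system -> data type -> classification (constructed sample).
INVENTORY = {
    "hris": {"employee_names": "internal",
             "salaries": "confidential",
             "ssn": "restricted"},
    "careers_site": {"open_roles": "public"},
    "crm": {"account_names": "internal", "deal_values": "confidential"},
}

# Which data types each OAuth scope or API-key role exposes in each system.
# Hypothetical scope names; a real map comes from the system's API docs.
SCOPE_GRANTS = {
    "hris": {
        "employees.read.basic": {"employee_names"},
        "employees.read": {"employee_names", "salaries"},
        "admin": set(INVENTORY["hris"]),  # admin reaches everything the system holds
    },
    "careers_site": {"jobs.read": {"open_roles"}},
    "crm": {
        "accounts.read": {"account_names"},
        "deals.read": {"deal_values"},
        "admin": set(INVENTORY["crm"]),
    },
}


@dataclass(frozen=True)
class IntegrationRequest:
    """One line of the vendor intake form."""
    vendor: str
    system: str              # the system the vendor wants to integrate with
    requested_scopes: tuple  # scopes the vendor's consent screen asks for
    needed_data: frozenset   # data types the requestor's use case needs


def rank(level):
    return LEVELS.index(level)


def reachable_data(system, scopes):
    """Every data type the granted scopes can reach, with its classification."""
    grants = SCOPE_GRANTS[system]
    unknown = [s for s in scopes if s not in grants]
    if unknown:
        raise ValueError(f"unknown scope(s) for {system}: {unknown}")
    reached = set().union(*(grants[s] for s in scopes)) if scopes else set()
    return {d: INVENTORY[system][d] for d in reached}


def effective_level(system, scopes):
    """Highest classification the credential can reach, not what the requestor says it needs."""
    reached = reachable_data(system, scopes)
    return max(reached.values(), key=rank, default="public")


def excess_scopes(system, scopes, needed):
    """Requested scopes that expose data outside the stated use case."""
    grants = SCOPE_GRANTS[system]
    return sorted(s for s in scopes if not grants[s] <= needed)


def least_privilege_scopes(system, needed):
    """Scopes that expose only needed data and together cover it; None if the
    system offers no such combination (then no tighter scope exists to ask for)."""
    grants = SCOPE_GRANTS[system]
    fitting = sorted(s for s, g in grants.items() if g <= needed)
    covered = set().union(*(grants[s] for s in fitting)) if fitting else set()
    return fitting if covered >= needed else None


def triage(req):
    """Initial risk decision for one intake request. The public and confidential
    rules follow the article; sending internal-only data to a standard review
    is an assumption of this example."""
    level = effective_level(req.system, req.requested_scopes)
    excess = excess_scopes(req.system, req.requested_scopes, req.needed_data)
    minimal = least_privilege_scopes(req.system, req.needed_data)
    if level == "public" and not excess:
        decision = "approve"
    elif rank(level) >= rank("confidential"):
        decision = "questionnaire: credential handling and scope reduction"
    else:
        decision = "standard review"
    return {
        "vendor": req.vendor,
        "effective_level": level,
        "excess_scopes": excess,
        "least_privilege_scopes": minimal,
        "decision": decision,
    }


if __name__ == "__main__":
    # The article's case: a tool that needs employee names but asks for HRIS admin.
    print(triage(IntegrationRequest("acme-directory", "hris", ("admin",),
                                    frozenset({"employee_names"}))))
```

Two outputs are worth reading closely. When `least_privilege_scopes` returns a list, the follow-up to the vendor is concrete ("does the tool work with `employees.read.basic`?"); when it returns `None`, the target system's API offers no finer scope, so the residual exposure is a property of that system and belongs in the risk score rather than in a question to the vendor.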

Integration security is just one piece of the puzzle when determining how risky a SaaS vendor is for our business. We also need to determine whether they comply with certain security regulations (e.g., GDPR), pass particular audits (e.g., SOC 2 Type 2), and so on.

That said, assessing integration security risks across prospective SaaS vendors successfully has been critical in helping us pinpoint the most secure vendors over time. Hopefully, it can do the same for you.

Gil is the co-founder and CTO of Merge, the leading unified API platform. Previously, Gil was the Head of Engineering at Untapped and worked as a software engineer at Wealthfront and LinkedIn. A graduate of Columbia University, he lives and...