
The Zatik SaaS Safety Bar


Futuristic cyber car generated using Dall-e

Why do we call it the Zatik Safety Bar if Zatik is a cybersecurity company? And why did we create it at all?


Taking inspiration from the automotive industry, where features that protect a vehicle's occupants - airbags, seatbelts, speedometers - are simply included in the price of the base model rather than sold as luxury add-ons, Zatik has identified 9 key safety features for SaaS applications and software that we believe should be included by default in base tier offerings. In many markets automotive safety features are mandated by government regulation; no equivalent mandate currently exists in the SaaS and software industry. We built the Zatik Safety Bar for our own use when evaluating products for our clients. In the spirit of our Values, we are sharing our thoughts with the larger community.


In addition to its use in product evaluations, the Zatik SaaS Safety Bar also gives application developers guidance about which features the security community considers important for SaaS applications.


The Zatik SaaS Safety Bar

To meet the Zatik Safety Bar requirements, a feature must be:


  1. Available on all versions of the product, regardless of free or paid tier.

  2. Documented in a way that customers can review before signing up for the service or agreeing to terms of service.


When using the Zatik Safety Bar, we do note whether a company offers a feature only on a paid tier rather than not at all, since paying for the higher tier is still a way for a customer to meet the Zatik Safety Bar expectations while using the tool. Companies look to SaaS tools to solve a specific business problem, and in some business critical cases paying extra for core safety features may be the only option. When noting features gated by a paid tier, we excluded tiers that do not list a public price.


The Zatik Safety Bar evaluates if products:

  1. Offer Two Factor Authentication

  2. Provide an admin mechanism requiring that all users of a team/tenant/product have Two Factor Authentication enabled

  3. Support SSO integration without requiring Enterprise tier “SSO Tax” upgrades

  4. Offer a basic form of Role Based Access Control to separate administrative functions from normal users

  5. Offer an Audit Trail inside the application

  6. Allow an Administrator to force another user to log out or otherwise revoke their access to the SaaS app (not dependent on SSO)

  7. Allow the Administrator to set a password complexity policy for users of a team/tenant/product

  8. Encrypt data in transit

  9. Allow Admins to destroy their data


An image version of the Zatik SaaS Safety Bar
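To make the admin-side measures concrete, here is an added illustration (not code from the original post or from any Zatik product) of what measures 2, 4, 5 and 6 look like inside a service: a hypothetical `SaaSAuth` class, with constructed users `alice` (admin) and `bob`, in which the tenant-wide MFA requirement is enforced at login, admin-only actions are gated by a role flag, every sensitive action is written to an in-app audit list, and an admin can revoke another user's sessions. The names and structure are assumptions made for the example. It also shows something the list alone does not: turning on the MFA requirement does not end an already-issued session, which is why a forced logout that works without SSO is its own measure.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str
    tenant: str
    mfa_enrolled: bool = False
    is_admin: bool = False  # the basic RBAC split of measure 4: admin vs normal user


@dataclass
class Tenant:
    name: str
    require_mfa: bool = False  # the tenant-wide MFA requirement of measure 2


class SaaSAuth:
    """Hypothetical server-side auth layer for one SaaS tenant (constructed example).
    Sessions are looked up in the service's own store on every request, so an admin
    revocation (measure 6) takes effect immediately and needs no SSO provider; admin
    actions and denied logins go to an in-app audit trail (measure 5)."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.tenants: dict[str, Tenant] = {}
        self.sessions: dict[str, tuple[str, float]] = {}   # token -> (username, issued_at)
        self.audit: list[tuple[float, str, str, str]] = []  # (time, actor, action, target)

    def _log(self, actor: str, action: str, target: str) -> None:
        self.audit.append((time.time(), actor, action, target))

    def _require_admin(self, actor: str, tenant: str) -> None:
        user = self.users.get(actor)
        if user is None or user.tenant != tenant or not user.is_admin:
            self._log(actor, "denied_admin_action", tenant)
            raise PermissionError(f"{actor} is not an admin of tenant {tenant}")

    def set_require_mfa(self, admin: str, tenant: str, required: bool) -> None:
        """Admin-only: require MFA enrollment for every user of the tenant."""
        self._require_admin(admin, tenant)
        self.tenants[tenant].require_mfa = required
        self._log(admin, f"set_require_mfa={required}", tenant)

    def login(self, username: str, mfa_passed: bool) -> str:
        """Assumes the caller already verified the primary credential; enforces
        the tenant MFA policy and the second factor, then issues a session token."""
        user = self.users[username]
        tenant = self.tenants[user.tenant]
        if tenant.require_mfa and not user.mfa_enrolled:
            self._log(username, "login_denied_mfa_not_enrolled", user.tenant)
            raise PermissionError("tenant policy requires MFA enrollment")
        if user.mfa_enrolled and not mfa_passed:
            self._log(username, "login_denied_mfa_failed", user.tenant)
            raise PermissionError("second factor failed")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, time.time())
        self._log(username, "login", user.tenant)
        return token

    def authorize(self, token: str) -> Optional[str]:
        """Called on every request; an unknown or revoked token yields None."""
        entry = self.sessions.get(token)
        return entry[0] if entry else None

    def revoke_user_sessions(self, admin: str, target: str) -> int:
        """Admin-only forced logout: drop every live session of target."""
        self._require_admin(admin, self.users[target].tenant)
        doomed = [t for t, (u, _) in self.sessions.items() if u == target]
        for t in doomed:
            del self.sessions[t]
        self._log(admin, "revoke_sessions", target)
        return len(doomed)


def demo() -> dict:
    """Walk through the scenario with constructed users and return the outcomes."""
    auth = SaaSAuth()
    auth.tenants["acme"] = Tenant("acme")
    auth.users["alice"] = User("alice", "acme", mfa_enrolled=True, is_admin=True)
    auth.users["bob"] = User("bob", "acme")  # constructed user with no MFA enrolled
    out = {}
    bob_token = auth.login("bob", mfa_passed=False)          # no policy yet: allowed
    out["bob_authorized_before"] = auth.authorize(bob_token)  # "bob"
    auth.set_require_mfa("alice", "acme", True)               # admin turns on tenant MFA
    try:
        auth.login("bob", mfa_passed=False)
        out["bob_login_after_policy"] = "allowed"
    except PermissionError:
        out["bob_login_after_policy"] = "denied"
    out["bob_session_survives_policy"] = auth.authorize(bob_token) == "bob"  # True
    out["revoked"] = auth.revoke_user_sessions("alice", "bob")  # 1 session dropped
    out["bob_authorized_after"] = auth.authorize(bob_token)     # None
    out["audit_actions"] = [a for _, _, a, _ in auth.audit]
    return out


if __name__ == "__main__":
    print(demo())
```

Because `authorize()` consults the server-side store on every request, `revoke_user_sessions()` is effective on the very next request. A purely stateless signed token with no server-side check would remain valid until it expires, which is the failure mode measure 6 is meant to rule out.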

How does the Zatik Safety Bar help companies manage their risk?


A SaaS product that meets every measure on the Zatik Safety Bar isn't necessarily 100% secure; similarly, a product that does not meet the Zatik Safety Bar is not necessarily insecure. The Zatik SaaS Safety Bar looks for the presence of certain features in order to communicate what a product offers by default. The presence, or absence, of safety features in software indicates what was prioritized in a product's design process. When you use a SaaS vendor you need to be able to trust that their application is coded in a secure way, is operating in a secure production environment, and is administered from a secure enterprise network. Large customers can often get additional non-public information about these topics from the SaaS vendor under NDA; however, the SMB clients that Zatik works with are not going to get this information, and in fact might not even have a way to talk to a SaaS vendor outside of public customer support channels.


Just as a car is designed to be driven on a road full of potential dangers, SaaS products cannot be built without considering the Internet they will operate on. MFA is not a total mitigation for the threat of stolen credentials, basic role-based access control can still allow users to delete data they have access to, audit trails might not help if a company doesn't have the security staff to review them, and a forced logout still means that an attacker did get in. However, when making purchasing decisions we recommend our clients select SaaS applications that meet as many of the 9 Zatik Safety Bar measures as possible. The presence of these features gives customers of a product the opportunity to make secure operational choices and use an application in a safe manner, while their absence limits a customer's ability to protect themselves.


Using the security features of the SaaS apps you're already paying for can be confusing. Creating company-specific guides and strategies is one of the services we offer at Zatik Security. If you are building a business and need a team of experts to help you securely configure your assets, please get in touch.
