Commercial real estate is increasingly getting on board with the software distribution model, in which applications are hosted by a service provider and made available to users over the network, typically the Internet—i.e., “the cloud.” Many real estate technology applications are also Software as a Service (SaaS) platforms, including Honest Buildings, VTS, Hightower, CoStar Real Estate Manager, and SiteCompli. Other well-known applications are Microsoft Office 365 and Salesforce.
Real estate owners typically like this “on-demand” model because it allows them to reduce IT costs associated with traditional software management, patching, and upgrades. And having on-demand installations and licensing allows users to adopt a pay-as-you-go (or grow) model and decreases up-front expenses for IT purchases.
Adoption of Software as a Service—otherwise known as SaaS—is growing steadily, and Cisco predicts that by 2019, 59% of cloud workloads will be SaaS, up from 45% in 2014.
Before embracing CRE tech or any SaaS platform, companies need to remember that their information is no longer centrally contained within the four walls of their business. Therefore, security features must be considered while researching any new SaaS technology. Here are seven that both the technology users and technology providers should pay attention to:
1. User Information
What information is collected, how is it used, and how is it protected? This includes information collected from individual devices, such as usage data; sensitive information, such as bank account or credit card numbers; personally identifiable information; and information that is uniquely traceable (such as IP addresses or hardware identities). Very sensitive user information, like social security numbers, credit card numbers and birthdays, typically does not need to be stored. If a SaaS product asks for it, that should warrant extra scrutiny by the buyer.
How, at what intervals, and for how long does the platform back up its data? The vendor needs to ensure quick recovery in case data is compromised or corrupted in any way, and that the backup data is encrypted to prevent leakage of any sensitive information. Is the user independently responsible for that encryption?
3. Crisis Plans
It seems nearly every day we hear of a large data breach in the news; IBM’s recent Cost of Data Breach study found that 2015’s average consolidated total cost of a data breach is $3.8 million—a 23% increase since 2013. Is the SaaS vendor prepared for such a situation or other potential crises? What is its action plan for business continuity and disaster recovery? Does it undergo third-party security assessments to validate the security and integrity of its application and its deployment?
4. Server Resiliency
Businesses expect software to work when and where they need it. How is the SaaS vendor’s server resiliency, or its ability to recover quickly and continue operating despite an equipment failure, power outage, or other disruption? Often, this is achieved through the use of redundant servers, called “clustering.” So if one fails or experiences a disruption, the next one kicks in and takes over the service seamlessly (ideally, the end-user won’t even realize a disruption has occurred). Backup power supplies can also be used to keep servers running in case electricity goes down.
It's also worth noting that many SaaS vendors do not host their own servers, but instead use Infrastructure as a Service (IaaS) providers like Amazon or Azure. Typically, these providers have redundant power and network connectivity, and they have excellent physical infrastructure protection. However, it is still incumbent on the SaaS vendor to integrate the disaster recovery features that the IaaS vendor offers. For example, Amazon offers multiple physical sites, but unless the SaaS software is programmed to run across multiple physical sites, loss of a single Amazon site can take out the system.
5. Multi-factor Authentication
Many popular applications and websites—including LinkedIn, Twitter, Facebook, Office 365, and Dropbox—already use multi-factor authentication, also known as two-step/two-factor authentication or 2FA. It’s a second level of authentication after entering a password, such as supplying a PIN, temporary authorization number, or pre-determined mystery answer (like a father’s middle name or the city in which the user was born). Although not completely impervious to attacks or hackers, 2FA does add an extra layer of security and makes accessing data more difficult.
6. Data Encryption
As cloud computing increases, the need for encryption is a given. One conversation users should have with SaaS providers is regarding management and control of encryption keys, writes Linda Musthaler in Network World. “Even if the data is strongly encrypted, it's a compliance compromise if a cloud service provider has access to a full key that can decrypt the information without the data owner's knowledge or permission,” she said, pointing out that U.S.-based cloud vendors can be subpoenaed by the government to provide access to specific information; if the vendor holds the encryption key, it may be compelled to provide that to authorities as well.
7. Team Experience
If multiple team members are using the software platform, how does the vendor ensure privacy and that certain user data is not shared? Does the platform have features to control roles, privileges, and access in shared documents and workspaces?