Is your corporate identity protected?

Your online activity is of great interest to many people. On the consumer internet, the leading giants such as Facebook, Google, LinkedIn, and Microsoft have figured out how to observe and convert user activity data into their product. Our online behaviour on the consumer Internet is being aggregated, analysed and then sold as market insight. For example, Facebook has converted data gathered from its almost 2bn daily users into revenue of $8.6bn in 2016 alone. This revenue model is largely accepted in the B2C space and is expected to be extended to B2B online services and applications.

Software-as-a-Service (SaaS), a rapidly growing segment in the B2B software market, is changing the way many businesses access technology. Benefits such as lower upfront capital costs, ongoing vendor responsibility for upgrades, as well as multi-device and multi-location access makes a compelling business case for firms to use SaaS platforms. Large and small corporations are using these platforms, such as Salesforce, Xero, Office365 and Bloomberg Messenger.

While the benefits of adopting SaaS solutions are tempting, firms should proceed with caution. As many SaaS providers require their clients to integrate their technology with the platform, this introduces the risk of exposing information about the business, such as transaction trends, topics of interest and even employee profiles, depending on the jurisdiction of the provider. For banks and FIs in particular, employee identities in SaaS solutions are often non-portable, most notably on some front-office messaging platforms – there is no reason why they need to own that identity.

Corporate identity as well as digital identities of employees are the gateway to a business’ most critical assets. It is essential to understand the potential risks in integrating technology with SaaS providers, here are some points to consider to protect your corporate digital identity:

1. Understand the provider’s management of employee identities

It’s important to understand the fine print of contracts and Terms & Conditions to get a good handle on the permissions provided to the SaaS provider – what will they have access to, what will they do with your data?  For example, will the provider develop market insight from employee data or even offer these insights to third parties or competitors?  Using suppliers who will be compliant with the new European General Data Protection Regulation will provide added comfort.

Understanding how a platform uses employee identities and data will help avoid any unexpected surprises in how these are used to generate commercial value for others.

2. “Know your provider”

Firms should subject their providers to the same level of “know your counterparty” due diligence conducted for their clients.  Part of this due diligence should be to explore who else, other than the SaaS provider, will have access to the firm’s identities.  Some questions to ask include:

• What commitments does your SaaS provider make about future plans for their wider identity ecosystem?
• Who else is part of the SaaS provider’s ecosystem, and how to they integrate or share data with the other ecosystem players?
• As the SaaS ecosystem becomes more complex – with partnerships and integrations rampant, are you inadvertently giving other businesses access to insights about how your company is working through the actions of your employees?
• Are the side-effects of my use of their service – sometimes called ‘digital exhaust’ – valuable?  What happens to that data?

3. Retain control of confidentiality

Confidentiality of information is critical to financial services firms and it’s important for identities and information to remain under their control and used for their benefit.  Firms need to ensure the provider integrates with the firm’s technology – not the other way around.

Our philosophy at Taskize’s is that platforms and technology solutions should integrate with the client, not vice-versa. Our platform works easily with existing back-office processes and systems, without our clients ceding control of their employee identities and information.

We also ensure our clients own the administration and use of their employees’ identities, we will not use applications tied into an identity ecosystem out of our clients control. Our technology uses and supports open standards such as SAML which allows vendors to interoperate for the benefit of their clients.

While SaaS platforms provide access to a vibrant world of new services online which will be required to sustain competitive edge, it is important that corporations enter service agreements eyes wide open.