SaaS Third Party Support/Suppliers Access

I have asked a similar question recently but I need a little clarification.

When you have an ERP system that is hosted and supported by the ERP supplier, what is best practice for controlling their access?

I fully appreciate that they need access and this is all part of a SaaS implementation; I just don’t think the supplier should be saying, "we have highly privileged access to your system whenever we want because that’s what you signed up for". Surely access can be controlled in some way to give our company assurance that data is protected from unauthorised access by the supplier whilst not preventing them being able to effectively support the system.

There are two ways that access can be gained: 1) directly to the database, 2) through the application.
1) As a company we don’t have access to the database, so I can understand they will need access to this in order to provide support. But is access given to 100+ techies in the supplier’s business or just a handful of people who are managing our support contract?
My understanding is that direct access to the database isn’t that easy in terms of just having a browse through our data and committing fraudulent transactions.

2) I understand they will need some access, and no doubt highly privileged access, to the application, but realistically does this need to be enabled all the time? If we have an issue but the system is still live and working and we just need some assistance, surely we would have more control if their accounts are disabled by default; then in this scenario we can enable them until their work is complete. However, I’m not sure how this works if the system is down and we can’t access it from our location. If their accounts in the application are disabled, can they still support the system in this type of event?

Like I said, I understand they need access, but I think this needs to be balanced with securing our data from free-for-all access by the supplier and still being able to effectively support the system.

From the previous question I know there are specific products that can be used like DB Vault for Oracle, but I think this is more about accounts and whether these remain enabled or can be disabled.  Or any other way just to give some control over the access by the supplier.

1) You'd literally have to ask them for their policies. Generally speaking, it should be just the set of people who have reason to work on your account. However, that is an organization to organization decision. At least you're thinking enough to ask.

2) That goes against the idea of SaaS. If you wanted that level of control on a system that's not located within your building, you'd actually have a collocated system.

As you know, you give up a lot of control in going with SaaS solutions. However, it doesn't prevent you from being able to ask about their policies and raising issues.

You have no control over their access per se, but you can have things written into an agreement. Ideally, this would've been a question that was asked before signing up with the provider. However, you can have management and the legal team review the agreement, and devise a strategy for how to go about communicating with the ERP provider to address any concerns.

jdc1944 (Author) Commented:
Thanks for your input