SaaS Third Party Support/Suppliers Access

jdc1944 used Ask the Experts™
I have asked a similar question recently but I need a little clarification.

When you have an ERP system that is hosted and supported by the ERP supplier, what is best practice for controlling their access?

I fully appreciate that they need access and this is all part of a SaaS implementation, I just don’t think the supplier should be saying, we have highly privileged access to your system whenever we want because that’s what you signed up for. Surely access can be controlled in some way to give our company assurance that data is protected from unauthorised access by the supplier whilst not preventing them from being able to effectively support the system.

There are two ways that access can be gained: 1) directly to the database, 2) through the application.
1) As a company we don’t have access to the database, so I can understand they will need access to this in order to provide support. But is access given to 100+ techies in the supplier’s business or just a handful of people who are managing our support contract?
My understanding is that direct access to the database isn’t that easy in terms of just having a browse through our data and committing fraudulent transactions.

2) I understand they will need some access, and no doubt highly privileged access, to the application, but realistically does this need to be enabled all the time? If we have an issue but the system is still live and working and we just need some assistance, surely we would have more control if their accounts are disabled by default; then in this scenario we can enable them until their work is complete. However, I’m not sure how this works if the system is down and we can’t access it from our location. If their accounts in the application are disabled, can they still support the system in this type of event?

Like I said, I understand they need access, but I think this needs to be balanced with securing our data from free-for-all access by the supplier while still being able to effectively support the system.

From the previous question I know there are specific products that can be used like DB Vault for Oracle, but I think this is more about accounts and whether these remain enabled or can be disabled.  Or any other way just to give some control over the access by the supplier.
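The disabled-by-default approach in point 2, with a time-boxed grant for routine support and a separate short break-glass window for the outage case, can be written down as a small policy model. The Python below is an added example, not code from the question or from any ERP supplier; the account name, ticket references and e-mail addresses are constructed placeholders, and the grant durations are assumptions rather than values from any product.

```python
"""
Just-in-time enablement of supplier support accounts (illustrative model).

Supplier accounts are disabled unless a grant is currently open. Customer
staff open a time-boxed grant tied to a support ticket. A break-glass path
covers the case where the system is down and the customer cannot reach it:
the supplier may self-enable for a short window, and every use is logged
and flagged for after-the-fact review.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """One time-boxed enablement of a supplier account."""
    account: str
    ticket: str          # support or incident ticket the access is tied to
    approved_by: str     # customer staff, or the supplier on-call for break-glass
    start: datetime
    end: datetime
    break_glass: bool = False


@dataclass
class VendorAccessPolicy:
    """Account is enabled only while an unexpired grant exists (assumed limits)."""
    max_grant: timedelta = timedelta(hours=8)           # longest routine window
    break_glass_window: timedelta = timedelta(hours=2)  # outage path, kept short
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _log(self, now, event, grant):
        self.audit_log.append((now.isoformat(), event, grant.account,
                               grant.ticket, grant.approved_by))

    def open_grant(self, account, ticket, approved_by, now, duration):
        """Routine path: customer enables the account for a bounded period."""
        if not ticket:
            raise ValueError("a support ticket reference is required")
        if duration <= timedelta(0) or duration > self.max_grant:
            raise ValueError(f"duration must be within (0, {self.max_grant}]")
        grant = Grant(account, ticket, approved_by, now, now + duration)
        self.grants.append(grant)
        self._log(now, "grant_opened", grant)
        return grant

    def break_glass(self, account, ticket, requested_by, now):
        """Outage path: supplier self-enables for a short window; flagged for review."""
        if not ticket:
            raise ValueError("break-glass use must cite an incident ticket")
        grant = Grant(account, ticket, requested_by, now,
                      now + self.break_glass_window, break_glass=True)
        self.grants.append(grant)
        self._log(now, "break_glass_used", grant)
        return grant

    def is_enabled(self, account, now):
        """True only while some grant for this account covers 'now'."""
        return any(g.account == account and g.start <= now < g.end for g in self.grants)

    def revoke(self, account, now, revoked_by):
        """Close open grants early once the supplier confirms the work is done."""
        closed = 0
        for g in self.grants:
            if g.account == account and g.start <= now < g.end:
                g.end = now
                self._log(now, f"revoked_by:{revoked_by}", g)
                closed += 1
        return closed

    def break_glass_uses(self):
        """Grants the customer should review after the fact."""
        return [g for g in self.grants if g.break_glass]


def demo():
    """Walk through the scenarios in the question with constructed sample data."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    policy = VendorAccessPolicy()
    acct = "erp_vendor_support"                              # placeholder account
    staff = "it.manager@customer.example"                    # placeholder approver

    # Routine support: enabled for 2 hours against a ticket, off again afterwards.
    policy.open_grant(acct, "TKT-1001", staff, t0, timedelta(hours=2))
    routine_during = policy.is_enabled(acct, t0 + timedelta(hours=1))
    routine_after = policy.is_enabled(acct, t0 + timedelta(hours=3))

    # Work finishes early: revoke, and the account is off immediately.
    policy.open_grant(acct, "TKT-1002", staff, t0 + timedelta(hours=4), timedelta(hours=4))
    policy.revoke(acct, t0 + timedelta(hours=5), staff)
    revoked = policy.is_enabled(acct, t0 + timedelta(hours=5, minutes=1))

    # Overnight outage, customer cannot reach the system: supplier uses break-glass.
    policy.break_glass(acct, "INC-7", "oncall@vendor.example", t0 + timedelta(hours=14))
    bg_during = policy.is_enabled(acct, t0 + timedelta(hours=15))
    bg_after = policy.is_enabled(acct, t0 + timedelta(hours=17))

    # A request longer than the policy maximum is refused.
    try:
        policy.open_grant(acct, "TKT-1003", staff, t0, timedelta(hours=12))
        overlong_rejected = False
    except ValueError:
        overlong_rejected = True

    return {"routine_during": routine_during, "routine_after": routine_after,
            "revoked": revoked, "break_glass_during": bg_during,
            "break_glass_after": bg_after, "overlong_rejected": overlong_rejected,
            "break_glass_uses_to_review": len(policy.break_glass_uses()),
            "audit_events": len(policy.audit_log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that "disabled by default" does not have to mean "unreachable during an outage": the break-glass path keeps the supplier able to act, but bounds the window, requires a ticket reference, and leaves a record the customer reviews afterwards, which is the kind of control that can be written into the support agreement.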
Distinguished Expert 2018
1) You'd literally have to ask them for their policies. Generally speaking, it should be just the set of people who have reason to work on your account. However, that is an organization to organization decision. At least you're thinking enough to ask.

2) That goes against the idea of SaaS. If you wanted that level of control on a system that's not located within your building, you'd actually have a collocated system.

As you know, you give up a lot of control in going with SaaS solutions. However, it doesn't prevent you from being able to ask about their policies and raising issues.

You have no control over their access per se, but you can have things written into an agreement. Ideally, this would've been a question that was asked before signing up with the provider. However, you can have management and the legal team review the agreement, and devise a strategy for how to go about communicating with the ERP provider to address any concerns.


Thanks for your input
