Smartsheet security review

Does the SaaS provider protect external data in transit using TLS?

Yes

Smartsheet uses proven transport layer security (TLS) technology from the most trusted providers to encrypt all data transmissions between your device and our servers, commonly referred to as on-the-wire encryption.

Does the SaaS provider protect external data in transit using correctly configured certificates?

Yes

Smartsheet meets the recommended cryptographic profiles for TLS as published by the NCSC. In addition, the Smartsheet domains currently get an ‘A’ rating from Qualys SSL Labs. Note that this was performed on their top level domain, and not all subdomains that may be used for API calls.

Does the SaaS provider protect internal data in transit between services using encryption?

Unknown

At this time, it is unknown whether Smartsheet protects internal data in transit using encryption. Smartsheet data is all stored at REST with NIST approved ciphers.

Does the SaaS provider protect internal data in transit between services using correctly configured certificates? 

Unknown

At this time, it is unknown whether Smartsheet protects internal data in transit using correctly configured certificates.

If APIs are available, does the SaaS provider protect both internal and external APIs through an authentication method?

Yes

The Smartsheet API uses OAuth 2.0 for authentication and authorization. However, at this time, it is unknown whether Smartsheet protects internal data in transit using a similar method.

If there is a concept of privilege levels in the service, does the SaaS provider have the ability for low privilege users to be created?

Yes

Smartsheet’s lowest privilege user ‘Viewer’ will have read-only access to the resource. This can information be found under the Access Levels header in their API documentation.

If there is a concept of privilege levels, does the SaaS provider provide 2FA/multi-factor authentication on at least the high privileged accounts?

Yes

SysAdmin on Enterprise plans, or on Team Plans who purchase our Security Add-On package, have the ability to set up SSO/SAML (with O365 or G-Suite) authentication with Smartsheet. 

Does the SaaS provider collect logs of events?

Types of log may include security logs and resource logs

Yes

Smartsheet records logs in case of a security incident and will then disclose them with the relevant parties. Does the provider make logs available to the client?

Yes

If the client is directly affected by a security incident then the account administrator (sys admin) will be notified.

Does the SaaS provider have a clear incident response and patching system in place to remedy any publicly reported issues in their service, or libraries that the service makes use of?

The provider’s previous track record on this is a good metric to see how they’ll cope with a new issue occurring.

Yes

Smartsheet discloses all security incidents that affect customer data. Admins are alerted when incidents occur and the status of the system can be viewed on their status page. Does the SaaS provider give clear and transparent details on their product and the implemented security features (i.e. how easy has it been to answer the above questions) ? Yes It is very easy to find out information about Smartsheet. The Smartsheet Security Statement is easily accessible and contains useful information.

Source: NCSC