SaaS Security: Basic Principles and Best Practices
Security is one of the main reasons why many businesses, especially small and medium businesses hold themselves back from taking advantage of powerful cloud technologies. The total cost of ownership was once the main roadblock for potential SaaS customers, but security is now arguably on top of the list. The concerns about SaaS security grew as more and more users started embracing the new technology, but is everything all that bad as online reviews and opinions suggest? That’s exactly the question this post aims to address while focusing on best SaaS security practices and basic principles.
What Puts SaaS Apps at Risk?
Compared to traditional network systems, cloud computing systems are highly concentrated because of the virtualization technology, which allows single servers to hold data of multiple clients and many virtual machines. This means that if someone hacks a single server, it puts many virtual machines or data of many customers at risk.
Of course, this is only one of the risks associated with using SaaS apps, but it’s the most fundamental one. The technology that brings cloud computing to the masses can also be a risk, but the underlying technologies have come a long way since virtualization’s early days and have become much more mature and secure.
While identity management using technologies such as SSO (Single Sign On) allow businesses to extend role-based access into their SaaS apps, the field in general is still not there yet. Leading providers such as Google and Salesforce do have secure data connectors in place, but things can get complicated when customers are using a lot of SaaS apps.
Many cloud services providers still don’t follow cloud-specific standards, while many standards they do follow were not made keeping cloud computing in mind. Standards such as ISO 27001 are a good starting point, but not all providers follow comprehensive standards that cover most of the operational security aspects. There is still no guarantee that your data is safe with an ISO 27001 compliant provider, further complicating the situation.
SaaS providers tend to be pretty secretive when it comes to transparency of their security processes. Sure, SaaS security of most providers might be better that what most people believe, but customers are rarely explained about the backend security processes and systems in place. Many believe that customers should be ready for the worst-case scenario if a provider is trying to be too secretive and hiding things behind the non-disclosure agreement. It’s hard to trust a provider if there isn’t enough evidence available to believe them.
Customers have the right to know how a provider is protecting their data against attacks and unauthorized access. While some providers have been doing a good job explaining details about their security model, many are not transparent about things like specifications of multi-tenancy delivery. This is where SLAs (Service Level Agreements) become so important. It describes responsibilities of the provider, including security measures and strong guarantees.
While many countries require customers to keep their sensitive data within the same country, many providers won’t promise that. That’s mainly because they have to move virtual machines and data from one place to another due to many reasons, including load balancing and improved latency. SaaS providers argue that location of the servers does not really matter and believe that that’s not how the internet works. But things are different when it comes to sensitive data and an enterprise might want an in-country guarantee to get started.
Ability to access apps and information from anywhere is one of the main reasons behind the popularity of SaaS, but it also poses security risks. Employees using their mobile devices or laptops can sign-in from unsecured networks such as public Wi-Fi/hotspots. If the endpoints are not secured, the data might be at risk, making local servers a better option than the cloud. To deal with such issues SaaS providers can ensure that only specified IP addresses are able to access the service or block certain functionalities of a service when using an ‘outsider’ IP.
However, not all employees and individuals are well versed with how cloud computing works and the best way to prevent unauthorized access and reduce risks is to educate them using various technologies such as Web filtering and network monitoring.
Control Over Data
Since the data is hosted in the cloud, customers don’t have complete control over it. You’d have to rely on the provider if something goes wrong and wait for their response, which comes at the cost of convenience. Businesses also worry about giving their data to a third-party and are concerned about who can access it and potential corruption and deletion. Their data ending up in hands of the competition is another concern that businesses have, which can be detrimental when sensitive business data is involved.
The ever increasing popularity of cloud computing can prove to be a double-edged sword, especially if you are considering low cost options. Providers that fall in the lower end of the SaaS spectrum might not be able to keep up with the growing needs of the cloud computing market and eventually shut down. This points to another serious issue i.e. data portability as all the time and money a business invests in a SaaS provider might go to waste. That’s why it’s so important to read and fully understand the SLA as it provides (ideally) details about what would happen if a provider goes out of business and how the data can be ported to another provider.
Identity theft isn’t much of an issue when you are dealing with well-known and reputable providers. However, it becomes a real concern when you are looking for the cheapest subscription plans. Numerous security tools are needed when you are paying remotely through your credit card and low-end providers might not have the security system in place to safeguard sensitive financial information.
SaaS Security Layers
The three security layers that help prevent unauthorized access and safeguard valuable data include:
Layer 0 aka IaaS (Infrastructure as a Service) is the primary layer on which everything else runs e.g. AWS, Google Cloud Platform, Microsoft Azure and IBM Cloud.
Layer 1 is where the SaaS provider comes in and sits on top of the primary layer. Many SaaS providers run Layer 1 on top of Layer 0 rented from another provider, while some own both the IaaS and SaaS Layer.
Layer 2 is the actual SaaS app and the end users. Security breaches can also happen because of user negligence.
Best Practices for Securing SaaS Apps
Businesses might ignore product security when trying to meet release deadlines, leading to apps that are prone to vulnerabilities. Customers must perform a security review of the app before signing up for a subscription, especially when a solution is being deployed on a public cloud.
PCI DSS is one of the most essential certifications you should seek when selecting a provider. SaaS providers have to undergo comprehensive audits to ensure data security and transmission. SOC 2 Type II certification can also be very helpful and serves as a good indicator of how well a provider is prepared for regulatory compliance and able to maintain high standards of data security.
End-to-end encryption means that all user-server interaction is carried out over SSL transmission, which should only terminate within provider’s network. Ideally, encryption (field-level encryption) should also be used for the data stored in servers. Many providers allow their customer to specify the fields to be encrypted such as credit card numbers.
Rigorous Vulnerability Testing
It’s common for providers to make tall promises, but businesses also need to carry out ongoing and rigorous vulnerability testing. Most providers provide some sort of incident response and vulnerability assessment tools, but the end users need to ensure that such tools are industry-leading and reliable. These tools offer automated security assessments and significantly reduce the time between critical security related audits.
Data Deletion Policy
The data deletion policy is defined in the service level agreement and must specify what would happen to the customer data once the data retention period ends. In such cases, the data should be deleted programmatically from provider’s systems.
User-level Data Security
Protective layers must be added to comply with security standards with user-level security. Examples of such layers include role-based access controls and enforced segregation of tasks (internally).
VPC and VPN
Virtual Private Cloud and Virtual Private Network provide a secure environment only meant for a specific user and your provider should be able to facilitate these environments. VPC/VPN is arguably a better option than multi-tenant instances, providing customers with more control over their data. VPCs also allow securely connecting to data centers over an encrypted hardware VPN connection.
TLS and Configured Certificates
Choosing a SaaS provider that protects external data as it transits using Transport Layer Security (1.2 is the latest version) greatly improves privacy between communicating apps and the end users. The certificates (used when protecting the external data) should also be correctly configured and follow good practices. Same is true for internal data as the provider should also use encryption and correctly configured certificates for protecting data as it transits between provider’s own micro-services.
If your provider is offering an API (both internal and external APIs), it should also be protected by an authentication method for secure transmission.
Privilege Levels and Multi-factor Authentication
A SaaS provider should allow creation of low-privilege users, which allows separating privileges between different users and account types. At least a 2FA multi-factor authentication should be implemented to minimize the impact of credential theft.
The provider should make logs available to the customer, which includes security-critical events that help in ongoing audits and monitoring.
Incident Response and Patching
Providers should have a clear policy for patching known issues or libraries, especially those that have been reported publically. A good indicator of whether or not a provider would patch new issues and provide a clear incident response is its previous track record and reputation.
The Trust Discrepancy
According to recent data, almost half of companies are concerned about data security when it comes to storing, managing and accessing information from the cloud. These concerns mostly come from the lack of understanding as cloud computing technologies have come a long way since their inception and are now pretty secure. However, skepticism in the cloud is still high with some surveys suggesting that the perception of the risk is higher than the real-world risks. The same data shows that chances of in-house systems getting compromised are actually much greater than the perceptions customers have about them.
From a provider’s perspective, they can tackle this discrepancy with quality customer support, which can effectively collaborate with customer’s IT team and work together to create the right SaaS strategy. However, that’s only possible when they adopt the best practices, including keeping customers on the same page about security issues, performing security audits regularly and implementing robust security controls.
SaaS providers depend on loyal customers to remain in business. But it’s also customer’s responsibility to make sure that the SLA clearly defines all related issues, provider’s responsibilities and commitments. Another crucial area where businesses need to focus is user awareness as end-user negligence can also result in security breaches, which can be prevented fairly easily by educating them.
There are many strong reasons why businesses, especially small and medium businesses should take advantage of cloud computing to improve operational efficiency and reduce costs. However, security concerns often hold businesses back from putting their valuable data in the cloud. These concerns mostly stem from the lack of clear visibility and control. The only way to overcome such fears it to address these issues head-on with the providers.
Measures including adopting SaaS best security practices, conducting ongoing security audits and security assessments are essential for addressing fears surrounding SaaS. These measures not only help address our fears, but also make it easier to identify security issues upfront. Sure, the points mentioned earlier are just a few security provisions every cloud provider should offer. But they provide customers with a good starting point and help them secure their data and address major security concerns.