Most often, when we hear people say that they’re going to “save their data to the cloud” they’re referring to the SaaS (Software as a Service) model. This is a very popular model for consumers and businesses alike, and it is normally accessed directly over the public internet. Salesforce.com, Dropbox, and Google Drive are typical examples of SaaS applications.
When you use a SaaS model you need to remember that you inherit the security risks of the previous two models (IaaS and PaaS), because the SaaS application is built on top of that same stack. The difference is that at the SaaS layer you control none of it: the higher up the stack you go, the more of the security work shifts to the service provider. In the SaaS model the infrastructure, platform and application are almost completely managed and secured by the cloud service provider (CSP). What stays with you is your data, your users’ identities and access, and whatever configuration choices the application exposes to you.
In this blog post, the last of three articles in our blog series on security in the public cloud, we review the SaaS offering and highlight seven key security factors to consider before migrating to this model.
- First and foremost, determine what type of data you want to store in the cloud and perform a risk assessment against it. Will this data, if lost or stolen, bring down your company? If it’s not accessible for a certain amount of time, will there be drastic consequences to your business? As part of this assessment, make sure to understand and assess the SaaS provider’s business continuity and disaster recovery practices and procedures, including the recovery time and recovery point objectives they are willing to commit to in writing.
- Question the security of your data from transmission to storage. Make sure your data is encrypted in transit to the cloud (TLS, with current protocol versions and cipher suites) and while it’s at rest, and ask who holds the encryption keys and which provider staff can read your data in the clear. Many people take this for granted, but it’s your data and it should be secured as if it were sitting in your own data center.
- Since you don’t manage the network, storage, or even the individual application you’re using, it’s very important to understand what the SaaS application is running on. Dig into the details of tenant segmentation, resource allocation, patching, security monitoring, etc. It’s usually not possible to make any changes to this platform, since this is the most cookie-cutter of all the service models, so you need to be sure you’re comfortable with how the system is built and how the underlying security is being managed before moving your confidential data to it. Independent audit reports (SOC 2, ISO 27001) are the usual way to get that evidence rather than taking the provider’s word for it.
- Since you almost always connect to the SaaS service through a browser or thin client over the internet, require that some form of multi-factor authentication be available in the application and enforce it for every account. If you can reach the data and application over the internet, so can attackers. Without a second factor, sensitive data is literally just a password away from being accessed remotely.
- Review what type of authentication the SaaS service uses. If you integrate authentication directly with your LDAP directory, be careful: your users will be typing their corporate credentials into the SaaS application, and if those credentials are captured (through a phishing page that mimics the SaaS login, or a breach at the provider) the attacker also gains a foothold on your corporate network. Prefer federated single sign-on (SAML or OpenID Connect), where the password never leaves your own identity provider and access can be revoked centrally. Whatever the method, make sure the passwords used to log into the SaaS app are complex and that an account lockout or rate-limiting feature is enabled against password guessing.
- Since you don’t have access to the underlying systems, verify that the data in the SaaS application is being backed up and that restores are actually tested, verify the data retention and deletion procedures, and determine whether your data is exportable in a usable format if you ever need to leave the service.
- One of the most important tasks in the cloud, for any service model, is protecting the API keys. These keys allow a system or user to perform functions in the cloud instance, and losing one can be as costly as giving up administrator credentials: keys are typically long-lived, are rarely covered by MFA, and tend to leak through source code repositories, configuration files and logs. Store them in a secrets manager or inject them at runtime, rotate them, scope them to the minimum permissions needed, and scan your code for keys that were checked in by mistake. Protect these keys!
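The last point, keeping API keys out of source code and logs, is the one in this list that can be checked mechanically. The script below is an added example written for this post, not code from the original article or from any SaaS vendor: it scans a constructed `settings.py` fragment for credential-looking string literals (a variable name that suggests a secret, assigned a long, high-entropy value), shows the corrected form where the key is injected from the environment, and fails closed when the key is missing. The sample files, variable names and the 20-character / 3.5-bits-per-character thresholds are all assumptions chosen for illustration.

```python
"""Added example: finding API keys hardcoded in source, and loading them safely instead.
All samples, names and thresholds here are constructed for illustration; this is not
code from the original post or from any cloud provider."""
import math
import os
import re
from collections import Counter

# Constructed sample of the weak pattern: a credential committed alongside the code.
WEAK_SAMPLE = """\
# settings.py -- constructed sample, the pattern we want to catch
SAAS_BASE_URL = "https://api.example.com/v1"
SAAS_API_KEY = "kq8Zr2vT9xLm4Np7Wc1Hs6Yb3Ud5Fg0J"   # hardcoded, lives on in git history
DEBUG = "false"
"""

# Constructed sample of the corrected form: the key is injected at runtime.
HARDENED_SAMPLE = """\
# settings.py -- constructed sample, the corrected form
import os
SAAS_BASE_URL = "https://api.example.com/v1"
SAAS_API_KEY = os.environ["SAAS_API_KEY"]          # supplied by the secret store at deploy time
"""

# A quoted string literal assigned to a variable, e.g. NAME = "value"
ASSIGNMENT_RE = re.compile(r"""^\s*(?P<name>[A-Za-z_]\w*)\s*=\s*["'](?P<value>[^"']+)["']""")
# Variable names that usually hold credentials
SECRET_NAME_RE = re.compile(r"(key|secret|token|passw)", re.I)
MIN_LENGTH = 20      # assumed threshold: shorter literals are rarely real keys
MIN_ENTROPY = 3.5    # assumed threshold, bits per character; random keys score well above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-character strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_keys(source: str) -> list:
    """Return suspected hardcoded credentials as dicts with line number, name and entropy."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGNMENT_RE.match(line)
        if not m or not SECRET_NAME_RE.search(m.group("name")):
            continue
        value = m.group("value")
        entropy = shannon_entropy(value)
        if len(value) >= MIN_LENGTH and entropy >= MIN_ENTROPY:
            hits.append({"line": lineno, "name": m.group("name"), "entropy": round(entropy, 2)})
    return hits


def load_api_key(var_name: str, environ=None) -> str:
    """Fetch a credential from the environment and fail closed if it is absent or empty."""
    env = os.environ if environ is None else environ
    value = env.get(var_name, "")
    if not value:
        raise RuntimeError(f"{var_name} is not set; refusing to run without a credential")
    return value


def redact(secret: str, keep: int = 4) -> str:
    """Form suitable for log lines: only the last `keep` characters survive."""
    return "****" + secret[-keep:]


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, find_hardcoded_keys(sample))
    # Constructed environment standing in for a secret store injecting the key at runtime.
    key = load_api_key("SAAS_API_KEY", {"SAAS_API_KEY": "kq8Zr2vT9xLm4Np7Wc1Hs6Yb3Ud5Fg0J"})
    print("loaded key:", redact(key))
```

Run against a real repository, a check like `find_hardcoded_keys` belongs in a pre-commit hook or CI step so a key is caught before it reaches shared history; any key it does flag should be treated as compromised and rotated, since deleting the line does not remove it from the commit log. The entropy threshold is what separates a real key from a hostname or a word like `"false"`, and the fail-closed `load_api_key` is the behaviour you want instead of a silent fallback to an empty or default credential.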
The cloud is powerful, elastic, cost-effective and resourceful, but if not managed and secured properly it can be dangerous. This blog series has highlighted some of the key security issues to consider with each of the three public cloud service models, IaaS, PaaS and SaaS. Make sure to educate yourself before choosing a cloud platform, and make sure you have the technologies and best practices in place to effectively manage security across your entire environment before you make the move.
A great resource is the Cloud Security Alliance (CSA), https://cloudsecurityalliance.org/, which has numerous articles on security, compliance and risk when using the cloud.