SaaS Security – The Elephant in the Room
Software-as-a-Service (SaaS) continues to grow as a common way for organizations to deploy
applications. Some applications you probably already run in the cloud or are considering include collaboration, productivity, and CRM applications. Think Salesforce and Microsoft Office 365. In fact, Gartner says that 47% of CRM deployments use SaaS today.
SaaS-delivered applications offer many benefits to your organization. Here are just a few:
- Improved Agility: You can rapidly deploy applications without the need to provision servers. This allows your business to take advantage of the technology much more quickly.
- Cost Benefits: Because you no longer have to make an upfront investment in on-premises systems and infrastructure, you lower your cost of entry. You now pay a monthly fee without the same long-term commitment that you may have previously had in lease payments.
- Better Collaboration: Many SaaS applications are designed for collaboration. Business leaders see this as critical since they need to collaborate with multiple departments, suppliers, contractors, customers, and manufacturers.
As the number of SaaS applications you deploy grows, you may become concerned that you are losing control of your data. That does not necessarily have to be the case.
Understanding SaaS Security Controls
If you move to a SaaS model, you do not need to lose control of your applications and data. You do, however, need to educate yourself on what your SaaS providers are doing to help protect you. These are the basic security controls that SaaS providers utilize to varying degrees:
- Identity and Access Management: These controls are in place to ensure that only users with the proper security rights have access to applications and data. They are also meant to confirm that the user is who they say they are.
- Application and Data Management: These control what applications have access to interact with your data. They also define how your data is handled. Is your data encrypted? And, is it encrypted in transit as well as at rest?
- Logging and Monitoring: These controls focus on user and data behavior. They flag abnormalities in how users access data, such as access at unusual times or from unusual locations, and repeated failed attempts to access your data.
It’s important to understand all of the controls your particular SaaS provider utilizes, how they are implemented, and how much control you have over them.
Covering Your SaaS
If implemented correctly, your SaaS applications can actually be more secure than on-premises deployments. It is estimated that 85% of cyber-attacks can be prevented simply by keeping your server and application security patches up to date, as well as managing administrative access rights. Your SaaS provider should handle the patches for you while you focus on access management.
There are several additional steps that you can take to protect your organization.
Keep the number of users with administrative rights to an absolute minimum. SaaS solutions such as CRM are often run by the line of business instead of IT. Whoever owns the administrative responsibility has to regularly review the user list and level of access they’ve been given. The policies, procedures, and user access should be well documented in case the administrator leaves.
Administrator accounts are also prime targets for cyber-criminals. Why bother with a regular user if they can gain access to everything in the system because the administrator was careless when setting up the account and password? A good practice is to create a very secure login for the main administrator and then create separate sub-administrative accounts for day-to-day use. That way, if one of those accounts is compromised, the main one stays protected and you retain full control.
Strict Access Control
Make sure you have a well thought-out policy about who has access to which systems. It is common in smaller organizations to give power users of an application administrative rights or something close to it. This can be very difficult to keep track of and manage. You are giving that user full control over your data.
With all of your users, you should make sure they understand how to create secure passwords and logins. There are tools you can implement at an enterprise level to help manage your users. This can include single sign-on tools that bring full control of user access back in-house. If an employee leaves, you will be able to shut down all of their accounts from a centralized management console.
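The two checks described above, a review of repeated failed logins (the Logging and Monitoring control) and a review of who holds administrative rights (Strict Access Control), as a small added example. This is not code from the original article; the audit log lines, user export and role names are constructed, and the log format is an assumption, since every SaaS provider exports its own.

```python
"""Added example: review a constructed SaaS audit log and user export.
Flags users with a burst of failed logins and lists admin accounts so
the number of administrators can be kept to a minimum."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: "<timestamp> <user> <action> <result>"
AUDIT_LOG = [
    "2024-05-01T08:00:05Z alice login success",
    "2024-05-01T08:01:10Z bob login failure",
    "2024-05-01T08:01:40Z bob login failure",
    "2024-05-01T08:02:15Z bob login failure",
    "2024-05-01T08:02:50Z bob login failure",
    "2024-05-01T09:30:00Z carol login failure",   # isolated failure
    "2024-05-01T15:30:00Z carol login failure",   # six hours later
    "2024-05-01T15:31:00Z carol login success",
]

# Constructed user export (username -> role) as an admin might download it
USERS = {"alice": "admin", "bob": "user", "carol": "admin",
         "dave": "admin", "erin": "user"}


def parse_event(line):
    """Split one assumed-format log line into (timestamp, user, action, result)."""
    ts, user, action, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, result


def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {user: largest number of failed logins inside one window}
    for every user whose largest burst reaches the threshold."""
    failures = defaultdict(list)
    for line in lines:
        ts, user, action, result = parse_event(line)
        if action == "login" and result == "failure":
            failures[user].append(ts)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):      # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def admin_accounts(users):
    """List accounts holding the admin role, for the periodic access review."""
    return sorted(u for u, role in users.items() if role == "admin")
```

Run against a real export, the admin list is the one to challenge at each review: every name on it should still need that level of access.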
Back Up ALL of Your Critical Data
Once data moves into a SaaS environment, organizations are less likely to perform regular backups. This is definitely not a good practice. While you may feel that the redundant systems provided by your SaaS provider are adequate, they are still not enough protection. IBM states that the number one cause of data loss is human error. Users can intentionally or unintentionally delete or destroy portions of your data.
Also, think about your exit strategy. You need to know what you will do if the service provider no longer meets your needs, changes their business strategy, or goes out of business, or if you want to bring the application back in-house for any reason. To do this effectively, you need to have reliable backups of your data.
Your SaaS Applications Can Be Secure
SaaS-deployed applications are only going to increase in the future. You need to make sure you are prepared. It is possible to maintain a high level of security for your SaaS applications. You just need to start with a plan and pay attention to the details.