At Kaliber, we think of SaaS companies as the filling in a “security sandwich”: they sit in the middle, having to protect their customers’ data while also owning the responsibility to configure and monitor the security settings of the hosting services on which their products run.
What must a SaaS company focus on when building their security sandwich?
The first and most important layer of protection is identity management: properly validating users, their roles and their passwords. SaaS companies must build for secure customer access and also establish proper roles for internal developers, support staff and marketing teams.
Multi-factor Authentication and Single Sign-On
Internal users and their roles should be supported by Single Sign-On (SSO) tools with multi-factor authentication (MFA) to protect credentials and enforce access policy. Similarly, the SaaS software itself needs to support SSO integration with its customers’ internal identity systems, which both enhances security and improves the customer experience.
End-to-end encryption means that all user-to-server interactions are carried out over SSL/TLS, and that the encrypted connection should terminate only within the provider’s network. Additionally, full database encryption should be used for customer databases, and field-level encryption should be applied to highly sensitive data such as financial, identity or health information.
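Field-level encryption is the part of this that application code has to get right itself, so the following is an added example of what it looks like in a SaaS backend. It is not Kaliber’s code or a recommendation of a particular product: a constructed customer record keeps its e-mail address in plaintext for lookups while the tax ID and card number are encrypted individually with AES-256-GCM before the row is stored. The record layout, column names and the in-memory demo key are assumptions for illustration; in production the key would be held in a KMS or secret store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// CustomerRecord is a constructed sample row. Email stays in plaintext because
// it is a lookup key; TaxID and CardNumber are stored only as ciphertext.
type CustomerRecord struct {
	ID         int
	Email      string
	TaxID      string
	CardNumber string
}

// FieldCipher performs column-level AES-256-GCM encryption. The key would come
// from a KMS or secret store in production; here the caller supplies it.
type FieldCipher struct {
	aead cipher.AEAD
}

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("field key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Encrypt returns base64(nonce || ciphertext || tag). Every value gets a fresh
// random nonce (nonce reuse under one GCM key destroys confidentiality), and the
// column name is bound in as associated data, so a ciphertext copied from one
// column into another fails authentication on decryption.
func (f *FieldCipher) Encrypt(column, plaintext string) (string, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := f.aead.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

func (f *FieldCipher) Decrypt(column, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := f.aead.NonceSize()
	if len(raw) < n+f.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := f.aead.Open(nil, raw[:n], raw[n:], []byte(column))
	if err != nil {
		// Wrong key, wrong column, or modified data: refuse rather than guess.
		return "", errors.New("field authentication failed")
	}
	return string(pt), nil
}

// ProtectRecord encrypts only the highly sensitive columns before the row is
// written to the customer database.
func ProtectRecord(f *FieldCipher, r CustomerRecord) (CustomerRecord, error) {
	var err error
	if r.TaxID, err = f.Encrypt("tax_id", r.TaxID); err != nil {
		return r, err
	}
	if r.CardNumber, err = f.Encrypt("card_number", r.CardNumber); err != nil {
		return r, err
	}
	return r, nil
}

// RevealRecord is the inverse, called only in the code path that needs the data.
func RevealRecord(f *FieldCipher, r CustomerRecord) (CustomerRecord, error) {
	var err error
	if r.TaxID, err = f.Decrypt("tax_id", r.TaxID); err != nil {
		return r, err
	}
	if r.CardNumber, err = f.Decrypt("card_number", r.CardNumber); err != nil {
		return r, err
	}
	return r, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys live in a KMS
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	row := CustomerRecord{ID: 42, Email: "alice@example.com", TaxID: "123-45-6789", CardNumber: "4111111111111111"}
	stored, _ := ProtectRecord(fc, row)
	fmt.Printf("at rest: %+v\n", stored)
	back, _ := RevealRecord(fc, stored)
	fmt.Printf("in use:  %+v\n", back)
}
```

Binding the column name as associated data is what makes the scheme field-level rather than merely encrypted: a database administrator with write access cannot swap one customer’s encrypted card number into another row’s column unnoticed, because the tag check fails.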
Rigorous Vulnerability Testing
Businesses need to carry out ongoing and rigorous vulnerability testing to ensure that all off-the-shelf software is up to date. Many commercially available tools offer automated security assessments that identify which software has known vulnerabilities, so that patches can be applied as soon as possible.
Secure Code Analysis
Web application security must be a key focus for SaaS developers. Improperly written internet-facing web pages can be vulnerable to attack and provide an avenue for theft of customer data. Regular code analysis that identifies such pages should be performed, and the pages rewritten to eliminate the flaws found.
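To make “improperly written web page” concrete, here is an added example, not code from Kaliber or from any product the page names, of the kind of flaw a code analysis pass should flag and the rewrite that eliminates it. A greeting page is rendered first by string concatenation, so whatever a user typed as a display name lands in the HTML verbatim, and then with Go’s `html/template`, which escapes the value for the context it appears in. The hostile display name and the `leaksMarkup` check are constructed for the demonstration and stand in for the regression test that should stay in the suite after the fix.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// renderGreetingUnsafe is the flaw a code review or static analysis should
// flag: user-controlled text is concatenated straight into the page.
func renderGreetingUnsafe(displayName string) string {
	return "<p>Welcome back, " + displayName + "</p>"
}

// Parsed once at start-up. html/template records the HTML context of each
// {{.}} placeholder and escapes the value for exactly that context at render time.
var (
	greetingTmpl = template.Must(template.New("greeting").Parse(`<p>Welcome back, {{.}}</p>`))
	linkTmpl     = template.Must(template.New("link").Parse(`<a href="{{.}}">profile</a>`))
)

// renderGreetingSafe emits the same page with the name escaped for text context.
func renderGreetingSafe(displayName string) (string, error) {
	var buf bytes.Buffer
	if err := greetingTmpl.Execute(&buf, displayName); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderLinkSafe shows the same package handling a URL attribute context: a
// value with an unexpected scheme is neutralised instead of being emitted.
func renderLinkSafe(href string) (string, error) {
	var buf bytes.Buffer
	if err := linkTmpl.Execute(&buf, href); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// leaksMarkup is the assertion a regression test keeps after the fix: no tag
// supplied by untrusted input may survive into the rendered output.
func leaksMarkup(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

func main() {
	hostile := `<script>alert(1)</script>` // constructed hostile display name
	unsafe := renderGreetingUnsafe(hostile)
	fmt.Printf("unsafe: %s (leaks markup: %v)\n", unsafe, leaksMarkup(unsafe))
	safe, _ := renderGreetingSafe(hostile)
	fmt.Printf("safe:   %s (leaks markup: %v)\n", safe, leaksMarkup(safe))
	link, _ := renderLinkSafe("javascript:alert(1)")
	fmt.Printf("link:   %s\n", link)
}
```

The point of the second template is that escaping is contextual: the characters that make a value safe inside a text node are not the ones that make it safe inside an `href`, which is why a single global “sanitise” helper is a weaker fix than a template engine that tracks context.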
Incident Response and Patching
Providers should have a clear policy for patching known issues, whether in their own code or in the libraries they depend on, especially those that have been reported publicly.
VPCs and VPNs
Virtual Private Clouds and Virtual Private Networks provide secure environments for isolating data and supporting secure connections.
A rapidly expanding trend is the use of Application Programming Interfaces (APIs) to support data interchange, whether between internal applications or with external third parties. APIs and API gateways need to be protected by an authentication method so that data is exchanged only with verified callers.
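One authentication method an API gateway can apply is request signing, shown here as an added example (not Kaliber’s code, and not tied to any particular gateway product). The client signs a canonical string covering its key ID, a timestamp, the HTTP method, the path and a hash of the body with HMAC-SHA256 over a shared secret; the gateway recomputes the signature, rejects requests outside a clock-skew window, and compares signatures in constant time. The `APIRequest` shape, the five-minute window and the in-memory secret table are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// APIRequest is the subset of an HTTP request the gateway needs to authenticate.
type APIRequest struct {
	KeyID     string // identifies which client secret to use
	Timestamp int64  // Unix seconds, set by the client
	Method    string
	Path      string
	Body      []byte
	Signature string // hex HMAC-SHA256 over canonical()
}

// canonical binds every authenticated attribute into one string, so a captured
// signature cannot be reused against a different method, path or body.
func canonical(r APIRequest) []byte {
	bodyHash := sha256.Sum256(r.Body)
	return []byte(r.KeyID + "\n" + strconv.FormatInt(r.Timestamp, 10) + "\n" +
		r.Method + "\n" + r.Path + "\n" + hex.EncodeToString(bodyHash[:]))
}

// Sign is what the client runs; the gateway runs it again to verify.
func Sign(secret []byte, r APIRequest) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(canonical(r))
	return hex.EncodeToString(mac.Sum(nil))
}

const maxClockSkew = 5 * time.Minute

// Gateway holds per-client secrets (fetched from a secret store in practice)
// and a clock, injected so the window check is testable.
type Gateway struct {
	secrets map[string][]byte
	now     func() time.Time
}

func NewGateway(secrets map[string][]byte, now func() time.Time) *Gateway {
	return &Gateway{secrets: secrets, now: now}
}

// Authenticate returns nil only for a request whose signature verifies under
// the named client's secret and whose timestamp is within the accepted window.
func (g *Gateway) Authenticate(r APIRequest) error {
	secret, ok := g.secrets[r.KeyID]
	if !ok {
		return errors.New("unknown key id")
	}
	age := g.now().Sub(time.Unix(r.Timestamp, 0))
	if age > maxClockSkew || age < -maxClockSkew {
		return errors.New("timestamp outside accepted window")
	}
	expected := Sign(secret, r)
	// hmac.Equal is constant-time, so response timing does not reveal how many
	// leading bytes of a guessed signature were correct.
	if !hmac.Equal([]byte(expected), []byte(r.Signature)) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	secrets := map[string][]byte{"client-a": []byte("constructed-demo-secret")}
	gw := NewGateway(secrets, time.Now)
	req := APIRequest{KeyID: "client-a", Timestamp: time.Now().Unix(), Method: "POST",
		Path: "/v1/orders", Body: []byte(`{"sku":"A1","qty":2}`)}
	req.Signature = Sign(secrets["client-a"], req)
	fmt.Println("genuine request:", gw.Authenticate(req))
	req.Body = []byte(`{"sku":"A1","qty":200}`) // body altered after signing
	fmt.Println("modified body:  ", gw.Authenticate(req))
}
```

The timestamp window limits how long a captured request stays valid but does not stop a replay inside the window; a gateway that needs that guarantee also records recently seen signatures (or a client nonce) and rejects duplicates. Signing is layered on top of TLS, not a replacement for it: the transport still has to be encrypted.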
The very first line of defense for a hosted software system is an Intrusion Detection System (IDS). Host-based systems apply their detection at the host level and will typically detect most intrusion attempts quickly and notify you immediately so you can remedy the situation. Modern IDSs use either signature-based detection, which looks for known bad patterns that have been seen before, or learning-based detection. Learning-based systems build a database of an organization’s “normal behavior” and then report when they detect “non-normal” activity.
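The two detection styles the paragraph contrasts are easiest to compare side by side on the same input, so the following added example (not Kaliber’s code and not a real IDS product) runs both over a constructed access log. The signature side matches known-bad request patterns; the learning side fits a per-source request-volume baseline from a clean training window and flags any source more than three standard deviations above it. The log format, the two signature rules, the training counts and the sample traffic are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Event is one parsed line of the constructed log format "<source> <method> <path> <status>".
type Event struct{ Source, Path, Status string }

func parseLine(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Event{}, false
	}
	return Event{Source: f[0], Path: f[2], Status: f[3]}, true
}

// signatures is the "seen before" knowledge: constructed request patterns that
// are never legitimate for this application, matched case-insensitively.
var signatures = map[string]string{
	"path traversal": "../",
	"sql injection":  "' or 1=1",
}

func signatureMatches(e Event) []string {
	var hits []string
	lower := strings.ToLower(e.Path)
	for name, needle := range signatures {
		if strings.Contains(lower, needle) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits) // map iteration order is random; keep output stable
	return hits
}

// Baseline is the learned model of "normal": per-source request volume in a window.
type Baseline struct{ Mean, StdDev float64 }

// LearnBaseline fits the model from counts observed during a window believed to
// be clean; a poisoned training window is the classic weakness of this approach.
func LearnBaseline(counts []float64) Baseline {
	if len(counts) == 0 {
		return Baseline{}
	}
	var sum, sq float64
	for _, c := range counts {
		sum += c
	}
	mean := sum / float64(len(counts))
	for _, c := range counts {
		sq += (c - mean) * (c - mean)
	}
	return Baseline{Mean: mean, StdDev: math.Sqrt(sq / float64(len(counts)))}
}

// IsAnomalous flags volume more than three standard deviations above normal.
func (b Baseline) IsAnomalous(count int) bool { return float64(count) > b.Mean+3*b.StdDev }

// Report keeps the two detection styles apart so each can be tuned independently.
type Report struct {
	SignatureAlerts  map[string][]string // source -> matched rule names
	AnomalousSources []string
	Unparsed         int // lines the parser rejected; a spike here deserves its own alert
}

func Analyze(b Baseline, lines []string) Report {
	rep := Report{SignatureAlerts: map[string][]string{}}
	perSource := map[string]int{}
	for _, line := range lines {
		e, ok := parseLine(line)
		if !ok {
			rep.Unparsed++
			continue
		}
		perSource[e.Source]++
		if hits := signatureMatches(e); len(hits) > 0 {
			rep.SignatureAlerts[e.Source] = append(rep.SignatureAlerts[e.Source], hits...)
		}
	}
	for src, n := range perSource {
		if b.IsAnomalous(n) {
			rep.AnomalousSources = append(rep.AnomalousSources, src)
		}
	}
	sort.Strings(rep.AnomalousSources)
	return rep
}

// SampleLog is constructed traffic: routine requests, one traversal attempt a
// signature catches, a malformed line, and a login burst only the baseline catches.
func SampleLog() []string {
	lines := []string{"10.0.0.5 GET /dashboard 200", "10.0.0.5 GET /reports/2023 200",
		"198.51.100.7 GET /files/../../app.conf 404", "garbage line"}
	for i := 0; i < 40; i++ {
		lines = append(lines, fmt.Sprintf("203.0.113.9 POST /login?attempt=%d 401", i))
	}
	return lines
}

func main() {
	b := LearnBaseline([]float64{10, 12, 9, 11, 10, 8, 12, 11}) // constructed clean window
	rep := Analyze(b, SampleLog())
	fmt.Printf("baseline mean=%.2f sd=%.2f\n%+v\n", b.Mean, b.StdDev, rep)
}
```

The burst of failed logins matches no signature and the traversal attempt is a single request that no volume model would notice, which is why the two approaches are complementary rather than alternatives: signatures give precise, explainable alerts for what has been seen before, and the learned baseline catches what has not.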
Only a qualified third party can truly attest to the efficacy of the items outlined above:
– Are credentials well protected?
– Are communications and data properly encrypted?
– Have software vulnerabilities been patched?
– Is in-house developed software secure?
– Are VPCs properly configured?
– Are APIs protected?
Detailed penetration tests should be performed annually and any findings should be remediated in a timely fashion.
It is important that SaaS environments log all system events, including the security-critical events that support ongoing audits and monitoring and provide a way to perform forensic analysis in the event of a data breach.
In order to assure customers and prospects regarding the security of their data, SaaS companies may be required to submit to outside audits that follow popular compliance regimes such as NIST, SOC 2 or ISO 27001/2.
There are many strong reasons why businesses should take advantage of cloud computing to improve operational efficiency and reduce costs. However, security concerns often hold businesses back from putting their valuable data in the cloud. These concerns mostly stem from a lack of clear visibility and control. It is the SaaS provider’s responsibility to take a strong position and communicate the controls it has implemented to protect its customers’ data.