Cloud-based applications carry a shared responsibility: the SaaS provider is responsible for the security of its infrastructure and the application it runs, while you, the customer, are responsible for your users, their access and your data.
Securing your users and data will be dealt with in a future article. This article will focus on some important questions you need to ask your SaaS provider.
The answers indicate the risk that comes with each offering and should guide your decision on which provider to choose.
Your provider should protect your data in transit between the client and the SaaS service. Client and server should communicate over an encrypted channel that gives confidentiality, and the provider should ensure that no third party can eavesdrop on or tamper with the messages, which means the channel must also authenticate the server and protect message integrity, not merely encrypt.
The recommended protocol is Transport Layer Security (TLS) 1.2 or later. Its predecessor, the Secure Sockets Layer (SSL) protocol, and the older TLS 1.0 and 1.1 versions are considered insecure and should be disabled on the provider's side.
Certificates used for the TLS connection should be correctly configured by your SaaS provider: issued by a trusted and reputable certificate authority, matching the host name you connect to, and renewed before they expire.
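The checks above can be made concrete. The following script, added here as an example and not code from the original article, connects to a SaaS endpoint with a client context that refuses anything older than TLS 1.2 and requires a valid chain to a trusted root, then grades what was negotiated: legacy protocol, weak or non-ephemeral cipher suite, self-signed or soon-to-expire certificate. The host names and the two sample handshake results are constructed for illustration, not real measurements; it uses only the Python standard library.

```python
"""Probe a SaaS endpoint's TLS setup and grade what was negotiated.

Added example, not code from the original article. Host names and the
SAMPLE_RESULTS below are constructed for illustration (assumptions).
"""
import socket
import ssl
import sys
import time
from typing import Optional

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that mark broken or deliberately weakened cipher suites.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")
EXPIRY_WARN_SECONDS = 14 * 24 * 3600


def build_client_context() -> ssl.SSLContext:
    """Client context a careful consumer should use: system trust store,
    host name verification, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the context verifies the chain, checks the host name and
    will not negotiate below TLS 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete one handshake and report what was negotiated.
    Raises ssl.SSLCertVerificationError if the chain or host name fails."""
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            cert = tls.getpeercert()  # already verified against trusted roots
            return {
                "protocol": tls.version(),
                "cipher": name,
                "cipher_bits": bits,
                "issuer": {k: v for rdn in cert["issuer"] for k, v in rdn},
                "subject": {k: v for rdn in cert["subject"] for k, v in rdn},
                "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
            }


def assess(result: dict, now: Optional[float] = None) -> list:
    """Pure grading of a handshake result; an empty list means nothing
    to raise with the provider."""
    now = time.time() if now is None else now
    findings = []
    proto = result["protocol"]
    cipher = result["cipher"].upper()
    if proto in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol negotiated: {proto}")
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite: {result['cipher']}")
    # TLS 1.3 suites always use ephemeral keys; for 1.2 look for (EC)DHE.
    if proto != "TLSv1.3" and "DHE" not in cipher:
        findings.append(f"no forward secrecy: {result['cipher']}")
    if result.get("cipher_bits", 0) < 128:
        findings.append(f"cipher strength below 128 bits: {result.get('cipher_bits')}")
    if result["issuer"] == result["subject"]:
        findings.append("self-signed certificate (issuer equals subject)")
    remaining = result["not_after"] - now
    if remaining < 0:
        findings.append("certificate has expired")
    elif remaining < EXPIRY_WARN_SECONDS:
        findings.append(f"certificate expires in {int(remaining // 86400)} days")
    return findings


NOW = 1_700_000_000.0  # fixed clock so the constructed samples grade deterministically
SAMPLE_RESULTS = {  # constructed sample handshakes, not real measurements
    "saas-good.example": {
        "protocol": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384", "cipher_bits": 256,
        "issuer": {"commonName": "Example Public CA"},
        "subject": {"commonName": "saas-good.example"},
        "not_after": NOW + 90 * 86400,
    },
    "saas-bad.example": {
        "protocol": "TLSv1", "cipher": "RC4-SHA", "cipher_bits": 128,
        "issuer": {"commonName": "saas-bad.example"},
        "subject": {"commonName": "saas-bad.example"},
        "not_after": NOW - 86400,
    },
}

if __name__ == "__main__":
    # With a host argument, probe it live; otherwise grade the constructed samples.
    if len(sys.argv) > 1:
        print(assess(probe(sys.argv[1])))
    else:
        for host, result in SAMPLE_RESULTS.items():
            print(host, assess(result, now=NOW) or ["no findings"])
```

Because the client context requires a chain to a root in the local trust store and a host name match, a certificate from an untrusted source never reaches `assess`: the handshake itself fails. The grading function only covers what a successful handshake still leaves open to question, and a single probe shows one negotiated suite, not every suite the server would accept.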
All externally exposed API endpoints, including those that only return information, should require authentication and authorization before they can be called; an endpoint that is not explicitly allowed should be refused by default.
Ensure the SaaS product takes a granular approach to privileges, with roles that carry only the permissions they need, and that it has a mechanism to enforce separation of privileges between different accounts so that one account cannot read or modify another account's data.
Your chosen SaaS provider should offer multi-factor authentication, which limits the impact of credential theft: a stolen password alone is no longer enough to log in or to perform privileged actions.
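The three requirements above (authentication on every endpoint, least-privilege roles with tenant separation, and MFA for privileged actions) fit in one authorization gate. The following is an added example of such a gate, not code from the original article or from any particular provider; the token format, signing key, tenant names, endpoint list and role table are all constructed for illustration. It uses only the Python standard library.

```python
"""Default-deny authorization gate for a SaaS API.

Added example, not from the original article. The token format, secret,
endpoints, roles and tenants are constructed for illustration (assumptions).
"""
import hashlib
import hmac
from typing import NamedTuple, Optional, Tuple

SECRET = b"constructed-demo-signing-key"  # provider-side key; placeholder value

# Every endpoint is listed with the permission it needs. Anything not listed
# is refused, and read-only endpoints need a permission just like writes.
ENDPOINT_PERMISSIONS = {
    ("GET", "/v1/documents"): "documents:read",
    ("POST", "/v1/documents"): "documents:write",
    ("GET", "/v1/users"): "users:read",
    ("DELETE", "/v1/users"): "users:admin",
}
PRIVILEGED = {"users:admin"}  # only allowed from a session that passed MFA

ROLE_PERMISSIONS = {
    "viewer": {"documents:read"},
    "editor": {"documents:read", "documents:write"},
    "admin": {"documents:read", "documents:write", "users:read", "users:admin"},
}


class Session(NamedTuple):
    user: str
    tenant: str
    role: str
    mfa: bool


def issue_token(user: str, tenant: str, role: str, mfa: bool) -> str:
    """Bearer token: 'user|tenant|role|mfa.<hmac-sha256>' (constructed format)."""
    payload = f"{user}|{tenant}|{role}|{int(mfa)}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(token: str) -> Optional[Session]:
    """Return the session a token encodes, or None if it is malformed or
    its MAC does not verify (so editing the role or tenant is detected)."""
    payload, _, mac = token.rpartition(".")
    if not payload:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    fields = payload.split("|")
    if len(fields) != 4:
        return None
    user, tenant, role, mfa = fields
    return Session(user, tenant, role, mfa == "1")


def authorize(method: str, path: str, tenant: str,
              token: Optional[str]) -> Tuple[int, str]:
    """Decide one request. 401 = no valid credential, 403 = authenticated
    but not permitted, 200 = allowed. Checks run from cheapest to most
    specific and every path that does not end in 200 is a denial."""
    session = verify_token(token) if token else None
    if session is None:
        return 401, "missing or invalid credential"
    needed = ENDPOINT_PERMISSIONS.get((method, path))
    if needed is None:
        return 403, "endpoint is not on the allow-list"
    if tenant != session.tenant:
        return 403, "tenant mismatch: account may not touch another tenant's data"
    if needed not in ROLE_PERMISSIONS.get(session.role, set()):
        return 403, f"role {session.role} lacks {needed}"
    if needed in PRIVILEGED and not session.mfa:
        return 403, "privileged action requires an MFA-verified session"
    return 200, "ok"


if __name__ == "__main__":
    viewer = issue_token("alice", "acme", "viewer", mfa=True)
    admin_no_mfa = issue_token("bob", "acme", "admin", mfa=False)
    for req in [("GET", "/v1/documents", "acme", None),
                ("GET", "/v1/documents", "acme", viewer),
                ("POST", "/v1/documents", "acme", viewer),
                ("GET", "/v1/documents", "globex", viewer),
                ("DELETE", "/v1/users", "acme", admin_no_mfa),
                ("GET", "/v1/health", "acme", admin_no_mfa)]:
        print(req[:3], authorize(*req))
```

The order of the checks matters: the credential is verified before anything else, the endpoint must be explicitly allow-listed, the tenant in the request must match the tenant bound into the session, and only then is the role consulted. A real provider would carry the session in a signed or opaque token with an expiry; the HMAC scheme here is just the simplest thing that makes tampering with the role or tenant detectable.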
Your provider should generate all relevant security logs, including critical events such as logins, failed authentications, privilege changes and administrative actions, and make those event logs available to your own audit and monitoring service so that you can correlate them with the rest of your environment.
The provider should also have a clear patching process for its own platform and be able to demonstrate a good track record in this area.
A good provider should publish clear and transparent details of its security features and how best to configure them.
A SaaS provider that has built its service on best practice should be able to respond comprehensively to the questions raised above. Those responses can form the basis of an effective risk assessment of your potential provider.
As you continue to migrate services to the cloud and adopt SaaS applications, it is critical to avoid the security gap that can open between your provider's responsibilities and your own. Ultimately you are responsible for your data and the users who access it, so selecting a credible provider who will help you implement effective security for your SaaS application is well worth the extra due diligence.