Digitisation is driving the adoption of SaaS applications at an unparalleled rate. With this rapid adoption comes increased risk.
Cloud-based applications operate under a shared-responsibility model: the SaaS provider is responsible for the security of the infrastructure and the application running on it, while you, the customer, are responsible for your users and your data.
Securing your users and data will be dealt with in a future article. This article will focus on some important questions you need to ask your SaaS provider.
The answers will determine the risk associated with SaaS offerings. This should act as a guide in making the decision on who to choose.
1. Is data in transit protected between clients and the service?
Your data should be protected by your SaaS provider between the client and the SaaS service. All communication between client and server should be encrypted to provide confidentiality, and the protocol should also guarantee integrity and authenticity, so that no third party can eavesdrop on or tamper with the messages.
The recommended security protocol is Transport Layer Security (TLS) 1.2 or later (TLS 1.3 where supported). Its predecessor, the Secure Sockets Layer (SSL) protocol, is insecure in every version, and TLS 1.0 and 1.1 have also been deprecated; a provider should have all of these disabled on its endpoints.
2. Do you protect external data in transit using correctly configured certificates?
Certificates used for the TLS connection should be correctly configured by your SaaS provider: issued by a trustworthy and reputable certificate authority, matching the hostname you connect to, unexpired, and presented with the complete chain so that clients can validate them without workarounds.
3. Do you protect internal data in transit between services, using correctly configured certificates?
Certificates used for TLS between the provider's own services should be held to the same standard: correctly configured, issued by a trustworthy source (a well-managed internal CA is acceptable), and actually verified by the connecting service rather than bypassed because the traffic "never leaves the data centre".
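The three transport questions above come down to a handful of settings on each side of a connection. The following Python example, added here and not taken from any provider's code, builds a client context that satisfies questions 1 and 2, the "make it work" client configuration that does not, and a server context for service-to-service traffic (question 3, assuming mutual TLS with client certificates from an internal CA), then audits each one. Real certificate and key paths passed to load_cert_chain()/load_verify_locations() are omitted so the example runs offline; the finding texts are my own.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context meeting questions 1 and 2: TLS 1.2 or later only,
    peer certificate required and validated against the system CA store,
    hostname checked against the certificate."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration that 'makes the integration work' in a hurry:
    deprecated protocol versions accepted and certificate checks disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # accepts deprecated TLS 1.0/1.1
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE             # any certificate (or none) accepted
    return ctx


def internal_service_context() -> ssl.SSLContext:
    """Server context for service-to-service traffic (question 3).
    Assumption: mutual TLS, so every internal caller must present a client
    certificate issued by the provider's internal CA. load_cert_chain() and
    load_verify_locations() take real paths at deployment and are left out
    here so the example runs offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext, role: str) -> list[str]:
    """Return the list of findings for a context; an empty list means it passes.
    role is "client" or "server" (hostname checking only applies to clients)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"accepts TLS below 1.2 (minimum_version={ctx.minimum_version.name})"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            f"peer certificate not required (verify_mode={ctx.verify_mode.name})"
        )
    if role == "client" and not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    return findings


if __name__ == "__main__":
    for name, ctx, role in (
        ("hardened client", hardened_client_context(), "client"),
        ("weak client", weak_client_context(), "client"),
        ("internal service", internal_service_context(), "server"),
    ):
        print(name, "->", audit_context(ctx, role) or "OK")
```

The same four checks (protocol floor, certificate required, hostname verified, compression off) are what you should expect the provider to show evidence of on its own endpoints, for example from a scan of its public hostnames and a description of how its internal services validate each other.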
4. Do you protect internal and external APIs through an authentication method?
All externally exposed API endpoints that return or modify data should require authentication before they can be called, and the same should apply to the internal APIs between the provider's own services: an unauthenticated internal API is only one compromised component away from being reachable by an attacker.
5. If privilege levels exist, do you have the ability for low privilege users to be created?
Ensure the SaaS product has a granular approach to privileges: it should be possible to create accounts that hold only the rights their job needs, rather than every user being an administrator. In addition, it should have a mechanism in place to enforce separation of privileges between different accounts.
6. If there is a granular approach to privileges, is multi-factor authentication available on elevated privilege accounts?
Your chosen SaaS provider should offer multi-factor authentication, at a minimum for accounts with elevated privileges. This lowers the impact of credential theft: a stolen password alone is then not enough to use the account.
7. Do you collect logs of events?
Your provider should generate all relevant security logs (authentication events, privilege changes, administrative actions, data access) as well as critical system events. In addition, those logs should be exportable to your own audit and monitoring service, so that you can retain and analyse them independently of the provider.
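Once the provider's logs reach your monitoring service, the two things you need are to check that the export is usable (every event carries the fields you depend on) and to run detections over it. The Python example below does both against a constructed JSON Lines export; it is added here as an illustration, the field names (ts, actor, action, outcome, src_ip, target, role) are assumptions rather than any real provider's schema, and the two detections (successful privilege grants and bursts of failed logins) are examples of what such logs let you see.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

REQUIRED_FIELDS = ("ts", "actor", "action", "outcome", "src_ip")

# Constructed sample export; the last line is deliberately missing src_ip.
SAMPLE_EXPORT = """\
{"ts": "2024-05-01T09:00:01Z", "actor": "alice", "action": "login", "outcome": "success", "src_ip": "203.0.113.10"}
{"ts": "2024-05-01T09:00:05Z", "actor": "bob", "action": "login", "outcome": "failure", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T09:00:09Z", "actor": "bob", "action": "login", "outcome": "failure", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T09:00:14Z", "actor": "bob", "action": "login", "outcome": "failure", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T09:00:20Z", "actor": "bob", "action": "login", "outcome": "failure", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T09:00:27Z", "actor": "bob", "action": "login", "outcome": "failure", "src_ip": "198.51.100.7"}
{"ts": "2024-05-01T09:01:00Z", "actor": "alice", "action": "role.grant", "outcome": "success", "src_ip": "203.0.113.10", "target": "dave", "role": "admin"}
{"ts": "2024-05-01T09:02:00Z", "actor": "svc-export", "action": "data.export", "outcome": "success"}
"""


def parse_export(text: str):
    """Parse JSON Lines into events; report lines that are unusable and why."""
    events, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            malformed.append((lineno, "not valid JSON"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            malformed.append((lineno, "missing fields: " + ", ".join(missing)))
            continue
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, malformed


def detect(events, fail_threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Return alert strings: every successful privilege grant, and the first
    time an (actor, source IP) pair reaches fail_threshold failed logins
    inside a sliding time window."""
    alerts = []
    for ev in events:
        if ev["action"] == "role.grant" and ev["outcome"] == "success":
            alerts.append(
                f"privilege grant: {ev['actor']} gave {ev.get('role')} to {ev.get('target')}"
            )
    recent = defaultdict(list)  # (actor, src_ip) -> timestamps of failures in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login" or ev["outcome"] != "failure":
            continue
        key = (ev["actor"], ev["src_ip"])
        stamps = recent[key]
        stamps.append(ev["ts"])
        while stamps and ev["ts"] - stamps[0] > window:
            stamps.pop(0)
        if len(stamps) == fail_threshold:
            alerts.append(
                f"{fail_threshold} failed logins for {key[0]} from {key[1]} within {window}"
            )
    return alerts


if __name__ == "__main__":
    events, malformed = parse_export(SAMPLE_EXPORT)
    for lineno, why in malformed:
        print(f"line {lineno}: {why}")
    for alert in detect(events):
        print(alert)
```

The malformed-line report is worth keeping in production: a provider that silently drops fields from its export, or changes its schema, is a detection gap you want to notice before an incident rather than during one.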
8. Do you have a clear incident response and patching system in place to mitigate any issues in the service?
Ideally, they should have a clear patching process, a documented way for customers and researchers to report security issues, a defined incident response process that includes notifying you when your data is affected, and be able to demonstrate a good track record in this area.
9. Do you provide clear and transparent details on your product and the implemented security features?
A good provider should make available clear and transparent details on their security features and how best to configure them.
A SaaS provider who has implemented a service based on best practices should be able to respond comprehensively to the questions raised. These responses can form the basis for an effective risk assessment of your potential provider.
As you continue to migrate your services to the cloud and make use of SaaS applications, it is critical to avoid the security gap that appears between your provider's responsibilities and your own. Ultimately you are responsible for your data and the users that access it, so selecting a credible provider who will help you implement effective security for your SaaS application is well worth the extra due diligence.