A practical option is to align your development methodology with an open, trusted framework or guidance, such as OWASP provides. A final key recommendation is to get some level of independent, third-party assessment and attestation of your success on a periodic basis.
This gives customers, investors, regulators and management peace of mind, and also ensures that you are where you think you are. Both these outcomes are business-critical given that trust is everything to growing a SaaS.
One unique aspect of SaaS security is that the software you need to secure is also your product, and security concerns are the biggest impediment to using your product or investing in your company. This situation argues for attaining the best third-party security attestation achievable. In fact, it often makes sense to focus first on the security of your SaaS application before wrapping security controls and processes like an ISO ISMS around that.
Another unique aspect of SaaS security is that every SaaS firm, by definition, processes client data. If that data includes personal information (PI), personal health information (PHI), high business impact data, etc. A further reason SaaS firms need to elevate their security is that customers exert greater pressure on you to iterate your solution, perhaps as often as once daily or even multiple times per day. This inherently drives a need for greater formality in ensuring that security processes are robust and followed unfailingly.
How you assess the security of your SaaS application and associated infrastructure is a central factor in how prospective customers and investors view the desirability of doing business with you. Being able to meet security demands and prove compliance is likewise central to your ability to scale your business and drive growth. Trust is the lubricant that reduces time to revenue by accelerating SaaS business deals, including both client contracts and venture funding.
Trust can make or break a SaaS provider. With security still the top barrier to SaaS adoption, does your security posture make prospects confident they can trust you with their data? How better than to attain a widely respected, independent security attestation from an accredited third party? But which InfoSec attestation should you choose? A shared responsibility model is simply an acknowledgement that in any cloud deployment scenario each party logically has certain security and compliance obligations.
Most simplistically, CSPs are responsible for the security of the cloud infrastructure, while end customers are responsible for securing the data they store in the cloud. In a shared responsibility model, responsibility and control are two sides of the same coin.
Where control is abstracted away, so is accountability. Where you, the SaaS provider, are accountable, you have the power and control to create a robust security posture. Then an administrator or SIEM solution can receive an alert and decide whether it is a false positive or a true positive. If a true positive incident is reported, the next step is action. Company security policy determines how to respond to incidents such as a sensitive file being emailed to an unauthorized party.
Never assume that, just because your application runs in the cloud, you don't need to have your own backups. You can never have too many backups. What if something terrible happens to your web servers? Make sure the metadata of your files is included in your backups. Metadata plays a vital role in determining who created your files, how, and various permission and usage rights.
To simplify your operations, there are third-party backup services such as Spanning, Barracuda, and Backupify. Comparison shop carefully. Identity and access management is just as important in your SaaS environment as it is in any of your other traditional applications hosted on your on-premises and corporate networks. Make sure that each employee, user, or authorized contractor who is allowed to use your SaaS application has authentication credentials that are unique to them.
Where passwords are used, a password policy is just as important for SaaS as it is for everything else. Not only should complexity be enforced, but also passwords should be changed at least once every three months. Where possible, there should also be an extra authentication vector, commonly referred to as two-factor authentication (2FA) or multi-factor authentication (MFA), such as a time-delay code or a physical token such as a USB device. Access controls are also important.
Depending on the nature of your SaaS application, access rights can be determined by the user's role and network location. For example, a user may be denied access if they're outside of the company's network, such as on a home WLAN. Or they may need multifactor authentication if they're accessing their employer's SaaS application from home. Implement logging and monitoring controls. Not only should you log authentication and access events, and DLP-related events, you should also log various other metrics related to SaaS use.
In particular, watch for events, either through your own logging capabilities or by implementing other security products such as a SIEM, such as when a user tries to acquire access to a function they're not authorized for. A role-based identity and access management solution can ensure that end users do not gain access to more resources than they require for their jobs. IAM solutions use processes and user access policies to determine what files and applications a particular user can access. An organization can apply role-based permissions to data so that end users will see only the data they're authorized to view.
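The combination described above (role-based permissions, a network-location check, an MFA step-up for off-network or sensitive functions, and an audit record of every attempt to reach a function the role does not permit) is shown below as an added example. It is not code from the original article or from any SaaS product; the role names, function names, corporate network ranges and the audit record layout are all assumptions constructed for illustration.

```python
"""Added example (not from the original article): a role- and network-aware
access decision for a SaaS application that also records audit events, so a
SIEM or administrator can spot users probing functions they are not authorized
for. Roles, functions, network ranges and record fields are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed corporate network ranges (assumption, not from the article).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Role-based permissions: each role maps to the set of functions it may call.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin": {"report:read", "report:export", "user:manage"},
}

# Functions that always require MFA, even from inside the corporate network.
MFA_ALWAYS = {"user:manage"}


@dataclass
class Request:
    user: str
    role: str
    source_ip: str
    function: str
    mfa_verified: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


# In-memory audit log; a real deployment would ship these records to a SIEM.
AUDIT_LOG: list[dict] = []


def on_corporate_network(ip: str) -> bool:
    """True when the source address falls inside a known corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def authorize(req: Request) -> Decision:
    """Evaluate role, then network location and MFA; log every outcome."""
    permitted = ROLE_PERMISSIONS.get(req.role, set())
    if req.function not in permitted:
        return _deny(req, "role_not_permitted")
    inside = on_corporate_network(req.source_ip)
    # Off-network access, or a sensitive function anywhere, needs MFA.
    if (not inside or req.function in MFA_ALWAYS) and not req.mfa_verified:
        return _deny(req, "mfa_required")
    _log(req, "allow", "ok")
    return Decision(True, "ok")


def _deny(req: Request, reason: str) -> Decision:
    _log(req, "deny", reason)
    return Decision(False, reason)


def _log(req: Request, outcome: str, reason: str) -> None:
    AUDIT_LOG.append({
        "event": "access_decision", "user": req.user, "role": req.role,
        "function": req.function, "source_ip": req.source_ip,
        "outcome": outcome, "reason": reason,
    })


def unauthorized_attempts(log: list[dict] = AUDIT_LOG) -> dict[str, int]:
    """Count, per user, attempts to call a function their role does not allow.
    This is the event the text singles out for monitoring."""
    counts: dict[str, int] = {}
    for rec in log:
        if rec["outcome"] == "deny" and rec["reason"] == "role_not_permitted":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample requests exercising each branch.
    for r in [
        Request("alice", "viewer", "10.1.2.3", "report:export"),
        Request("bob", "analyst", "10.1.2.3", "report:export"),
        Request("bob", "analyst", "203.0.113.5", "report:export"),
        Request("bob", "analyst", "203.0.113.5", "report:export", mfa_verified=True),
        Request("carol", "admin", "10.1.2.3", "user:manage"),
    ]:
        print(r.user, r.function, authorize(r))
    print("unauthorized attempts:", unauthorized_attempts())
```

The decision order matters: the role check runs first so that a denied request never leaks whether MFA would have been required, and every branch writes an audit record so the `unauthorized_attempts` summary reflects exactly the probing behaviour the article says to watch for.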
Encrypt cloud data. Data encryption protects both data at rest in storage and data in transit between the end user and the cloud or between cloud applications. Government regulations usually require encryption of sensitive data.
Sensitive data includes financial information, healthcare data, and personally identifiable information (PII). While a SaaS vendor may provide some type of encryption, an organization can enhance data security by applying its own encryption, such as by implementing a cloud access security broker (CASB). Enforce data loss prevention (DLP). DLP software monitors for sensitive data within SaaS applications or outgoing transmissions of sensitive data and blocks the transmission.
DLP software detects and prevents sensitive data from being downloaded to personal devices and blocks malware or hackers from attempting to access and download data. Monitor collaborative sharing of data. Collaboration controls can detect granular permissions on files that are shared with other users, including users outside the organization who access the file through a web link.
Employees may inadvertently or intentionally share confidential documents through email, team spaces, and cloud storage sites such as Dropbox. Check the provider's security. The Cloud Adoption and Risk Report surveyed respondents on their trust of cloud providers' security. Clearly, not all of that customer trust is deserved. An audit of a SaaS provider can include checks on its compliance with data security and privacy regulations, data encryption policies, employee security practices, cybersecurity protection, and data segregation policies.
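The collaboration control described above, which inspects file permissions for shares to outside users or anyone-with-link web links, is illustrated below as an added example. It is not code from the original article or from any collaboration platform; the sharing-record format, the organization domain and the sensitivity labels are constructed assumptions, and a real deployment would read the equivalent records from the provider's sharing API.

```python
"""Added example (not from the original article): review collaborative-sharing
records and flag files exposed outside the organization. The record layout,
the org domain and the labels are assumptions, not any vendor's API."""
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed sharing records, in the shape a collaboration control might
# export: per file, a sensitivity label, the link-sharing mode and the
# explicit grants to individual accounts.
SHARES = [
    {"file": "q3-forecast.xlsx", "label": "confidential", "link": "none",
     "grants": [{"who": "bob@example.com", "role": "editor"}]},
    {"file": "board-deck.pptx", "label": "confidential", "link": "anyone",
     "grants": []},
    {"file": "press-kit.pdf", "label": "public", "link": "anyone",
     "grants": []},
    {"file": "customer-list.csv", "label": "confidential", "link": "none",
     "grants": [{"who": "partner@partner.example", "role": "viewer"}]},
]


@dataclass
class Finding:
    file: str
    severity: str
    reason: str


def is_external(email: str) -> bool:
    """True when the account's mail domain is not the organization's own."""
    return email.rsplit("@", 1)[-1].lower() != ORG_DOMAIN


def review_shares(shares: list[dict]) -> list[Finding]:
    """Return one finding per exposure: anyone-with-link, or an external grant.
    Severity depends on whether the file carries a non-public label."""
    findings: list[Finding] = []
    for s in shares:
        sensitive = s["label"] != "public"
        if s["link"] == "anyone":
            findings.append(Finding(s["file"],
                                    "high" if sensitive else "info",
                                    "anyone-with-link"))
        for g in s["grants"]:
            if is_external(g["who"]):
                findings.append(Finding(s["file"],
                                        "high" if sensitive else "low",
                                        f"external:{g['who']}:{g['role']}"))
    return findings


def high_severity_files(shares: list[dict]) -> list[str]:
    """Files needing immediate review: confidential data reachable externally."""
    return sorted({f.file for f in review_shares(shares) if f.severity == "high"})


if __name__ == "__main__":
    for f in review_shares(SHARES):
        print(f"{f.severity:5} {f.file:20} {f.reason}")
    print("needs review:", high_severity_files(SHARES))
```

Keeping the link mode and the individual grants as separate checks matters: a file with no explicit external grant can still be fully exposed through an anyone-with-link URL, which is exactly the case the text calls out.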
SaaS security solutions
Several types of security solutions can help organizations improve SaaS security. Data loss prevention (DLP) safeguards intellectual property and protects sensitive data in cloud applications, as well as at endpoints such as laptops. Organizations can define data access policies that DLP enforces.