Lured by the promise of lower operating costs and improved flexibility, many businesses are continuing to increase their usage of software-as-a-service (SaaS) offerings.
Designed to provide support to almost every function within a business, SaaS platforms remove the need for cumbersome, on-premise infrastructure. Delivered from the cloud, they can be quickly configured and scaled to match changes in demand.
However, while they offer enticing benefits, SaaS platforms can also result in some significant security challenges. With resources now housed outside the traditional corporate firewall, new methods must be found to ensure they remain resilient to attack or misuse.
Challenges are also caused by the fact that SaaS platforms are – by design – public facing. This can potentially make them attractive targets for cybercriminals who are keen to gain access to the valuable business data stored within them.
Most SaaS platforms have also been designed to be as efficient as possible for the vendor operating them. This means access is usually via APIs and users have little or no access to the underlying technology.
Strengthening SaaS security
The first step a business can take to improve the security of its SaaS applications is to make an inventory of all those being used across the organisation. These could be anywhere from the back office and call centre to the front office, warehouse, and manufacturing facilities.
The next step is to compile a list of any ‘unofficial’ SaaS products that are being used by staff. These may not have been approved by the IT department but have still become part of many daily workflows. Examples include services such as Dropbox and Google Docs.
Once this has been completed, the next step is to examine how staff are authenticating themselves and gaining access to the various SaaS platforms being used. Multiple log-in methods can create multiple weak points that can be exploited by an attacker.
To combat this issue, companies can introduce a single sign-on strategy. This will remove the need for staff to manage multiple passwords and other credentials and can ensure that only those who are authorised can access the SaaS resources.
An additional recommended step is to deploy multi-factor authentication. This ensures that, even if an attacker is able to obtain login credentials, they still won’t be able to gain access to the SaaS resources.
Following this, the IT team should adopt a strategy that can be dubbed ‘watching the watcher’. Most SaaS platforms will either write audit data out to a third party or provide a logging or event API. By constantly monitoring this data, the team will be able to spot unusual activity or unauthorised access and take immediate steps to remedy the situation.
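As an added illustration of what ‘watching the watcher’ looks like in practice (example code written for this article, not from any SaaS vendor), the script below reads a constructed sample of audit events in a generic JSON-lines shape and applies three simple rules: a successful login preceded by a burst of failures, a successful login without MFA (which would contradict the MFA step above), and two successful logins from different countries within a short window. The field names, thresholds and sample data are assumptions for the example; every real platform’s logging or event API has its own schema and the parser would need to be adapted to it.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of SaaS audit events in JSON-lines form. The field names are an
# assumption for this example; a real platform's logging API has its own schema.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:12Z", "user": "alice@example.com", "action": "login", "result": "success", "ip": "203.0.113.10", "country": "AU", "mfa": true}
{"ts": "2024-03-01T08:05:40Z", "user": "alice@example.com", "action": "file.download", "result": "success", "ip": "203.0.113.10", "country": "AU", "mfa": true}
{"ts": "2024-03-01T08:06:01Z", "user": "bob@example.com", "action": "login", "result": "failure", "ip": "198.51.100.7", "country": "AU", "mfa": false}
{"ts": "2024-03-01T08:06:09Z", "user": "bob@example.com", "action": "login", "result": "failure", "ip": "198.51.100.7", "country": "AU", "mfa": false}
{"ts": "2024-03-01T08:06:17Z", "user": "bob@example.com", "action": "login", "result": "failure", "ip": "198.51.100.7", "country": "AU", "mfa": false}
{"ts": "2024-03-01T08:06:30Z", "user": "bob@example.com", "action": "login", "result": "success", "ip": "198.51.100.7", "country": "AU", "mfa": false}
{"ts": "2024-03-01T09:30:00Z", "user": "alice@example.com", "action": "login", "result": "success", "ip": "192.0.2.55", "country": "RO", "mfa": true}
{"ts": "2024-03-01T10:00:00Z", "user": "carol@example.com", "action": "login", "result": "success", "ip": "203.0.113.44", "country": "AU", "mfa": true}
"""


def parse_events(text):
    """Parse JSON-lines audit data into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, fail_threshold=3, fail_window=timedelta(minutes=10),
           travel_window=timedelta(hours=2)):
    """Run three rules over login events and return a list of alert dicts."""
    alerts = []
    recent_failures = {}   # user -> failure timestamps still inside fail_window
    last_success = {}      # user -> (timestamp, country) of the latest successful login

    for ev in events:
        if ev["action"] != "login":
            continue
        user, ts = ev["user"], ev["ts"]

        # Keep only failures that are still within the window of this event.
        fails = [t for t in recent_failures.get(user, []) if ts - t <= fail_window]

        if ev["result"] == "failure":
            fails.append(ts)
            recent_failures[user] = fails
            continue

        # From here on the login succeeded.
        if len(fails) >= fail_threshold:
            alerts.append({"rule": "success_after_failures", "user": user, "ts": ts,
                           "detail": f"{len(fails)} failures within {fail_window} before success"})
        recent_failures[user] = []

        if not ev.get("mfa", False):
            alerts.append({"rule": "login_without_mfa", "user": user, "ts": ts,
                           "detail": f"successful login from {ev['ip']} without MFA"})

        prev = last_success.get(user)
        if prev and prev[1] != ev["country"] and ts - prev[0] <= travel_window:
            alerts.append({"rule": "impossible_travel", "user": user, "ts": ts,
                           "detail": f"{prev[1]} then {ev['country']} within {ts - prev[0]}"})
        last_success[user] = (ts, ev["country"])

    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"[{a['rule']}] {a['user']} at {a['ts']:%H:%M:%S}: {a['detail']}")
```

Run against the sample, the script raises two alerts for bob (a success following three failures, and a login without MFA) and one for alice (a login from a second country less than two hours after the first). The thresholds are parameters so the same rules can be tuned per platform, and the event stream is processed in a single pass, which is how it would be wired to a polling job against a vendor's event API.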
Consider disaster recovery
The IT team also needs to ensure there are clear plans in place for the steps that will be followed should a security breach occur within the SaaS resources being used by the business. There also needs to be a clear understanding of what will be done by the SaaS platform provider and what will remain the responsibility of the business.
The plan should cover aspects such as how data backups will be used to bring systems back online and the timeframe in which this can be achieved. Other factors that need to be covered include responses to major network outages or disruption to the SaaS provider’s data centre.
These issues need to be closely examined before any initial SaaS contract is signed. If a vendor cannot confirm that they have the ability to switch to an alternative facility should problems arise, it will be best to select another.
It’s also important to consider what the impact of a SaaS security breach would be on other applications and processes within the business. If they are reliant on data feeds, for example, from a SaaS platform, a breach there could have a flow-on effect in other areas.
By taking these steps and being mindful of maintaining effective security around all SaaS platforms being used, a business will be well placed to enjoy the benefits on offer while also minimising the chance of a damaging breach or disruption. In this way, the flexibility and cost effectiveness of SaaS will be fully realised.