Software as a Service (SaaS) is huge. More and more developers are choosing SaaS as the delivery mechanism for their software and services, and more and more businesses are using it. Where you or your organization have internally developed, SaaS-delivered applications, ensuring the security of those applications is critical both to the security of the data and to minimizing risk to your organization!
Web development has made leaps and bounds in functionality since Tim Berners-Lee invented the web in 1990. Now web applications serving SaaS offer functions like CAD software, DBMS software, payroll, accounting, record keeping, collaboration, enterprise resource planning, and more. With SaaS, the sky's the limit! But sensitive data often goes through the endpoints that users deal with, and the servers that drive SaaS. Protecting your SaaS development and production infrastructure from cyber-attacks is crucial. Following are best practices for when your company is ready to offer your own SaaS application. Keep in mind that these are some basics, rather than a comprehensive guide.
Security Controls
Your SaaS infrastructure should have built-in controls to manage user access and data in a secure way.
- Data and application controls help to keep your data secure. There are different mechanisms you can employ:
  - Data encryption is a mechanism all SaaS systems should have. Whichever ciphers you use, the encryption keys should be managed and stored securely within a key management system (KMS), which can be as simple as a secure server on your premises, a trusted third party, or some other physical or logical proprietary or open source solution. As much as possible, data should be encrypted both at rest (such as when it's stored on a disk) and in transit.
  - Data loss prevention (DLP) mechanisms and policies should also be employed. There are two aspects to DLP: detection and action. DLP detection systems can look for certain keywords and phrases in transmitted text to determine whether your corporation's sensitive data is being leaked to an unauthorized party or entity. There are also SaaS APIs you may implement in your development that can capture events such as when a file is opened, and by whom. All such events can be configured to appear in DLP logging. An administrator or SIEM solution can then receive an alert and decide whether it's a false positive or a true positive. If a true positive incident is reported, the next step is action. Company security policy determines how to respond to incidents such as a sensitive file being emailed to an unauthorized party.
  - Never assume that just because your application runs through the cloud you don't need your own backups. You can never have too many backups. What if something terrible happens to your web servers? Make sure the metadata of your files is included in your backups. Metadata plays a vital role in determining who created your files, how, and various permission and usage rights. To simplify your operations, there are third party backup services such as Spanning, Barracuda, and Backupify. Comparison shop carefully.
- Identity and access management is just as important in your SaaS environment as it is in any of your other traditional applications hosted on your on-premises and corporate networks.
  - Make sure that each employee, user, or authorized contractor who is allowed to use your SaaS application has authentication credentials that are unique to them.
  - Where passwords are used, a password policy is just as important for SaaS as it is for everything else. Not only should complexity be enforced, but passwords should also be changed at least once every three months.
  - Where possible, there should also be an extra authentication factor, commonly referred to as two-factor authentication (2FA) or multi-factor authentication (MFA), such as a time-based one-time code or a physical token such as a USB device.
  - Access controls are also important. Depending on the nature of your SaaS application, access rights can be determined by the user's role and network location. For example, a user may be denied access if they're outside of the company's network, such as on a home WLAN. Or they may need multi-factor authentication if they're accessing their employer's SaaS application from home.
- Implement logging and monitoring controls. Not only should you log authentication and access events and DLP-related events, you should also log various other metrics related to SaaS use. In particular, watch for events (either through your own logging capabilities, or by implementing other security products such as a SIEM) such as when a user:
  - Tries to acquire access to a function they're not authorized for.
  - Uploads and/or downloads a lot more data than usual.
  - Connects from two very different geographic locations within an unrealistic time frame. For example, how could you log in from New York at 10am, and then log in from Los Angeles at noon?
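As an added illustration of the two DLP stages described above (detection, then policy-driven action), and not code from the original post: a small Python scanner with constructed detection rules, a constructed response policy, and constructed sample transmissions.

```python
import re
from dataclasses import dataclass

# Constructed detection rules (hypothetical, not from the original post): a
# keyword/phrase marker and a structured-data pattern shaped like a US SSN.
DLP_RULES = {
    "confidential_marker": re.compile(r"\b(confidential|internal only)\b", re.I),
    "ssn_pattern": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Action stage: policy maps (action, rule) to a response; unlisted pairs are only logged.
RESPONSE_POLICY = {
    ("email_send", "ssn_pattern"): "block_and_alert",
    ("email_send", "confidential_marker"): "alert",
    ("file_share", "confidential_marker"): "alert",
}

@dataclass
class DlpEvent:
    actor: str    # who initiated the transmission
    action: str   # e.g. "email_send" or "file_share"
    rule: str     # which detection rule matched
    sample: str   # redacted excerpt, so the alert itself does not re-leak data

def redact(matched):
    # Keep the first two characters so an analyst can still recognise the match.
    return matched[:2] + "*" * (len(matched) - 2)

def dlp_scan(actor, action, text):
    """Detection stage: one DlpEvent per rule that matches the text."""
    events = []
    for name, pattern in DLP_RULES.items():
        if match := pattern.search(text):
            events.append(DlpEvent(actor, action, name, redact(match.group(0))))
    return events

def decide_response(event):
    return RESPONSE_POLICY.get((event.action, event.rule), "log_only")

# Constructed sample transmissions an outbound gateway might inspect.
SAMPLE_TRANSMISSIONS = [
    ("alice", "email_send", "Hi Bob, the draft is attached."),
    ("carol", "email_send", "Please process SSN 123-45-6789 for onboarding."),
    ("dave", "file_share", "CONFIDENTIAL: Q3 roadmap - internal only"),
]

def run_dlp(transmissions=SAMPLE_TRANSMISSIONS):
    # Returns (actor, rule, response) for every detection in the batch.
    return [(ev.actor, ev.rule, decide_response(ev))
            for actor, action, text in transmissions
            for ev in dlp_scan(actor, action, text)]
```

The redacted sample is what goes into the DLP log and the SIEM alert; the analyst then classifies it as a true or false positive before the policy's action is applied.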
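The third monitoring event above (the New York at 10am, Los Angeles at noon login pair) as an added example, not from the original post: a Python detector that flags consecutive logins by one user whose implied travel speed is unrealistic, run over a constructed login log and a constructed city-coordinate table.

```python
import math
from datetime import datetime, timezone

# Constructed lookup of approximate city coordinates (lat, lon in degrees);
# in practice this comes from a GeoIP lookup on the login source address.
CITY_COORDS = {
    "New York": (40.71, -74.01),
    "Los Angeles": (34.05, -118.24),
    "Newark": (40.74, -74.17),
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_impossible_travel(logins, max_speed_kmh=900.0):
    """Flag consecutive logins by the same user whose implied ground speed
    exceeds max_speed_kmh (roughly airliner speed, a constructed threshold).
    Returns (user, from_city, to_city, km, hours) per suspicious pair."""
    by_user = {}
    for user, ts, city in sorted(logins, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((ts, city))
    alerts = []
    for user, events in by_user.items():
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            km = haversine_km(*CITY_COORDS[c1], *CITY_COORDS[c2])
            hours = (t2 - t1).total_seconds() / 3600
            # Same city is never suspicious; a different city with no time
            # gap at all is impossible outright, so treat it like infinite speed.
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append((user, c1, c2, round(km), round(hours, 2)))
    return alerts

# Constructed login log: (user, UTC timestamp, GeoIP city). Alice's pair is
# the New York 10am / Los Angeles noon case from the text.
LOGINS = [
    ("alice", datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc), "New York"),
    ("alice", datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc), "Los Angeles"),
    ("bob", datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc), "New York"),
    ("bob", datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc), "Newark"),
]

if __name__ == "__main__":
    for alert in find_impossible_travel(LOGINS):
        print("impossible travel:", alert)
```

Bob's New York to Newark hop is a few kilometres over half an hour and stays silent; tune the speed threshold to your users' real travel patterns so VPN exits and shared office addresses do not flood the SIEM.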
Always Evaluate and Change
Most general cybersecurity wisdom applies to SaaS as much as it does to all of your other computer technology systems.
More and more SaaS security controls and services are also transmitted through the cloud. From time to time, evaluate which security controls and systems should be done in house, or via third party cloud services. Choose your hosting providers and security vendors carefully, and look out for when they offer new products and services.
Penetration test your SaaS applications and infrastructure at least once or twice per year. Employ red teams, blue teams, and purple teams. (Blue teams penetration test from a defensive perspective, purple teams test both offensively and defensively.) Consider their findings carefully.
Evaluate all of your security policies and mechanisms every so often. Do so at least as frequently as you hire penetration testing. Don't hesitate to spend money on employee training, networking, security testing, hardware, and software.
Watch for OWASP's Top Security Issues
An extremely valuable resource to review while developing or enhancing your internally developed, SaaS-delivered applications is the Open Web Application Security Project (OWASP), which maintains a list of the top security issues that web applications face. Be mindful of these issues (bulleted below), and make sure that you have mechanisms, applications, policies, and procedures to address them.
- Injection flaws, such as SQL, LDAP, and operating system command injection
- Insecure authentication and session management
- Data integrity vulnerabilities that enable cross-site scripting
- Insecure direct object references, such as exposed file and directory paths
- Cross-site request forgery
- Poor database, operating system, and middleware configuration
- Exposing sensitive data, such as authentication credentials and personal information
- Using components with known vulnerabilities
- Missing function-level access checks on the server side or inside business logic
- Unvalidated redirects and forwards
My tips should prepare you to design and implement a secure SaaS system. For further reading, I recommend Intel's whitepaper SaaS Security: Best Practices, Minimizing Risk in the Cloud and Hightail's SaaS Security Assessment Guide.