Software companies have naturally embraced the cloud. It provides countless benefits for their clients, ranging from the lack of installation or maintenance of on-premises solutions to the ease of scalability. However, with benefits come risks as it provides Threat Actors with a single, centralised internet-facing target. Consequently, security becomes paramount.
If you are a SaaS provider, your customers will want to ensure that security risks have been addressed for the platform. So, let’s look at the top 5 minimum best security practices that all SaaS providers should implement before taking the platform live. These are the essentials for security management.
- Data is encrypted
Unencrypted traffic could be intercepted by well-positioned attackers and thereby impact the confidentiality and integrity of the data. Therefore, it is vital that data in any form of transit to the cloud application should be encrypted using TLS 1.2 or above and utilise known and public authorities to ensure external certificates are trusted. Similarly, communication between microservices should be encrypted if they leave the cloud service’s virtual networks.
- Authentication and Authorisation
It is vital to ensure privilege separation (i.e. multiple levels of user access on the application), ranging from a low privileged account (such as a guest) to a tenant administrator. Furthermore, the application should allow multi-factor authentication where the policy could be enforced by one of the SaaS customer’s administrative accounts. Finally, if the SaaS application provides an API, these principles should be applied to it also, albeit utilising different means.
- Continuous patching and testing
Conducting regular penetration testing exercises against the SaaS application and its underlining infrastructure is a key control required to ensure the continued confidentiality, integrity, and availability of the data it processes. More importantly, the test results must be actioned upon where the identified vulnerabilities are remediated and their root causes being identified and addressed.
Beyond security penetration testing, the SaaS provider should have a robust vulnerability management programme. This would involve vulnerability scanning on a regular, periodic basis and prioritising findings based on severity, ease of exploitation and difficulties of remedial action.
- Logging and monitoring
Being able to trace events is a vital component in your defences. If you don’t have visibility on actions performed on your assets, how are you supposed to defend them? These can then be fed into monitoring tools (i.e. SIEMs) to aggregate and correlate events, alerts and incidents. SaaS clients may also want to use their application logs for similar purposes; therefore, it is important these are provided to them. Doing so allows SaaS customers to have accountability and traceability of all actions performed. Finally, transparency is key. For instance, if you are logging certain actions performed by clients, this should be made clear to them. This goes for any aspect of security where it should be transparent to customers details on the security features that are implemented and how best to configure them.
- Incident response
It is vital to both plan and prepare for cyber incidents. These could range from Denial-of-Service attacks against the infrastructure to the data on the application being encrypted in a ransomware attack. For each one of these scenarios, the SaaS provider should develop and rehearse incident response plans. Finally, executives should be trained and tested during tabletop exercises conducted and executed by a trusted third party who has full knowledge of Business Continuity, Disaster Recovery and Incident Response plans.
Security doesn’t stop here
These are just the top 5. The absolute minimum that your provider should be implementing. For a full list, see the National Cyber Security Centre’s Software as a Service (SaaS) security guidance. It’s a good idea to only consider those SaaS providers that are SOC 2 compliant as the framework requires that selected security criteria are appropriately addressed and evidenced. It doesn’t get any better than that.
Do you have a specific question about SaaS security? Get in touch with the Crew. We are happy to help, it’s what we do at Risk Crew.
