Software as a service and Security in Cloud Computing

Home >> Software as a service and Security in Cloud Computing

What you need to know about software as a service and security in cloud computing

It’s probably safe to say that the many advantages of the software-as-a-service (SaaS) model mean that it’s here to stay for the foreseeable future. This means that companies are going to need to develop at least a basic understanding of what it means for security in general and data protection in particular. With that in mind, here is a quick guide to what you need to know about software as a service and security in cloud computing.

SaaS makes security a dual responsibility

With SaaS, as with pretty much everything else to do with the cloud, security is a dual responsibility. The provider is responsible for securing their cloud platform against external threats (environmental and human) and the customer is responsible for managing their own accesses to ensure that they are not misused by their own staff or anyone else.

Software as a service and Security in Cloud Computing

With SaaS you are very much dependent on your service provider’s security

SaaS is typically offered in a public cloud environment, in other words, customers access a service that is used by other, unrelated, customers, of whom they have no knowledge and over whom they have no control.

This means that in addition to the standard threat of cyberattackers, you have the theoretical possibility that another customer will either be leaked your data or use their access to breach the “invisible walls”, which are supposed to separate customers from each other and give the illusion of complete privacy. For the sake of completeness, at present, we are not aware of any real-world instances where this has happened, just “proof-of-concept” demonstrations.

Because of this, it’s really important to make sure that you are working with a reputable SaaS provider and make sure that you understand as much as possible about their security and how they implement it. Obviously, the exact details of the security system will almost certainly be a closely-guarded secret but many providers will give customers a thorough overview of what sort of processes and tools they use to make sure that their platform has robust protection.

Unauthorized use of SaaS can be a major security threat

You can only scrutinize a vendor’s security when you know you are using a vendor and you can only decide what additional security processes are required for a SaaS platform when you are aware that you are using it. It’s not enough just to tell employees that they must get permission before signing up to a SaaS platform (especially since they may not grasp what a SaaS platform actually is). You need to keep monitoring and auditing your network usage so that you quickly identify who is using what and take remedial access as necessary.

For the sake of completeness, if you have a fairly relaxed network-usage policy, employees may use unauthorized SaaS services for their own purposes, for example, during their lunch break. In principle, you may be fine with this, but you will still need to check firstly that their activity is personal and does not involve any of your data and secondly that there is no other way that their SaaS usage might compromise your security.

Your SaaS security is only as good as your identity and access management

Identity and access management is core to all forms of security and SaaS is no exception. The good news is that it’s fairly straightforward to implement a very granular level of access control – once you have defined exactly who needs access to exactly what. There also needs to be a process in place to ensure that accesses are reviewed periodically, even if people stay within the same role.

If you’re handling sensitive data, you need to manage it effectively

This is also far from unique to the SaaS environment, but it does have particular implications for SaaS use because SaaS platforms give you limited visibility of how the SaaS provider manages your data, which means that unless you have reliable guarantees that they will be implementing the highest levels of data security, especially encryption, you’ll need to do it yourself.

Even if your SaaS provider is prepared to guarantee the highest levels of data security, you’ll still need to manage your own employees, or perhaps it would be better to say your own accesses, to ensure that they are not misused deliberately or accidentally. In addition to guarding against data loss, you’ll need to take precautions against data corruption. This is particularly important for those working in regulated environments, but really has implications for just about any company using SaaS.

If you’d like to know more about software as a service and security in cloud computing, please click here now to contact Aperio.IT.

Service Provider Security