Executives are increasingly facing the task of balancing the advantages of productivity gains against significant concerns about security and compliance as enterprises move their applications and data to the cloud. Security in the cloud is nothing like the security in your corporate data center. When you have no real physical control over the infrastructure you’re trying to secure, you’ll have to familiarize yourself with new rules and cultivate a different way of looking at things.
Consider using application security scanners, or engaging companies that provide application scanning services, during your development and testing process. You can also run source code scanners as part of your nightly builds. These tools and services are automated and give you a quick, detailed analysis of security issues, and you don’t have to be a security expert to run them. If you happen to be short of budget, there are plenty of free, open-source tools available. Now, before we get to the best practices for securing your SaaS application, let’s talk about the security challenges.
Most enterprises are comfortable with the traditional on-premise model, where their data resides within their enterprise boundary, subject to their policies. So of course, there is a great deal of discomfort with the lack of control and understanding of how their data is being stored and secured in the SaaS model. All this gives rise to substantial concerns about data breaches and application vulnerabilities, which could lead to financial and legal liabilities.
SaaS solutions are either deployed on a public cloud or hosted by the SaaS vendor. In a self-hosted deployment, you’ll have to ensure adequate safeguards are in place to protect yourself against network penetration and DoS attacks. On the other hand, dedicated cloud providers like Amazon and Google shoulder the responsibility of securing SaaS applications by providing infrastructure services that help ensure data security, data segregation, network security, and so on. If you choose to deploy your SaaS application on a public cloud, make sure your security settings conform to the best practices recommended by that cloud vendor.
One of the two most essential certifications you should concern yourself with is PCI DSS. For this certification, a SaaS provider has to undergo detailed audits to ensure sensitive data is stored, processed and transmitted in a fully protected manner. PCI DSS is a multifaceted security standard that includes requirements for security management, procedures, policies, software design, network architecture and other critical protective measures. The second, SOC 2 Type II, is helpful when it comes to regulatory compliance oversight, internal risk management processes and vendor management programs. SOC 2 certification attests that a cloud service is designed and conscientiously managed to maintain a high level of data security. Both certifications offer useful comparative information about the cloud service providers you’re considering.
To ensure the highest level of security, all interaction with servers must happen over SSL, and the SSL connection should terminate only inside the cloud service provider’s network. Encryption is essential for data at rest too. Ideally, your cloud service provider also offers field-level encryption: you should be able to specify the fields you want encrypted, be it a credit card number, SSN or CPF.
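Field-level encryption of the kind described above, as an added example that is not code from the original article or from any particular provider: only the fields named in the constructed `Sensitive` set are encrypted with AES-256-GCM, the field name is bound as associated data, and the 32-byte key is assumed to come from a key-management service rather than being hard-coded.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Sensitive names the fields that must never reach storage in cleartext
// (constructed for this example; the key is assumed to come from a KMS).
var Sensitive = map[string]bool{"card_number": true, "ssn": true, "cpf": true}
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // wrong key length is a programming error, not bad input
	}
	aead, _ := cipher.NewGCM(block) // only fails for non-16-byte block ciphers
	return aead
}

// EncryptFields copies rec, replacing each sensitive field with base64(nonce||ct||tag).
// The field name is bound as associated data, so a value moved to another column fails to open.
func EncryptFields(key []byte, rec map[string]string) map[string]string {
	aead, out := newGCM(key), map[string]string{}
	for k, v := range rec {
		if !Sensitive[k] {
			out[k] = v // non-sensitive fields stay searchable cleartext
			continue
		}
		nonce := make([]byte, aead.NonceSize())
		rand.Read(nonce) // fresh random nonce per value
		out[k] = base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(v), []byte(k)))
	}
	return out
}
// DecryptField recovers one sensitive field; tampered or misplaced values return an error.
func DecryptField(key []byte, name, blob string) (string, error) {
	aead, ns := newGCM(key), 12 // 12 bytes is GCM's standard nonce size (aead.NonceSize())
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil || len(raw) < ns {
		return "", errors.New("malformed ciphertext in field " + name)
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(name))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```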
Make sure the vulnerability and incident response tools provided by your cloud service vendor are industry-leading ones. These incident response tools enable fully automated security assessments that test for system weaknesses, dramatically shortening the time between critical security audits. You decide how often a vulnerability assessment is required, which may vary from device to device and from network to network. Further, you can schedule scans or run them on demand.
As specified in a customer contract, after a customer’s data retention period has ended, the customer’s data must be programmatically deleted.
Add protective layers with user-level data security to ensure compliance with your organization’s internal and external data security standards. Your cloud service vendor should provide role-based access control (RBAC) features, allowing you to set user-specific access and editing permissions for your data. Such a system enables fine-grained, access-control-based, enforced segregation of duties within an organization.
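A minimal RBAC enforcement point with segregation of duties, added here as an example that is not code from the original article or from any vendor’s product: roles, the conflicting role pair and the user are all constructed for the illustration, access is default-deny, and role assignment refuses any combination that would let one person both create and approve an invoice.

```go
package main

import "fmt"

// Permission is an action on a resource, e.g. "invoice:approve".
type Permission string

// Roles bundles permissions; these roles are constructed for the example.
var Roles = map[string][]Permission{
	"viewer":   {"invoice:read"},
	"clerk":    {"invoice:read", "invoice:create"},
	"approver": {"invoice:read", "invoice:approve"},
	"admin":    {"user:manage"},
}

// Conflicts lists role pairs that enforce segregation of duties:
// nobody may both create and approve invoices.
var Conflicts = [][2]string{{"clerk", "approver"}}

type User struct {
	Name  string
	Roles []string
}

// AssignRole adds a role unless it would give the user a conflicting pair.
func AssignRole(u *User, role string) error {
	if _, ok := Roles[role]; !ok {
		return fmt.Errorf("unknown role %q", role)
	}
	for _, c := range Conflicts {
		for _, have := range u.Roles {
			if (have == c[0] && role == c[1]) || (have == c[1] && role == c[0]) {
				return fmt.Errorf("segregation of duties: %s cannot hold both %s and %s", u.Name, have, role)
			}
		}
	}
	u.Roles = append(u.Roles, role)
	return nil
}
// Can is the enforcement point: default deny, allow only if a held role grants p.
func Can(u *User, p Permission) bool {
	for _, r := range u.Roles {
		for _, granted := range Roles[r] {
			if granted == p {
				return true
			}
		}
	}
	return false
}
```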
Rather than placing you on a multi-tenant instance, your SaaS provider should be able to offer a cloud environment meant only for you, in which you have full control over the data. Amazon Web Services (AWS) refers to this as a virtual private cloud (VPC). Clients can securely connect the VPC to their corporate data center: all traffic to and from instances in the VPC is routed to the corporate data center over an industry-standard encrypted Internet Protocol security (IPsec) hardware VPN connection.
The significant benefits offered by the Software as a Service (SaaS) model, such as improved operational efficiency and reduced costs are reason enough to adopt this model. However, to overcome your concerns about application and data security, ensure the vendor you go with is addressing these issues head-on. When we come down to it, these concerns generally stem from our lack of control and visibility into how our data is being stored and secured by SaaS vendors.
Adopting SaaS security practices, from secure product engineering and deployment through GRC audits to regular SaaS security assessments, is vital to securing SaaS solutions and addressing these fears. These measures help identify security issues upfront and ensure the safety of our data. The points above are just some of the key security provisions any cloud service provider should build into its service. Defense in depth is traditionally a matter of strict design principles and security policies, practiced across departments and areas of expertise.