By Greg Keller Posted December 1, 2015
Security is a top concern for organizations that leverage Software-as-a-Service (SaaS). While each SaaS provider does their security differently, we wanted to share the best ways to think about securing your SaaS infrastructure. We put this high-level guide together so that organizations can know what to look for in their SaaS providers, as well as be able to sniff out “good” security from the bad.
Identify Critical Data Before Choosing a SaaS Solution
A word of caution first: Every SaaS solution is different. And every SaaS solution has a differing level of impact on your organization’s data. For example: You may view financial data as far more critical than, say, marketing metrics. Or, frankly, it could be vice versa. How you as an organization view this data, and its importance, should dictate what level of security scrutiny you apply.
The 6 SaaS Levels To Secure within Your Company
At a high level, we believe that security of SaaS-based systems can be broken down into six levels: cloud, network, server, user access, application, and data. That said, there should be coordination between these levels, as well as a system that can collect all of this data in order to make sense of it. Processes and training also need to be put in place. We are believers in a layered model for security, because each layer today can be a target. By systematically securing each layer, your Software-as-a-Service solution will be better secured.
Below is an overview of the six layers that we think all SaaS providers, and you as the customer, should consider securing. As always, this is not an exhaustive list, and we would be interested in hearing from other customers and SaaS providers on additional approaches they may take to lock down their service.
1. Cloud
Most SaaS services are hosted in whole or in part on public cloud IaaS (Infrastructure-as-a-Service) providers. The first (and most important) layer of security comes in this category. If your cloud credentials are compromised, most of the rest of the layers in this article can become moot. While some cloud providers do little around system-level user account provisioning, some providers allow you to do user provisioning directly from your cloud console. This means that even locking down your cloud user accounts may not help if your cloud login credentials are lost or stolen. It’s imperative that you protect your cloud credentials by limiting access to specific resources based on a specific need. Any time username or password credentials are used, multi-factor authentication should also be enforced: no IaaS, PaaS or even SaaS user account should be accessible without two factors of authentication.
2. Network
At its core, securing the network layer means ensuring that only the right traffic can get to your systems, and bad traffic cannot. There may be a variety of techniques that you use, but fundamentally the goal is controlling traffic. The approach you’ll use may be tactically different if you are leveraging your own data center versus utilizing a third-party provider like AWS or Google Compute Engine. In general, you’ll want to reduce the ways that good or bad traffic can get to your systems, and then filter that traffic for only what is effectively good. Virtually all of the major IaaS players help provide tools to limit your exposure at the network layer. You may choose to leverage additional mechanisms to “cleanse” the traffic, but that may or may not be necessary, depending upon what you do at the other layers.
3. Server
The server layer also needs to be locked down. Generally, this consists of limiting what is on the machines, hardening the system by closing ports and turning off services, and ensuring that the system is patched. A good configuration management and automation system can help dramatically with this problem, but the approach should be to find an operating system version that works well for your application and can also be secured. A critical part of the process here should be updating your software on a regular basis. Just as most companies have moved to continuous integration with their application, they need to do that with their base operating system as well. This will help ensure that the latest, most secure software is leveraged. Note that your strategy here may change slightly with containers, but the concepts still apply.
4. User Access
Perhaps the area of greatest weakness in any system is the control of user access. Credentials can be compromised. Credentials are often reused, and dormant accounts can exist on machines that increase the chances of being compromised. The good news is that IT tools can help. A solution called Directory-as-a-Service can implement tight controls over who can access machines and when, and can terminate that access if they leave. Every SaaS organization should have full visibility over every person that has access to production machines. Multi-factor authentication and complex passwords should be enabled.
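The access review described above can be run as a simple check over an inventory of who holds access to which production machine. The following is an added example, not code from the original post or from any directory product; the inventory rows are constructed, and the field names and the 90-day dormancy threshold are assumptions.

```python
from datetime import date

DORMANT_AFTER_DAYS = 90  # assumed threshold; the post does not give one

# Constructed inventory: one row per (person, production host) grant.
ACCOUNTS = [
    {"user": "alice", "host": "prod-web-1", "last_login": date(2015, 11, 28), "mfa": True,  "employed": True},
    {"user": "bob",   "host": "prod-web-1", "last_login": date(2015, 6, 2),   "mfa": True,  "employed": True},
    {"user": "carol", "host": "prod-db-1",  "last_login": date(2015, 11, 30), "mfa": False, "employed": True},
    {"user": "dave",  "host": "prod-db-1",  "last_login": date(2015, 11, 20), "mfa": True,  "employed": False},
    {"user": "erin",  "host": "prod-db-1",  "last_login": None,               "mfa": False, "employed": True},
]

def review_account(acct, today):
    """Return the list of findings for one access grant."""
    findings = []
    if not acct["employed"]:
        findings.append("departed-user")   # access outlived employment
    last = acct["last_login"]
    if last is None:
        findings.append("never-used")      # provisioned but never needed
    elif (today - last).days > DORMANT_AFTER_DAYS:
        findings.append("dormant")         # unused credential still valid
    if not acct["mfa"]:
        findings.append("no-mfa")          # password is the only factor
    return findings

def review(accounts, today):
    """Map (user, host) -> findings, keeping only grants that need action."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[(acct["user"], acct["host"])] = findings
    return report

def who_can_reach(accounts, host):
    """The visibility question: every person with access to a given host."""
    return sorted(a["user"] for a in accounts if a["host"] == host)

if __name__ == "__main__":
    today = date(2015, 12, 1)
    for (user, host), findings in sorted(review(ACCOUNTS, today).items()):
        print(f"{user}@{host}: {', '.join(findings)}")
    print("prod-db-1:", who_can_reach(ACCOUNTS, "prod-db-1"))
```

Grants that come back with no findings are omitted from the report, so the output is the list of accounts to disable, re-justify or enroll in MFA.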
5. Application
At the application layer, the more significant risks are in the form of coding errors. Developers are often moving fast pushing out features. Code reviews and penetration testing should help find common errors that can be leveraged to hijack the application or database. The OWASP Top 10 list is an excellent place to start and can help you find issues with your code. As a reminder: The issue may not be just with your code, but it could be in third-party libraries or components that you utilize. Those should be screened and tested as well to the extent that they can be.
6. Data
Of course, a customer’s data also needs to be secured. This can be done by encrypting the data at rest and in flight. The key, however, is how to protect those keys. Encryption keys need to be safeguarded and the overall architecture of where data lives, where it is encrypted, and where it is decrypted needs to be thought through to ensure that the flow is as secure as possible. An encrypted database with the keys right next to the database doesn’t help anybody if the machine has been compromised. Take care that the effort you are putting into encrypting data is really worth it.
The Human Layer and Beyond
While these are the six layers that we would advocate securing, there is one other layer that we would be remiss not to mention: the human layer. Social engineering attacks are on the rise and getting more sophisticated. You could say that phishing attacks were a form of social engineering, but the clumsy emails have given way to highly targeted, sophisticated attacks on specific individuals. Ensure that your policies protect you from these attacks, but also spend time training your team on how to thwart these attacks.
As the world moves to SaaS – and it is happening on a mass scale – dig deeply into how you can secure your infrastructure. Leverage key capabilities, such as Directory-as-a-Service, that will help you secure your systems. But also build the right processes to help support a security mindset. If you have any questions about what we mentioned in this post, drop us a note. As a SaaS provider ourselves, we can definitely talk from experience about different approaches to security that we have seen work, as well as those that have not worked. Also, feel free to send us a note about additional ideas you may have on this topic.