Software as a Service (SaaS) has emerged as a popular delivery model to increase the efficiency of business-driven IT services. Ease of implementation and lower IT costs via “pay as you go” models have proven attractive for enterprises desiring the benefits of modern applications without having to invest in and deliver these services internally.
Because SaaS services can be hosted in public cloud environments, a number of security concerns can result from lack of control over, and visibility into, the SaaS provider’s security environment. In the SaaS model, client data is governed by the provider’s security framework, not the client’s.
Following are key questions organizations can ask to ensure their SaaS provider is maintaining the confidentiality and integrity of data in transmission and storage.
- Are appropriate encryption mechanisms used for data in transit and storage?
- Is the latest approved version of Secure Sockets Layer (SSL)/Transport Layer Security (TLS) used to protect data sent from client systems to the SaaS provider?
- What encryption key management is used to protect sensitive data in storage? Are governing-body-approved algorithms implemented? Are encryption keys rotated regularly? Are advanced encryption products available to provide specified, privileged users access to encrypted data fields while keeping those fields encrypted for all remaining users?
- Has the SaaS provider passed national and/or international compliance audits to host sensitive data, e.g. Payment Card Industry (PCI) information, personal data or Personally Identifiable Information (PII)? If so, audit results can be requested as a way to verify controls are in place. Data center-specific assessment results also can be obtained for analysis and verification. If providing services in the European Union, has the provider addressed the impending requirements of the General Data Protection Regulation?
- What data backup and replication approaches and locations are in use? In some cases, SaaS vendors will replicate client data to multiple data centers to maintain failover or high availability. Replication may also occur across geographically-dispersed locations, even across national borders. SaaS clients should seek to understand the legal jurisdictions and locations in which copies of their data would reside.
- For government clients, does the provider have a relevant certification or authority to operate (ATO), e.g., a FedRAMP ATO for U.S. government agencies or G-Cloud certification for the UK government?
- Does the SaaS provider use agent-based services that provide less invasive access from the client network?
- Does the provider use secure SaaS software development and product engineering to ensure security is considered in the SaaS product development lifecycle?
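The TLS question above is one a client can verify from its own side rather than take on trust. The following is an added example, not code from the original post or from CGI: it builds a client-side TLS context that refuses anything below TLS 1.2, evaluates a negotiated protocol version against that floor, and (when run against a live host) records the version and cipher suite the provider actually negotiated. The minimum version and the host name are assumptions chosen for illustration.

```python
import socket
import ssl

# Policy floor assumed for this example: nothing older than TLS 1.2 is acceptable.
MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Map the strings returned by SSLSocket.version() onto the ssl.TLSVersion enum
# so versions can be compared numerically; anything not listed is rejected.
_VERSION_BY_NAME = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def hardened_client_context(min_version=MIN_VERSION):
    """Client context that enforces the version floor and full certificate checks."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def version_is_acceptable(negotiated, min_version=MIN_VERSION):
    """True when the negotiated protocol name meets or exceeds the policy floor.

    Unknown or legacy names (e.g. 'SSLv3') are never acceptable.
    """
    version = _VERSION_BY_NAME.get(negotiated)
    return version is not None and version >= min_version


def probe_tls(host, port=443, timeout=5.0):
    """Connect to a provider endpoint and report what was negotiated.

    Because the context already sets a minimum version, a provider that only
    offers TLS 1.0/1.1 fails the handshake here; a successful result reports
    the version and cipher so they can be recorded as audit evidence.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            negotiated = tls.version()
            cipher_name, _, key_bits = tls.cipher()
            return {
                "host": host,
                "version": negotiated,
                "cipher": cipher_name,
                "key_bits": key_bits,
                "acceptable": version_is_acceptable(negotiated),
            }


if __name__ == "__main__":
    # Hypothetical provider endpoint; replace with the SaaS host under review.
    print(probe_tls("saas.example.com"))
```

Running the probe against a provider that still accepts TLS 1.0 or 1.1 from other clients does not by itself prove those versions are disabled; it proves only that this client's floor was honoured. Pairing the result with the provider's written policy (and, where offered, a server-side scan report) closes that gap.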
SaaS clients also may wish to engage their provider’s security team to learn the details about the management, operational and technical security controls they employ to protect client data.
But there also are things SaaS clients themselves can do on their side of the house, such as outbound firewall filtering that restricts access from internal networks to just the IP addresses required to provide the SaaS services, or restricting access to SaaS services to only a subset of internal IPs. SaaS clients also can implement role-based access control to SaaS services and use multi-factor authentication to ensure the integrity of access.
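The two client-side firewall measures just described (only the provider's published ranges are reachable, and only from a designated internal subnet) can be expressed as a single egress policy that is both rendered into firewall rules and used to audit flow records. The following is an added example, not code from the original post or from CGI; the provider address ranges, internal subnets and flow log lines are all constructed sample values.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), standing in for
# the address ranges a SaaS provider publishes for its service endpoints.
SAAS_PROVIDER_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]
# Constructed: the only internal subnet permitted to reach the SaaS service.
PERMITTED_SOURCE_SUBNETS = ["10.20.0.0/16"]
SAAS_PORT = 443


class SaasEgressPolicy:
    """Allow a flow only if its source is a permitted internal subnet AND its
    destination is a published provider range AND it uses the service port."""

    def __init__(self, saas_ranges, permitted_sources, port=SAAS_PORT):
        self.saas = [ipaddress.ip_network(n) for n in saas_ranges]
        self.sources = [ipaddress.ip_network(n) for n in permitted_sources]
        self.port = port

    def allows(self, src, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return (
            dport == self.port
            and any(s in net for net in self.sources)
            and any(d in net for net in self.saas)
        )

    def nftables_rules(self):
        """Render the policy as nftables rules for a dedicated egress chain.

        Accept rules cover each permitted (source, destination) pair; the
        final rule drops any other traffic aimed at the provider ranges, so
        hosts outside the permitted subnet cannot reach the service.
        """
        rules = [
            f"ip saddr {src} ip daddr {dst} tcp dport {self.port} accept"
            for src in self.sources
            for dst in self.saas
        ]
        rules.append(
            "ip daddr { " + ", ".join(str(n) for n in self.saas) + " } drop"
        )
        return rules

    def audit(self, flow_lines):
        """Return (src, dst, dport) tuples from flow records the policy denies.

        Each record is 'src dst dport' separated by whitespace, the shape
        assumed for a simple flow-log export; malformed lines are skipped.
        """
        denied = []
        for line in flow_lines:
            parts = line.split()
            if len(parts) != 3 or not parts[2].isdigit():
                continue
            src, dst, dport = parts[0], parts[1], int(parts[2])
            if not self.allows(src, dst, dport):
                denied.append((src, dst, dport))
        return denied


# Constructed flow records: one allowed, one from a non-permitted subnet,
# one to an address outside the provider's ranges, one on the wrong port.
SAMPLE_FLOWS = [
    "10.20.4.17 203.0.113.45 443",
    "10.99.1.8 203.0.113.45 443",
    "10.20.4.17 192.0.2.10 443",
    "10.20.4.17 198.51.100.20 80",
]

if __name__ == "__main__":
    policy = SaasEgressPolicy(SAAS_PROVIDER_RANGES, PERMITTED_SOURCE_SUBNETS)
    print("\n".join(policy.nftables_rules()))
    for flow in policy.audit(SAMPLE_FLOWS):
        print("denied:", flow)
```

The rendered rules are a starting point for the firewall team rather than a drop-in ruleset: they belong in whatever egress chain the organisation already maintains, and the provider's published ranges change over time, so the allowlist needs the same change-control as any other perimeter rule.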
CGI can help organizations with assessing the security of their SaaS environments and evaluating proxy or tokenization technology. Our services are offered as part of our hybrid IT management suite, CGI Unify360. We continually evaluate new security technologies to provide additional layers of confidentiality for data being processed or stored. Such technologies are especially relevant for our clients whose data would be stored in a cloud or by a SaaS provider incorporated in a country other than their own.
For further reading on cloud security, I invite you to read my colleague Paul Douthit’s recent blog on the topic of “lessons learned in securing clouds and achieving compliance objectives.”
About this author
Director of Cloud Security, CGI Federal
As Director of Cloud Security in CGI Federal’s Emerging Technologies Practice, John focuses on securing hybrid IT/cloud systems and managing client transitions to cloud environments. He has 15+ years of experience in cybersecurity management, with an extensive background in data center security, PII data security, ...