SaaS security checklist: 6 steps to stay productive and safe in the cloud


It’s safe to say that 2022 wasn’t the year of SaaS security. Over a single week in March, Microsoft, Okta and HubSpot all announced having suffered data breaches. Microsoft was targeted by hacking group DEV-0537, HubSpot uncovered an employee account that was used to export contact data, and Okta was hit through a compromised subcontractor computer. MailChimp saw two data breaches over a four-month period, with one of them costing it a client.

Software-as-a-service, or SaaS, has transformed how businesses work and was pivotal to the Great Transition to remote work in 2020. By 2021, it had grown into a 165.9-billion-dollar global market, which is forecast to expand at a compound annual growth rate of 11% from 2022 to 2028. The rising adoption of public cloud services will remain a major driver behind this growth, with companies looking to slash costs and boost flexibility.

However, security concerns around moving data assets from companies’ internal networks to external ones can easily become a bottleneck to this goal. Adopters must make sure that their data is kept safe both in transit and at rest, mitigate the risk of employees using shadow applications, and minimize authorization gaps, among other things, all while ticking compliance boxes, from industry standards to international law.

In this article, we’ll explore what SaaS security means, why it matters and what you should consider when vetting and rolling out SaaS products to ensure maximum rewards and minimal risks.

Tackling data and application security: SaaS edition

Security in SaaS refers to the need for companies that move their data from in-house to vendor-hosted servers to address a key safety and privacy concern inherent in such environments: their data assets, including sensitive and business-critical information, are handed over to a third party whose security protocols and practices they have little to no control over.

SaaS security means making sure that no actor, malicious, unauthorized, or negligent, can trigger or exploit this vulnerability by setting up the right operational, compliance, and reporting safeguards.

This raises an important question: who is responsible for maintaining a secure SaaS – those who provide or those who use it? The short answer is ‘both.’ That said, the amount of responsibility each party assumes strongly depends on the type of cloud service used and the way the service provider chooses to implement it, the UK’s National Cyber Security Centre (NCSC) points out.

SaaS cybersecurity: 4 key SaaS security issues to look out for

1. Identity and access management

As illustrated by the security incidents mentioned at the beginning, the employees of a cloud service provider can easily become a liability for SaaS adopters, opening the door to new attack vectors, from brute-force to social engineering attacks.

2. Regulatory compliance

According to McKinsey’s Customer Perspectives on SaaS Survey, product compliance is a major CISO concern. Respondents said they’re often unsure if SaaS solutions actually meet their data protection compliance needs or providers just say they do.

3. Data protection

According to Moody’s Analytics, the solution provider’s methodology for preventing data breaches, primarily by using various methods for data encryption both at rest and in transit, is the single most important security practice for SaaS applications.

4. Misconfigurations

The more customized the SaaS application, the more complex the configuration for users – and the more exploitable the system is for hackers. Between 2018 and 2019, breaches caused by cloud misconfigurations cost businesses some $5 trillion worldwide.

SaaS cloud security checklist: 6 SaaS security best practices for new adopters

1. Check for recommendations from cybersecurity authorities

Browse both local and global cybersecurity organizations' resources for guidance on SaaS adoption. The NCSC, for example, has published comprehensive and in-depth guidelines on how to choose and deploy cloud services securely. Definitely go through their 14-point list of cloud security principles for organizations to gauge how well a cloud service is designed, built, and run – as well as security reviews of some of the most popular SaaS offerings out there.

2. Review data access controls and enforcement practices

Does the SaaS vendor have access to the data you store on its servers? The answer you’re looking to hear is ‘no.’ No cloud service provider should be able to read your data or provide ambiguous information on the steps they take to safeguard it. Also make sure to review all available security documentation on what precautions, policies, and practices the vendor has in place to ensure maximum protection and transparency in handling your data assets.

3. Map the flow and security of data across the SaaS servers

The first question to ask yourself here is what type of data will change hands when you use the SaaS solution. Beyond IP concerns, data processing regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) might severely impact the provider vetting process depending on the jurisdiction your business resides in – along with the people whose data it processes.

Next, explore the solution provider’s security posture – and don’t settle for less information than what you’d require about on-premise applications. These might cover available encryption methods, business continuity and disaster recovery plans, security track record, software development cycles and deployment pipelines, and any details you need to fully grasp the risk profile of both the cloud environment and the organization that supplies it.

This brings us to another key question to explore here: ‘Who will the service provider share your data with?’ Ideally, no one. But in reality, fourth-party access to your data can be legitimate and necessary, ISACA experts point out. Always ask your cloud vendors about potential supply chain dependencies, keep an eye on external applications integrated into your SaaS environment, and embrace the zero-trust approach to user and device access.

4. Run a legal review on compliance with applicable data protection laws

As we’ve already explained, SaaS compliance with data protection rules is a must. These include regulatory, privacy, and data protection requirements according to what space, industry, and geography your business operates in. Besides much buzzed-about data protection laws such as the GDPR and HIPAA, industry standards like the Payment Card Industry Data Security Standard (PCI DSS) also require companies to proactively secure personal information.

Confirm data residency and if you can change where your information is stored with the SaaS provider. An often-overlooked facet of data protection laws is what they say about where companies can store personal data. However, as cloud providers move and store data across borders and data centers, it’s imperative for users to keep abreast of applicable data residency requirements. For example, when EU residents’ personal data is transferred outside the bloc, the protection offered by the GDPR should travel with the data.

While we’re on the topic of GDPR: find out if you need a DPA to use the service. GDPR-bound businesses must have a data processing agreement, or DPA, in place with all their data processors. These agreements are key to GDPR compliance, as they define what data processors should, can, and cannot do with personal data in terms of how it’s stored, accessed, used, and kept safe. In other words, they demonstrate that data processors are able and willing to guarantee sufficient levels of protection for the data they’re trusted with.

5. Confirm compliance with relevant international standards

Check if the solution provider is ISO 27000-certified. ISO 27000 is a widely used family of standards that offers best practices to help organizations improve their information security as well as a systematic approach to risk management built around people, processes, and technology. While no badge of compliance can replace a comprehensive security review, standards like these do provide an added layer of confidence.

Does the vendor have SOC2 compliance? A must-have for complex environments with plugins or data flows across cloud providers, SOC2 is a certification and auditing process to assess a company’s controls pertaining to the security, availability, and processing integrity of the systems the service organization uses to process user data as well as the confidentiality and privacy of the information handled by these systems.

6. Run a security audit to uncover security blind spots

Perform a comprehensive cybersecurity audit to get a clear idea of your cloud attack surface. Examine at-rest and in-transit data security, review authentication options such as enterprise single sign-on (SSO) and multifactor authentication (MFA), and check the availability and sophistication of role-based access control mechanisms.

Also, never underestimate your users’ willingness to hack around a solution that isn’t straightforward and convenient to use. Evaluate if the security features offered by the SaaS solution fall into this category as well as the number of system administrators you’ll need to efficiently manage users and ensure a seamless experience.

SaaS encryption: how E2EE can boost cloud security

SaaS solutions that use end-to-end encryption, E2EE for short, are far more secure than those that don’t, and they eliminate several of the above SaaS security risks and concerns by design, such as:

  • Data access risk – E2EE means that no one but you can access the data stored on the provider’s servers. Should any of your encrypted information leak, it would still remain unreadable to unauthorized users, including malicious actors.
  • Compliance shortfalls – End-to-end encryption can significantly improve compliance in cases where data protection is required by law, such as the HIPAA for health records or by professional standards like the PCI DSS.
  • Breach notifications – Encrypted data is unintelligible to anyone without your encryption key. Thus, the GDPR’s 72-hour data breach notification rule does not apply, as no individual can possibly be identified from your encrypted content.

Tresorit: a no-stress, no-hassle way to SaaS data security

An end-to-end encrypted cloud storage and collaboration platform, Tresorit empowers you to:

  • Use end-to-end encryption to boost productivity and security: Exchange files securely with external collaborators, including clients and vendors, using encrypted links. Ultra-secure share links enable zero-knowledge, end-to-end encrypted document and folder sharing with anyone in just a few clicks or taps.
  • Prevent data breaches due to human error and malicious attacks: Apply policy templates, including 2-step verification, IP filtering, timeout policies, and sharing policies, to a set of users, create different policies for each template, and modify these policies at any moment through a single interface.
  • Keep access secure and limited: Manage files at a granular level, plus monitor and decide which devices are allowed to access which files within the organization and from where users are allowed to log in to their company account to safeguard critical data assets.
  • Ensure data confidentiality and integrity: The GDPR requires users to have a level of access to personal data that is strictly necessary for them to carry out their jobs. Use Tresorit’s permission settings to make sure that access to data is restricted on a need-to-know basis.

Sounds like a good fit for your business? See what else Tresorit has to offer.