Simple SaaS security tips

Most people and companies are now using a significant amount of SaaS solutions. Companies are running sales support software, file sharing, collaboration, e-mail and a lot more in the cloud.

But that usage also leads to concerns about the security of those solutions. How safe are they? What risks do we run?

Here are a couple of tips to increase the security of those applications.

The biggest risks to handle in using SaaS are leaking data and losing control. And the top way to control theses risks is simple: watch your passwords, and know how to survive a cloud provider exit.

If you look at famous data breaches in the past year, such as the i-Cloud celebrity hack, you will find out that most of them have to do with weak passwords and password reminders.

Improving the protection that passwords offer is often fairly easy. Security experts recommend using so-called two-factor authentication. This basically means that you use more than one way to prove your identity. Examples include security tokens or dongles, and fingerprint scanners.

This used to be inconvenient for the user, but in the past years a number of usable scenarios have been developed. It does not have to be a daily hassle, and you don’t have to fear being locked out.

For example, you can configure your Dropbox account to ask you for an SMS confirmation when you use it on a computer you have not used before. Check it out, they have really thought this out well, and there is absolutely no excuse to not use this. You will find it under Account -> Settings -> Security.

Gmail too allows you set up security like this, and once you have done this it will alert you of suspicious activity. Like with Dropbox, the easiest thing is to use your mobile phone, but they also support additional extra tools. No need to be scared if you lose your phone.

Other services that you use might have some of these features as well. Go explore.

If you are the administrator of a cloud service this is even more important because you will be the prime target of any hacker.

As a cloud service administrator there are a few other basic things to do too. If feasible you should first create a secondary administrator account to do day to day work with. If that account gets compromised, you will have the first account to fall back onto.

Another basic cloud service administrator task is to apply hygiene on your user list. Regularly review if the users are still active in your company or project, and that they don’t have more rights than they need to have. (In larger organizations this is better done by ‘identity federation’, so you don’t have to do this on a service by service basis.) You don’t really want former employees or contractors to still have access.

I ran into a simple example the other day on a Google Docs document. It was not mine, but I could totally edit it. They may have wanted to give me some access, but it would be better to give me “Comment” or “Review” access.

Losing the provider or the data that is stored at the service is the other big risk. And preparing for losing all your data can also protect you against losing some of your data.

There are so many reasons why a provider may stop servicing you. They could have a hiccup, they could suffer from a disaster, they could go out of business, or they go in a direction that you don’t like. In all cases it makes sense to have an ‘exit plan’ or ‘plan B’: a plan to move to a different provider.

If you don’t have an exit plan, you are basically saying that you accept the risk of losing the data that is at that provider and the capability to use that data. This could be a valid decision. I am not that interested in my Doodle archive, for example, so making a backup of that is not a big concern.

At its most basic, an exit plan describes how your most valuable data is stored in a secondary place. For example, my Gmail mail archive is also on my laptop as it is automatically downloaded by my mail program. Moving to a new mail provider, should I want to get away from Gmail, is not something I have spend much time thinking on, but with the mail and contacts safely stored elsewhere I am confident that a new provider will help me do that migration.

For my customer management system I make regular copies of the entire customer database and contact details. Again, moving to a different provider will be a hassle, but not impossible.

If your business really depends on it, you may want to have a cloud system on ‘hot standby’. However, most of the times, this is not very easy with SaaS, because no two SaaS providers are alike.  You are better off to first think about which data to save to a secure location. If and when you want to move, your functional requirements will have changed anyway, and there are likely to be new SaaS providers as well.

For a deeper dive into cloud security issues and controls, have a look at the research that the Cloud Security Alliance is doing.

Leave a Reply