SaaS security checklist – three points to get you started

The security of your SaaS cloud solutions starts with the review of three major areas. Practically all companies are using SaaS providers in one way or another.

SaaS includes services such as Trello for project management, Microsoft 365, and specialized solutions such as marketing intelligence services. The sky is the limit. Most companies are using hundreds of SaaS solutions.

Maturity match

The first thing to worry about is if the maturity of the provider matches your risk appetite. Are they good enough for your use case?

If you are working with a mission-critical SaaS solution, you want to make sure that the provider is mature. You can start finding out if that is the case by looking at their certifications. An example could be the ISO 27000 series certification for IT risk management, or similar. Most mature cloud providers have dozens of certifications. On the other end of the spectrum, you may want to work with a provider that is not so mature, but that is delivering a very innovative solution of great business benefit to your company. That benefit, that competitive edge, may warrant a greater risk appetite.

So start with that maturity match first.

Security features

The next thing to look at is if the offering that you are considering has the right security features for you. The first set of security features to look at is identity and access management, and logging. Your first question here is: are the features we need a part of the offering? Office suites, such as Microsoft 365 and Google Workspace, have features such as data leakage prevention and real-time logging. The next question then becomes: are we procuring those features? The features that you require might be in a different package than you are considering. And enterprise features often have enterprise pricing.

Using security

Finally, an important thing to look at in considering SaaS security is your usage of the security features. It does not make much sense to allow all users access to everything, or to have log files that nobody is looking at. More specifically, a product such as Microsoft Teams has over 1000 settings that have an impact on the security of the solution (I had a bunch of students work through this). It is very easy to not use the right features.

Of course, there is much more to cloud and SaaS security than this. But the three main points to start with are the maturity of the provider, the set of security features they are offering, and your internal usage of those features.

Check out ‘Understanding CCSK’ for more information on cloud security, or consider cloud security training.