How to Use SaaS Providers Securely

Corporate credit cards fund millions of SaaS (Software as a Service) accounts, many outside the purview of IT and their security policies. But SaaS vendors will cooperate with your security policies when approached properly.

After entering the lexicon as a little-understood geek acronym a few years ago, SaaS is fast gaining popularity as a cost-effective way for companies to support their computing infrastructure.

In the software-as-a-service model, companies outsource many of their IT functions to third-party providers, who then charge for use on an “as a service” basis via the cloud. The lure is obvious: SaaS apps don’t require long-term software licenses, and deployment times are short. What’s more, beyond an Internet connection, a company doesn’t need to devote any extra internal IT computing resources.

But as with nearly every big tech transition, the move to the cloud has been accompanied by concerns about the regulatory, data protection, and security aspects of entrusting data to SaaS providers. With corporate department credit cards now funding SaaS accounts, many of them outside of IT’s direct oversight, the obvious bottom-line question arises: Do you have full confidence in the provider’s security capabilities? From the perspective of a company’s Chief Security Officer, the lack of visibility into who’s accessing your data and applications is reason enough for worry, especially if the providers fail to comply with security best practices and compliance standards.

This need not turn into a reason for losing sleep. In fact, many SaaS providers are quite transparent about their security capabilities and incorporate required industry certifications, such as SSAE 16 or FISMA. But any move to SaaS ought to include a vetting of the SaaS vendor’s overall policies to ensure that they follow best practices.

Due diligence

Find out how the provider protects the information being moved into a SaaS application. Do they satisfy your security and regulatory requirements, and are they up to the task of managing credit card processing and credit card account storage? The due diligence process ought to review the protections offered by the SaaS provider, as these are likely to vary from one provider to another. You can engage an external Qualified Security Assessor to take on the task.

Network and application security

Any good SaaS application provider is going to host their infrastructure within data centers that follow best physical security practices. They ought to use several layers of controls to reduce the potential damage in the event a single layer suffers a security breach. Make sure that the network environment hosting your applications and data is protected by a series of firewalls and monitoring tools, along with two-factor authentication so that only authorized personnel can gain remote access. A good SaaS provider will run host-based intrusion detection on its hosts to monitor activity and report on potentially malicious or unusual behavior. When it comes to application security, make sure that your provider uses HTTPS encryption for inbound and outbound data, as well as an application firewall to spot attacks against security vulnerabilities.

Location, location, location

The advantage of SaaS is that you don’t need to host the data on premises. But you’ll still want to know where it resides, as data and virtual machines can zip around the globe for load balancing or other reasons. SaaS providers should be willing to enter into contractual obligations that specify data residency requirements. Depending on industry regulations, you might need to restrict data storage to a certain region and thus keep the data in a specified data center.

Charles Cooper is an independent writer who has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.
