Security Considerations for Software as a Service
With Software as a Service (SaaS) solutions, the security options that you can control may be only at the application level. In a Public Cloud scenario, this requires a high degree of trust in the cloud vendor, because they have complete control of the infrastructure and platform layers. As well as their reputation and track record, you should assess the processes they have in place to provide security. When performing due diligence, you should also assess whether they can provide network security in addition to application and data security.
While network security is not typically considered a part of SaaS, there is no reason it cannot be implemented in addition to the application-specific controls included in the SaaS solution. You should be absolutely clear about where security responsibilities lie, and you should use SLAs and contracts to define exactly which security responsibilities belong to the cloud vendor and which belong to the customer.
Another factor with Public Cloud-based SaaS solutions is app stores. The cloud vendor might only offer their own applications in their app store, but increasingly app stores act as shop fronts for many SaaS application vendors. It is possible for malware to be posted to an app store, and indeed in the cell phone arena the Google Android app store had exactly this problem in the past. What processes does the cloud vendor have in place to test the apps in the app store? Do you trust the app vendor as well as the cloud vendor?
If you are deploying your own SaaS software in the Public Cloud, you should assume that it will be scanned by hackers looking for vulnerabilities. Threats such as SQL injection are well known and straightforward to exploit, but, if security guidelines are followed when developing applications, they are also straightforward to prevent.
In the Private Cloud, the threats are different, but not removed. With the absence of app stores, there is less threat of malware from outside the company; however, poorly written apps can be just as damaging as malicious code. The private network should be treated with the same level of scrutiny as the Internet, and in addition to well-written, well-tested and secure Private Cloud SaaS solutions, you should have proven, well-tested network and data security.
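As an added illustration that is not part of the original page, the following Python script contrasts a lookup that splices untrusted input into the SQL text with the parameterised form that the guidelines above call for; the SQLite table, tenant names and inputs are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a SaaS tenant user store.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, tenant TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, tenant) VALUES (?, ?)",
        [("alice", "contoso"), ("bob", "contoso"), ("carol", "fabrikam")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Deliberately vulnerable: the untrusted value becomes part of the SQL text,
    # so a quote character in the input changes the structure of the query.
    sql = f"SELECT username, tenant FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Hardened: a bound parameter is always treated as data, never as SQL,
    # so the same input is matched literally against the column.
    sql = "SELECT username, tenant FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    # Runs both variants over a benign input and a classic tautology input
    # and returns the four result sets so they can be compared.
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # the quote closes the literal in the vulnerable query
    return {
        "vuln_benign": find_user_vulnerable(conn, benign),
        "vuln_hostile": find_user_vulnerable(conn, hostile),
        "safe_benign": find_user_safe(conn, benign),
        "safe_hostile": find_user_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable variant returns every row in the table for the hostile input, while the parameterised variant returns nothing, which is the behaviour a code review or test suite should assert on.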
Storage and Data
Please review the Cloud Storage section on the IaaS page.
Although SaaS is not directly concerned with storage, you should ensure that data is encrypted as it travels across the Internet, and if the data is stored at a Public Cloud vendor's facility you should investigate their storage encryption mechanisms and their overall storage architecture. Specialist storage vendors typically store the data of all customers together, so the risk of your data being accessed by another customer of the same cloud vendor can be high. To avoid this risk, you should encrypt all data stored in the public cloud and store sensitive data on private systems.
Client Security
As well as the SaaS software itself, you should also consider browser vulnerabilities and compatibility. Browser updates should be deployed quickly, but should also be tested to ensure the SaaS software remains fully functional with them. Processes should be put in place to test, evaluate, and deploy critical browser updates.
ARCHITECTURAL DESIGN EXAMPLE:
At Contoso, they are developing in-house SaaS solutions. They have decided to treat all networks with the same level of security as the Internet and send no sensitive data over any network without robust encryption. The Private Cloud SaaS solutions allow a move to cloud-based solutions, but because the data is kept in-house on Contoso's own servers, they have avoided data ownership uncertainties. Contoso is investigating several public cloud SaaS solutions because the payment processing system has substantial spikes in usage. This has required additional resources that remain unused for the majority of the time, which makes the pay-per-use model of many public cloud offerings very appealing. These solutions will integrate with the in-house SaaS systems and result in cost savings, but without moving data to the public cloud. In the long term, as trust levels increase, Contoso may look at moving more systems to the public cloud.