SaaS - good practices in the area of data security. Guide

We examine the most popular threats associated with tools operating in the SaaS (Software as a Service) model and suggest how to avoid them.


Summary

  • Technological advancements are driving the digital transformation of global businesses, making digitization essential for long-term competitiveness.
  • Software as a Service (SaaS) solutions are increasingly popular due to their flexibility and scalability, with most basic work tools based on this model.
  • Modern companies use an average of eighty SaaS applications, which make up 70% of all software they use; that share is expected to rise to 85% by 2025.
  • The SaaS industry has grown by 500% over the past seven years, now worth nearly $200 billion.
  • However, the rise of cloud services has led to an increase in digital threats, with 55% of organizations using SaaS tools experiencing data breaches in the past two years.
  • Cloud systems are vulnerable to various security threats, including improper security configurations, internal threats from users, inadequate monitoring of cloud traffic, and non-compliance with regulations.
  • To minimize these threats, proper authentication of access, data encryption, strict access control, and clear data storage and deletion policies are crucial.
  • Regular security configurations, system updates, and data backups are essential to mitigate risks such as server room destruction or massive system failure.
  • Security and risk management is an ongoing process, requiring coordinated efforts over time, involving various IT and business roles.
  • Addressing security at the application development stage can save time on later modernizations and mitigate the effects of a successful attack.

SaaS – cloud services as the basis of modern business

Changes in the world driven by rapid technological development increasingly force the digital transformation of the global business environment. Digitization of operations has become not so much a trend as a necessity, allowing companies to stay competitive in the market in the long term. In this context, the growing popularity of SaaS (Software as a Service) solutions, which thanks to their flexibility and scalability have become the basis of modern business operations, should not be surprising.

According to Gartner's definition, SaaS is a service model based on cloud computing that gives customers remote access to applications from any device with the appropriate software. Importantly, customers have very limited control over these applications: their administration, and the supervision of the underlying infrastructure including networks, servers and operating systems, are handled by external entities.

Currently, almost all basic tools used at work are based on the SaaS model: email (e.g. Outlook, Gmail), cloud file storage (Dropbox, Google Drive), messaging apps (Slack, Teams), project management platforms (Monday, Trello) and many others.

The ubiquity of such tools is also confirmed by statistics. According to the BetterCloud report, modern companies use an average of eighty SaaS applications, which constitutes 70% of all software used in a given organization. According to forecasts, by 2025 this percentage will increase to 85%. At the same time, over the past seven years the entire SaaS industry has grown by 500% and is now worth nearly 200 billion dollars. The problem is that, alongside cloud services, the digital threats associated with them are growing as well.

SaaS – the most popular threats related to cybersecurity

According to the Annual SaaS Security Survey Report, over the past two years 55% of surveyed organizations using SaaS tools have experienced data breach incidents. At the same time, 58% of entities estimate that their current security solutions cover only half or fewer of their applications, and 7% of companies have no threat monitoring at all.

These are disturbing statistics. Due to the nature of tools in the SaaS model, responsibility for their security rests with both parties involved: mainly with the service providers, but to some extent also with the customers. For the latter, this is still a serious challenge.

– The transformation to the cloud brings not only measurable business benefits, but also risks. As many as 73% of [Polish] small and medium-sized enterprises declare that security is a key challenge for them during implementation and daily use of this solution - points out Beniamin Szczepankiewicz, an analyst at the ESET antivirus laboratory.

In his opinion, the first step towards safe use of services in the SaaS model is therefore awareness of the existence of specific threats associated with these technologies and understanding their nature. The most common problems include:

  • Improper security configurations and lack of regular patches, which expose cloud systems to attacks using malicious software. According to OWASP (Open Web Application Security Project) data, lack of proper security configuration is the most common problem in SaaS tools.
  • Cross-site scripting (XSS). These are attacks in which malicious script is injected into the content of a page; when the page is displayed to other users, the script can make them perform unwanted actions and, as a result, lead to data leakage.
  • Internal threats from users themselves. Negligence or malice on the part of employees of a given organization can accidentally or deliberately lead to the disclosure of internal company information. Employees themselves can also fall victim to phishing, a fraud method in which the criminal impersonates another person or institution in order to extract confidential information, such as passwords.
  • Inadequate monitoring of cloud traffic, which significantly delays or completely prevents the detection of unauthorized or malicious activities in the system.
  • Too much dispersion of systems, platforms and providers, which prevents the implementation of a uniform security policy and hinders communication between clients and platform administrators.
  • Excessive complexity of systems tailored to specific customer needs. Excessive customization increases the likelihood of errors and unexpected security gaps.
  • Lack of compliance with GDPR, HIPAA or PCI-DSS regulations, which can expose users and providers to legal and financial penalties. These regulations most often include the above-mentioned requirements for data protection, conducting audits and implementing security tests.
  • Excessive trust in the cloud provider, who, contrary to appearances, does not have to be the only entity responsible for security. It is also possible to operate in a shared responsibility model, and investments in this area can prove to be extremely beneficial in the long run.
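The XSS item above describes the attack only in outline. The following added example (not code from the original article) shows the defect and its fix on the server side of a hypothetical SaaS page that displays comments from other users: the vulnerable renderer interpolates untrusted input directly into markup, while the hardened renderer output-encodes it so the browser treats it as text. The sample comment is constructed for the demonstration; the tag-counting helper is only a way to make the difference checkable in a test, not a real XSS detector.

```python
import html
import re

# Constructed sample input: a comment another tenant user submitted to a shared page.
# It carries an event-handler payload of the kind that, if rendered as markup,
# would run in every viewer's browser (stored XSS).
USER_COMMENT = '<img src=x onerror="alert(document.cookie)">Nice work!'

# Matches opening or closing tags and captures the element name.
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def render_comment_vulnerable(comment: str) -> str:
    """Defect: untrusted text is placed straight into the HTML document.

    Any '<', '>' or quote characters in the input become markup, so the
    attacker controls what the viewer's browser parses and executes.
    """
    return f'<div class="comment">{comment}</div>'


def render_comment_escaped(comment: str) -> str:
    """Fix: HTML-encode the five significant characters (& < > " ').

    The browser then renders the input as literal text; no new elements or
    attributes can be created from it. Output encoding must happen at the
    point of rendering, in the context (HTML body here) where the data lands.
    """
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def element_names(fragment: str) -> list[str]:
    """Lists the element names the browser would parse from a fragment.

    Used here to show that the vulnerable output contains an extra <img>
    element that the escaped output does not; it is a demonstration aid,
    not a sanitiser.
    """
    return [m.group(1).lower() for m in TAG_RE.finditer(fragment)]


def csp_header() -> dict[str, str]:
    """Defence in depth: a Content-Security-Policy that blocks inline scripts.

    Assumed policy for the hypothetical page; it limits the damage of an
    escaping mistake rather than replacing output encoding.
    """
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}


if __name__ == "__main__":
    print("vulnerable:", render_comment_vulnerable(USER_COMMENT))
    print("escaped:   ", render_comment_escaped(USER_COMMENT))
    print("elements (vulnerable):", element_names(render_comment_vulnerable(USER_COMMENT)))
    print("elements (escaped):   ", element_names(render_comment_escaped(USER_COMMENT)))
```

The point of the two renderers side by side is that the input is identical; only the rendering step decides whether the viewer's browser sees a comment or executes a script. Template engines that auto-escape by default (and a restrictive CSP as a second layer) are the production form of the same idea.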

So how can we avoid the above problems or minimize their effects?

SaaS - good practices in the field of cybersecurity

Minimizing cyber threats associated with tools operating in the SaaS model starts with the absolute basics - proper authentication of access to the platform.

The standard should be so-called multi-factor authentication (MFA), which adds another layer of security to the usual password, for example in the form of login verification via another device linked to the account. In this way, MFA at least partially eliminates the problem of password theft and effectively delays attempts to obtain sensitive information from the system.

At the same time, it should be borne in mind that no environment is fully resistant to breaches. Therefore, a very important element of protection against threats should be data encryption, both at rest and in transit. Importantly, before choosing a software provider, you should establish to what extent it encrypts stored data and what types of authentication it supports. According to the McAfee report, the practices described above are not necessarily an industry standard.

The principle of limited trust should apply not only to suppliers, but also to the members of the organization itself. The level of access to individual information should be strictly linked to the role performed, and traffic within the platform - closely monitored in search of unplanned or suspicious activities.

In addition to a clear data storage policy, data deletion rules are also important. SaaS providers should clearly declare their practices in this area and include them in the service agreement. If justified, customer data should be programmatically deleted from servers after a certain period of time.

At the same time, remember to review security configurations regularly, keep systems updated and create data backups on a regular schedule. After all, random events can never be completely ruled out, for example the destruction of a server room or a massive system failure. For such situations, it is also worth preparing a checklist of security procedures to avoid panic, chaos and downtime in the organization's work.
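The practices above (access strictly tied to role, monitoring of traffic for unplanned activity, and programmatic deletion of customer data after a retention period) can be made concrete in a few lines of application code. The following example is added here and is not code from the article or from any product it mentions; the role matrix, user names, dates and retention period are all constructed for the demonstration. Access is denied by default, every decision is recorded, and the audit log feeds a simple detection that flags accounts that repeatedly ask for actions outside their role.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role/permission matrix: each role gets only the actions it needs
# (least privilege). Anything not listed is denied.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "viewer": {"document:read"},
    "editor": {"document:read", "document:write"},
    "admin": {"document:read", "document:write", "document:delete", "user:manage"},
}


@dataclass
class AuditEvent:
    at: datetime
    user: str
    action: str
    allowed: bool


@dataclass
class AccessControl:
    """Role-based authorization with an audit trail of every decision."""

    user_roles: dict[str, str]
    audit_log: list[AuditEvent] = field(default_factory=list)

    def is_allowed(self, user: str, action: str) -> bool:
        # Unknown user or unknown role resolves to an empty permission set:
        # deny by default rather than guess.
        role = self.user_roles.get(user)
        return action in ROLE_PERMISSIONS.get(role, set())

    def authorize(self, user: str, action: str, now: datetime | None = None) -> bool:
        allowed = self.is_allowed(user, action)
        self.audit_log.append(AuditEvent(now or datetime.now(timezone.utc), user, action, allowed))
        return allowed


def denied_attempts_by_user(audit_log: list[AuditEvent], threshold: int) -> dict[str, int]:
    """Monitoring step: users whose denied attempts reach the threshold.

    Repeated requests for actions outside one's role are the 'unplanned or
    suspicious activity' that traffic monitoring should surface for review.
    """
    counts: dict[str, int] = {}
    for event in audit_log:
        if not event.allowed:
            counts[event.user] = counts.get(event.user, 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


@dataclass
class StoredRecord:
    record_id: str
    owner: str
    created_at: datetime


def purge_expired(records: list[StoredRecord], retention: timedelta, now: datetime
                  ) -> tuple[list[StoredRecord], list[StoredRecord]]:
    """Retention step: split records into (kept, purged) by age.

    Records older than the agreed retention period are returned for deletion;
    the caller performs the actual removal so the decision is testable on its own.
    """
    cutoff = now - retention
    kept = [r for r in records if r.created_at >= cutoff]
    purged = [r for r in records if r.created_at < cutoff]
    return kept, purged


if __name__ == "__main__":
    # Constructed walk-through of the three practices together.
    ac = AccessControl(user_roles={"alice": "viewer", "bob": "editor"})
    for user, action in [("alice", "document:read"), ("alice", "document:delete"),
                         ("alice", "user:manage"), ("bob", "document:write"),
                         ("mallory", "document:read")]:
        print(f"{user:8} {action:16} -> {'allow' if ac.authorize(user, action) else 'DENY'}")
    print("flagged for review:", denied_attempts_by_user(ac.audit_log, threshold=2))

    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    records = [StoredRecord("r1", "alice", now - timedelta(days=10)),
               StoredRecord("r2", "bob", now - timedelta(days=400))]
    kept, purged = purge_expired(records, timedelta(days=365), now)
    print("kept:", [r.record_id for r in kept], "purged:", [r.record_id for r in purged])
```

Two design choices carry the security point: the permission lookup falls back to an empty set, so a misspelled role or an unprovisioned user gets nothing rather than something; and the audit log records denials as well as grants, because denials are what a monitoring rule needs in order to notice an account probing beyond its role.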

- Security and risk management is not a one-time action that can only take place at the infrastructure or application implementation level - says Bartłomiej Anszperger, Solution Engineering Manager at F5 in Poland.

- Comprehensive and consistent protection requires rather many coordinated efforts undertaken over time and covering various IT and business roles. Dealing with security at the application development stage saves time that would have to be spent on later modernizations, not to mention mitigating the effects when an attack is successful - he summarizes.