Peter HJ van Eijk

Simple And Recommended SaaS Security Tips

SaaS Security Tips

Most people and companies now use a significant number of SaaS solutions. Companies run their sales support software, file sharing, collaboration tools and e-mail in the cloud, and a lot more. That usage, however, raises concerns about the security of those solutions. How safe are they? What risks do we run?

Here are a couple of tips to increase the security of SaaS applications.


By far the biggest risks of using SaaS are leaking data and losing control. The top ways to control these risks are simple: watch your passwords, and know how to survive a cloud provider exit. If you look at the famous data breaches of the past year, of which the iCloud celebrity hack is probably the best known, you will see that most were caused by weak passwords and weak password-reset questions.

Improving the protection that passwords offer is often fairly easy. Security experts recommend so-called two-factor (or two-step) authentication: you prove your identity at login in more than one way, typically something you know (the password) combined with something you have (a security token, dongle or phone) or something you are (a fingerprint).

This used to be inconvenient for the user, but in the past few years a number of usable schemes have been developed. It does not have to be a daily hassle, and you don't have to fear being locked out.

For example, you can configure your Dropbox account to ask for an SMS confirmation code when you sign in from a computer you have not used before. Check it out: they have thought this through well, and there is absolutely no excuse not to use it. You will find it under Account -> Settings -> Security. One caveat: SMS is the most convenient second factor but also the weakest, because a phone number can be taken over, so where a service offers an authenticator app or a hardware key, prefer that.

Gmail too allows you to set up security in this way and, once set up, it will alert you to suspicious activity on your account. Like Dropbox, the easiest option is to use your mobile phone, but they also support other methods, such as printable backup codes, so there is no need to worry about losing your phone. Other SaaS services that you use may have some of these features as well.

Go explore…

The Administrator


If you are the administrator of a cloud service for your company, this is even more important, because you will be the prime target of any attacker. As a cloud service administrator there are a few other basic things to do. If feasible, first create a secondary administrator account for day-to-day work and keep the original one for emergencies. If the day-to-day account gets compromised, you still have the first account to fall back on. Protect that fallback account at least as well (two-factor authentication, credentials stored offline), or it is simply a second target.

Another basic administrator task is hygiene of your user list. Regularly review whether users are still active in your company or project, and that they have no more rights than they need. (In larger organizations this is better done through identity federation, so you do not have to do it service by service.) As an administrator, you do not want former employees or contractors to still have access to your systems.
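The review above is easy to do by hand for ten users and easy to skip for a hundred. As an added example, not part of the original article or of any particular SaaS product, the following script performs that review over a user export. It assumes a hypothetical admin-console CSV with columns `email,role,last_login` and an HR-supplied list of who is still with the organization; both inputs are constructed inline. It sorts accounts into leavers to remove, dormant accounts to question, and privileged accounts to compare against who actually needs those rights.

```python
"""Access review over a SaaS user export.

Added example, not from the article. Hypothetical inputs: the SaaS admin
console exports users as CSV with columns email,role,last_login (ISO date,
blank if the user never signed in), and HR supplies the set of people who
are still with the company or project. Both are constructed below.
"""
import csv
import io
from datetime import date

# Constructed sample export; in practice this is the CSV from the admin console.
USER_EXPORT = """email,role,last_login
alice@example.com,owner,2018-05-20
bob@example.com,admin,2018-01-03
carol@example.com,editor,
dave@example.com,admin,2018-05-19
erin@example.com,viewer,2018-05-18
frank@example.com,editor,2017-11-30
grace@example.com,editor,2018-01-15
"""

# Constructed list, from HR, of who is currently employed or engaged.
ACTIVE_STAFF = {
    "alice@example.com", "carol@example.com", "dave@example.com",
    "erin@example.com", "grace@example.com",
}

PRIVILEGED_ROLES = {"owner", "admin"}
REVIEW_DATE = date(2018, 5, 21)   # the day the review is run (fixed for the demo)


def review_users(export_csv, active_staff, today, inactive_days=90):
    """Sort every account into what the administrator should do about it.

    Returns a dict with:
      remove     - accounts whose owner is no longer with the organization
      inactive   - (email, days_since_login or None) for dormant accounts
      privileged - active accounts holding owner/admin rights, to be checked
                   against the people who actually need them
    """
    remove, inactive, privileged = [], [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        email = row["email"].strip().lower()
        role = row["role"].strip().lower()
        if email not in active_staff:
            remove.append(email)             # leaver: access goes, whatever the role
            continue
        last_login = row["last_login"].strip()
        if not last_login:
            inactive.append((email, None))   # provisioned but never used
        else:
            days = (today - date.fromisoformat(last_login)).days
            if days > inactive_days:
                inactive.append((email, days))
        if role in PRIVILEGED_ROLES:
            privileged.append(email)
    return {
        "remove": sorted(remove),
        "inactive": inactive,
        "privileged": sorted(privileged),
    }


if __name__ == "__main__":
    report = review_users(USER_EXPORT, ACTIVE_STAFF, REVIEW_DATE)
    for action, items in report.items():
        print(f"{action}:")
        for item in items:
            print(f"  {item}")
```

Run it after every joiner/leaver cycle and before every renewal of the subscription; the HR list is the source of truth, not the service's own user list, which is exactly the thing being checked.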

Access Level


I ran into a simple example the other day on a Google Docs document. It was not mine, but I had full editing access. The person who shared it with me did not need to give me this level of access. It would have been much better just to give me Comment or Review access.

Losing the provider, or the data stored on the service, is the other big risk. Preparing for losing all your data also protects you against losing some of it. There are many reasons why a provider may stop serving you: technological hiccups, a disaster, going out of business, or taking the product in a direction you don't like. In all cases it makes sense to have an exit plan, or plan B, such as a plan to move to a different provider.

Backup Is Your Friend

If you don’t have an exit plan, you are basically saying that you accept the risk of losing the data that is with that provider, and the capability to use that data. This can be a valid decision. I am not that interested in my Doodle archive, for example, so backing it up is not a big concern. At its most basic, an exit plan describes how your most valuable data is stored in a secondary place. For example, my Gmail mail archive is also stored on my laptop, as it is automatically downloaded by Outlook, my mail program. I have not spent much time thinking about changing my mail provider. However, because my mail and contacts are safely stored elsewhere, I am confident that a new provider will help me with the migration and that the process will be fairly simple.

For my customer management system I make regular copies of the entire customer database and contact details. Again, moving to a different provider would be a hassle, but not impossible. If your business really depends on it, you may want a cloud system on hot standby. However, this is rarely easy with SaaS, because no two SaaS providers are alike. You are better off first thinking about which data to save to a secure location. If and when you want to move, your functional requirements will have changed anyway, and there will probably be new SaaS providers by then.
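A copy you have never tried to read back is not a backup. As an added example (not the article's own set-up or any vendor's tool), the script below shows the minimum a regular export routine should do: write the exported records to a dated file, record a manifest with a SHA-256 checksum, record count and date, and on each run perform a restore test that re-reads the latest copy and reports a missing, corrupted or stale backup. The CRM export format and the sample contacts are hypothetical and constructed inline.

```python
"""Export, checksum and restore-test a SaaS data backup.

Added example, not from the article. Hypothetical set-up: the customer
management system exports contacts as JSON; write_backup() stores a dated
copy plus a manifest, and verify_backup() re-reads the latest copy the way
a restore would, so a damaged, missing or out-of-date backup is noticed
before the day it is needed. Sample records are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import date

# Constructed sample export from the (hypothetical) CRM.
SAMPLE_CONTACTS = [
    {"id": 1, "name": "Ada Example", "email": "ada@example.com"},
    {"id": 2, "name": "Bo Sample", "email": "bo@example.com"},
]


def write_backup(records, directory, when):
    """Write records to <directory>/contacts-<date>.json and record a manifest."""
    data = json.dumps(records, sort_keys=True, indent=2).encode("utf-8")
    filename = f"contacts-{when.isoformat()}.json"
    with open(os.path.join(directory, filename), "wb") as f:
        f.write(data)
    manifest = {
        "file": filename,
        "sha256": hashlib.sha256(data).hexdigest(),
        "records": len(records),
        "date": when.isoformat(),
    }
    with open(os.path.join(directory, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(directory, today, max_age_days=7):
    """Restore test. Returns (ok, problems): the backup must exist, match its
    checksum, parse back to the recorded number of records, and be recent."""
    problems = []
    try:
        with open(os.path.join(directory, "manifest.json"), encoding="utf-8") as f:
            manifest = json.load(f)
    except FileNotFoundError:
        return False, ["no manifest: no backup has ever been taken"]
    try:
        with open(os.path.join(directory, manifest["file"]), "rb") as f:
            data = f.read()
    except FileNotFoundError:
        return False, [f"backup file {manifest['file']} is missing"]
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        problems.append("checksum mismatch: file corrupted or altered")
    else:
        # Only trust the parse once the bytes are known to be intact.
        records = json.loads(data.decode("utf-8"))
        if len(records) != manifest["records"]:
            problems.append(f"expected {manifest['records']} records, restored {len(records)}")
    age = (today - date.fromisoformat(manifest["date"])).days
    if age > max_age_days:
        problems.append(f"backup is {age} days old (limit {max_age_days})")
    return not problems, problems


def demo():
    """Round trip in a temporary directory. Returns the verify results for a
    fresh backup, the same backup checked two weeks later, and a damaged copy."""
    taken = date(2018, 5, 14)
    with tempfile.TemporaryDirectory() as d:
        manifest = write_backup(SAMPLE_CONTACTS, d, taken)
        fresh = verify_backup(d, date(2018, 5, 16))
        stale = verify_backup(d, date(2018, 5, 30))
        with open(os.path.join(d, manifest["file"]), "ab") as f:
            f.write(b"\n")            # simulate a damaged file
        corrupt = verify_backup(d, date(2018, 5, 16))
    return fresh, stale, corrupt


if __name__ == "__main__":
    for label, result in zip(("fresh", "stale", "corrupt"), demo()):
        print(label, result)
```

Two practical notes: the backup is itself a full copy of your customer data, so the place it lands needs the same care as the service it came from; and schedule the verify step, not just the export, because a restore test that is never run finds nothing.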

For a deeper dive into cloud security issues and controls, have a look at the research that the Cloud Security Alliance is doing.

(Image Source: Shutterstock)


Peter HJ van Eijk

Peter HJ van Eijk develops and delivers cloud computing training programs. He has delivered these programs dozens of times in the US, Europe, Middle-East and Asia to a wide variety of participants.

He has worked for Deloitte Consulting, IT supplier EDS, internet providers, and at the University of Twente, where he received his PhD in 1988. He is a board member of the Dutch Cloud Security Alliance Chapter.

Peter is a certified trainer for CSA Certificate of Cloud Security Knowledge (CCSK), CompTIA Cloud Essentials, Virtualization Essentials and Cloud Technology Associate. He wrote these courses or contributed to them.
