I’ve recently been thinking about how much more effortless and affordable it has become for users to add a new cloud-based application to their tech stack than traditional on-premises software. Software-as-a-service (SaaS) providers have freed users from software and hardware management while taking care of the system’s security. But can we rest assured of a vendor’s approach to cybersecurity?
This article will compare the SaaS and on-premises software distribution approaches, discuss the main security concerns bothering SaaS users and explore possible ways of avoiding and handling these issues.
What Is SaaS?
SaaS is a cloud-based software distribution approach in which customers buy or access applications via the internet, mainly with a web browser. A provider manages hardware, middleware and the application software, ensuring the solution works as intended.
SaaS has become very popular among individuals and companies. Let’s look at how SaaS works and compare it to on-premises delivery to understand why it became widespread.
• Effortless scaling. SaaS users can scale up and down resources (storage space, computing power, functionality) to meet their changing needs. In the case of an on-premises system, one must buy additional hardware and modify the underlying infrastructure to enable it to handle an increased workload.
• Fast implementation. Those who choose SaaS only need to sign up, choose a subscription, create user accounts for team members and wait until they log in to get started. It takes more time and effort to implement an on-premises solution.
• No initial setup and maintenance costs. Cloud-based solution customers don’t need to invest in IT infrastructure, buy software licenses for every user or hire staff to maintain and support the application.
• Easy upgrade and maintenance. The vendor ensures the solution’s stability, availability and security. It also updates it simultaneously for all users without negatively influencing their operations (there is usually one software version). In contrast, updating on-premises software requires prior testing to determine whether a new version is compatible with end-user devices and whether those devices are secure.
The way SaaS solutions work and how end-users access them may pose security risks. Let’s discuss them in more detail.
App And Data Access Leak
Using cloud-based applications that aren’t a part of an organization’s infrastructure entails the risk of individuals without permission using an application and accessing its data. The thing is, SaaS doesn’t necessarily provide role-based access control (RBAC) or attribute-based access control (ABAC).
So, my advice is to check whether an application has role-based and/or attribute-based access control. A solution may have access management that can be synchronized with your corporate access control system (if you have one). Otherwise, going with a custom on-premises solution that complies with your data security requirements is the best option.
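To make the RBAC/ABAC distinction concrete, here is an added example (not code from the original article or from any SaaS product) of a deny-by-default authorization check: a role must grant the requested action, and every attribute policy must also pass. The roles, departments, clearance levels and sample users are constructed for illustration.

```python
from dataclasses import dataclass

# RBAC: each role maps to the set of actions it grants (constructed sample roles).
ROLE_PERMISSIONS = {
    "viewer": {"document:read"},
    "editor": {"document:read", "document:write"},
    "admin": {"document:read", "document:write", "document:delete"},
}


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset
    department: str
    clearance: int  # 0 = lowest, 3 = highest


@dataclass(frozen=True)
class Resource:
    owner_id: str
    owner_department: str
    classification: int  # 0 = public ... 3 = restricted


def rbac_allows(subject: Subject, action: str) -> bool:
    """True if any of the subject's roles grants the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


# ABAC: policies compare subject and resource attributes; all must return True.
def same_department_or_owner(subject: Subject, resource: Resource, action: str) -> bool:
    return subject.department == resource.owner_department or subject.user_id == resource.owner_id


def clearance_meets_classification(subject: Subject, resource: Resource, action: str) -> bool:
    return subject.clearance >= resource.classification


def only_owner_may_delete(subject: Subject, resource: Resource, action: str) -> bool:
    return action != "document:delete" or subject.user_id == resource.owner_id


ABAC_POLICIES = (same_department_or_owner, clearance_meets_classification, only_owner_may_delete)


def authorize(subject: Subject, resource: Resource, action: str) -> tuple:
    """Deny by default. Returns (allowed, reason) so denials can be logged and audited."""
    if not rbac_allows(subject, action):
        return False, "rbac: no role grants " + action
    for policy in ABAC_POLICIES:
        if not policy(subject, resource, action):
            return False, "abac: " + policy.__name__ + " denied"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample subjects and resource.
    alice = Subject("alice", frozenset({"editor"}), "finance", 2)
    bob = Subject("bob", frozenset({"viewer"}), "sales", 1)
    report = Resource("alice", "finance", 2)
    for who, act in ((alice, "document:write"), (bob, "document:read"), (alice, "document:delete")):
        print(who.user_id, act, authorize(who, report, act))
```

Note that a role check alone would let any finance editor delete the report; the attribute policies are what tie the decision to ownership and classification, which is the capability to look for when evaluating a vendor.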
A data breach — when data is exposed to unauthorized third parties — can threaten both on-premises and SaaS solutions. However, if you’re using a cloud-based SaaS application, the safety of your data depends on its provider. That’s why you must find out what policies and procedures the vendor follows to prevent and respond to cyberattacks and then recover from them.
It’s essential to ask the provider how its security teams detect data breaches and what actions they take to contain possible damage. For example, do they use system backups so that you can restore data? You’ll need to know how they can eliminate the threat and restore affected systems.
Access From Unsecured Networks
One of the benefits of SaaS products is that people can access them from anywhere if their device is connected to the internet: at home, at a coffee shop, in a hotel suite by the sea — you name it. But using a public Wi-Fi access point that doesn’t require authentication to enable a network connection can be risky. For example, hackers can intercept information (i.e., a man-in-the-middle attack) or distribute malware if file-sharing across a network is allowed.
Luckily, you can take several measures to safeguard data and user credentials:
• Add two-factor authentication.
• Introduce password creation rules.
• Use secure web gateways.
• Find a product that allows access from specified IP addresses only.
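The following is an added example, not code from the original article or any particular product, showing how three of the measures above can be enforced at login: a source-address allowlist, a requirement that the second factor was completed, and a password creation rule. The allowlisted networks, the small list of disallowed passwords and the sample login attempts are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: corporate office ranges (documentation prefixes, not real networks).
ALLOWED_NETWORKS = tuple(
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32", "2001:db8:1::/48")
)

# Constructed sample of passwords that a creation rule should reject.
DISALLOWED_PASSWORDS = {"password", "123456789012", "qwertyuiop12"}


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    source_ip: str
    mfa_verified: bool


def ip_allowed(ip_str: str, networks=ALLOWED_NETWORKS) -> bool:
    """True only if the address parses and falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparsable input is treated as not allowed
    return any(addr in net for net in networks)


def evaluate_login(attempt: LoginAttempt, networks=ALLOWED_NETWORKS) -> tuple:
    """Deny by default; returns (decision, reason) for audit logging."""
    if not ip_allowed(attempt.source_ip, networks):
        return "deny", "source address not in allowlist"
    if not attempt.mfa_verified:
        return "deny", "second factor not completed"
    return "allow", "ok"


def password_meets_policy(username: str, password: str, min_length: int = 12) -> bool:
    """Creation rule: minimum length, not a known-bad value, not containing the username."""
    if len(password) < min_length:
        return False
    if password.lower() in DISALLOWED_PASSWORDS:
        return False
    if username.lower() in password.lower():
        return False
    return True


if __name__ == "__main__":
    # Constructed login attempts, e.g. from a coffee-shop network versus the office.
    attempts = [
        LoginAttempt("alice", "203.0.113.45", True),
        LoginAttempt("alice", "192.0.2.7", True),
        LoginAttempt("bob", "198.51.100.10", False),
        LoginAttempt("eve", "not-an-ip", True),
    ]
    for a in attempts:
        print(a.user, a.source_ip, evaluate_login(a))
    print(password_meets_policy("alice", "correct horse battery staple"))
```

The order of checks matters for what gets logged: an attempt from outside the allowlist is refused before the second factor is even consulted, so the audit trail shows where connections are coming from, which is useful when reviewing access from unsecured networks.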
Doubts In A Solution’s Compliance With Data Privacy Regulations
In McKinsey’s 2019 survey about the security of SaaS offerings, respondents noted they don’t necessarily trust vendors’ claims regarding their products’ compliance with data privacy regulations.
On the bright side, regulations like GDPR, CCPA, LGPD, etc., place vendors under a clear legal jurisdiction. A company that states its compliance with a given law must not only declare but also work according to this law. So, if your data becomes compromised, you can take legal action against the provider and request compensation.
Uncertainty Of Where Data Is Stored Geographically
SaaS customers must know where their data resides to comply with local data regulations and/or ensure that their data is stored and processed in a specific region or country. However, providers can’t guarantee data localization (residency).
What can users do in this situation? Providers serving companies that follow strict data usage standards usually have to prioritize either the system’s fault tolerance or data regulation compliance. For example, data may be replicated to a data center outside of the customer’s preferred location so that customers can continue using the service if the primary data center goes down.
To sum up, you have a right to ask where a provider stores your data and use the answer to shortlist solutions. But you can’t compel the provider to store data in a given location.
The SaaS software delivery model allows companies to improve their operations with cutting-edge solutions without maintaining or updating software and hardware. On the other hand, the security of data stored in SaaS applications must not be overlooked. At this point, you have two ways to go: either carefully select and use an off-the-shelf application as it is (with a given layer of security that works for your organization), or implement a solution in-house, choosing the data protection standards you want to comply with.
The original post 'Top Security Concerns Of SaaS Users' is written by Max Yarchevsky, CEO and Founder at Boxmode and can be found on Forbes.com.