In a world that is becoming increasingly knowledge-based, products are becoming highly digitized. A recent study of IT professionals reported that over 30% of their workplace environment is virtualized. We've even created an acronym for these kinds of services: software as a service (SaaS). Usually, a company provides subscription-based access that allows subscribers to use software in the cloud. The software itself is hosted by a third-party SaaS service provider, which is responsible for maintaining the software and hardware associated with the application. Overall, there are three main players in the SaaS network: the service provider, the software developer and the end customers using the software. Collaboration among these parties often exposes SaaS networks to greater risks.
For small business owners of SaaS companies, compliance with international security standards usually comes down to three basic tasks: identifying users and granting access privileges to those users; identifying sensitive data and assessing where it is stored and how it is encrypted; and documenting this information in an easy-to-understand format for auditors or SaaS regulating authorities. These steps may look very simple, but in practice SaaS network management is more complicated than simple networking. For instance, it may be difficult for a customer to locate where its data resides in the SaaS network. If the SaaS provider doesn't have a well-defined network hierarchy, it may become difficult for the provider to identify the customer's data and secure it from outside threats. To deal with these issues, the following are some important tips for SaaS company managers to prioritize:
Taking Responsibility for the Data
There are various regulations for SaaS companies, but PCI DSS is one of the most significant as it pertains to protecting the client's cardholder data. Almost every SaaS company, irrespective of size, must focus on clause 12.8 of PCI DSS, which states that the SaaS company or hosting provider is fully responsible for protecting the client's cardholder data. It also means that the company is responsible for any unintentional security lapses by clients who access the SaaS portal in the cloud.
Accordingly, each client of the SaaS provider must have its own cardholder data environment. In practice, it is not uncommon for SaaS providers to host cardholder data from different clients on the same server. Owners should therefore ensure that there are prevention measures in place that keep the cardholder data of one client from mixing with that of another. For budget-constrained small businesses, it is a challenge to provide such controls where a server may contain data of multiple clients. Therefore, experts often recommend deploying access management systems in conjunction with other controls, ensuring an extra layer of security for the client's identity.
As discussed, security of data is the duty of the SaaS provider; therefore SaaS managers should always work with their clients to ensure that each client understands what kind of software is best for them. Working with clients is important because any breach in the security setup will not only jeopardize the data but is also likely to impact user authentication on the provider's server. Hence, a breach may affect data, passwords and IDs. One way to ensure proper safeguards is to run regular conferences or hold meetings with clients, sharing knowledge of how both parties can work together to offer better security to the customers using a particular piece of software. Another preferred method is to provide direct authentication against the service provider's directory services, using Active Directory or LDAP.
Flexible Service Level Agreement
SaaS networking specialists should also understand the importance of proper logging and audit trails, which are mandatory under the requirements of PCI. These trails are always needed by the investigating authorities, and SaaS providers are responsible for supporting a forensic investigation if a breach occurs. SaaS companies should understand that their clients must be allowed access to the security logs when investigators ask for the records. As such, make sure that the service level agreement provides adequate access to clients without compromising the provider's own security. Keeping service level agreements (SLAs) flexible will ensure that both the provider and the client can work as a team in resolving the issue and handling the ongoing investigation.
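The two controls described above, keeping one client's cardholder data from mixing with another's on a shared server and giving each client access to the security logs that concern it, can be modelled in a few lines of code. The following is an added example written for this article, not code from the original page or from any particular SaaS provider; the class and role names (`TenantStore`, `AccessDenied`, the `auditor` role) and the sample records are constructed. Every stored row carries the tenant it belongs to, reads are refused unless the caller's tenant matches, and every allowed or denied access is written to an audit trail that a client can query for its own tenant while a provider-side auditor sees everything.

```python
"""Tenant-scoped data access with a per-tenant audit trail (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AccessDenied(Exception):
    """Raised for any read outside the caller's tenant (or of a missing record)."""


@dataclass
class Principal:
    user: str
    tenant_id: str
    roles: frozenset = frozenset()  # e.g. {"auditor"} for provider staff


@dataclass
class TenantStore:
    # One shared table keyed by record id; every row is tagged with its tenant_id.
    _rows: dict = field(default_factory=dict)
    _audit: list = field(default_factory=list)

    def _log(self, who, action, target_tenant, record_id, allowed):
        self._audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": who.user,
            "user_tenant": who.tenant_id,
            "action": action,
            "target_tenant": target_tenant,
            "record": record_id,
            "allowed": allowed,
        })

    def put(self, who, record_id, payload):
        # Writes are always tagged with the caller's own tenant, never a
        # caller-supplied tenant, so a client cannot file data under another.
        self._rows[record_id] = {"tenant_id": who.tenant_id, "payload": payload}
        self._log(who, "put", who.tenant_id, record_id, True)

    def get(self, who, record_id):
        row = self._rows.get(record_id)
        target = row["tenant_id"] if row else None
        if row is None or row["tenant_id"] != who.tenant_id:
            # Same error for "missing" and "belongs to another tenant", so a
            # client cannot use the error to enumerate other tenants' record ids.
            self._log(who, "get", target, record_id, False)
            raise AccessDenied(record_id)
        self._log(who, "get", target, record_id, True)
        return row["payload"]

    def audit_for(self, who):
        # A client sees every entry that touched its data (including denied
        # attempts by others) or was made by its own users; a provider auditor
        # with the "auditor" role sees the full trail for an investigation.
        if "auditor" in who.roles:
            return list(self._audit)
        return [e for e in self._audit
                if e["target_tenant"] == who.tenant_id
                or e["user_tenant"] == who.tenant_id]


def demo():
    """Exercise the store with two constructed tenants and return what each observes."""
    store = TenantStore()
    alice = Principal("alice", "acme")
    bob = Principal("bob", "globex")
    auditor = Principal("audit", "provider", frozenset({"auditor"}))

    store.put(alice, "card-1", {"pan_last4": "4242"})  # constructed sample record
    store.put(bob, "card-2", {"pan_last4": "1111"})    # constructed sample record

    results = {"own": store.get(alice, "card-1")["pan_last4"]}
    try:
        store.get(bob, "card-1")          # cross-tenant read must fail
        results["cross"] = "leaked"
    except AccessDenied:
        results["cross"] = "denied"

    results["acme_audit"] = len(store.audit_for(alice))
    results["globex_audit"] = len(store.audit_for(bob))
    results["all_audit"] = len(store.audit_for(auditor))
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the acme client its two own operations plus the denied attempt against its record, the globex client its own write and its own denied read, and the provider auditor all four entries. In a real deployment the tenant id would come from the authenticated session (for example a directory group or token claim) rather than from the request body, which is the point the article makes about tying access management to the client's identity.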
Besides PCI-specific issues, network administrators should also be wary of breaches from a web security perspective. As the SaaS provider and its clients are connected over the web, it is also important that every administrator is aware of the legal issues arising from data infringement on servers in different jurisdictions around the world.
Remember, IT security in a SaaS network is only partially controlled by the provider, which increases security risks. Therefore, SaaS managers should realize that they must have internal controls in place to tackle security issues arising from a third party. In a nutshell, SaaS networks must be secure enough to function as a stand-alone system, able to protect themselves against outside breaches and to keep working effectively during a security breach.