Software-as-a-service is the norm now. All organizations, even the most conservative ones, are using some form of SaaS – be it for storage, email, customer management, marketing, or even low-code. But security is always a concern with SaaS, so vendors need to take extra care in order to tick security boxes when evaluated by security-conscious customers.
We, as a SaaS security provider, are well-positioned to discuss best practices in the security aspects of SaaS and so we wanted to share our top five mandatory security features that every SaaS should offer its customers:
While it’s not a technical challenge to introduce 2FA/MFA to the login process, many SaaS providers don’t offer this option, thus putting the data that customers store at risk from leaked credentials or brute-force attacks. MFA with a 6-digit code through a dedicated mobile app has become a straightforward and familiar process, and it should be available to all registered users and enforceable on all of them by a given organization (if the SaaS user structure includes the organization entity).
SaaS customers, even in a work-from-home scenario, have a corporate network and would prefer to limit access to their accounts to that network only. That prevents many issues related to credential leaks and phishing and allows the organization to feel more secure when using the chosen SaaS. IP whitelists can be differentiated – one for dashboard access and one for API calls if the SaaS has an API (hint: it should).
Encryption of data with customer-managed keys is crucial for trust. Customers often don’t feel safe about a third party having access to their data, so a SaaS provider should introduce encryption. Our end-to-end searchable encryption technology allows us to provide such guarantees for logs (in our SIEM and audit trail products) and any data (for our database). There is no way that we can break the encryption and read customers’ data. And of course, every connection should be using TLS 1.2 for secure communication, and data should be encrypted at rest.
Even with 2FA and IP whitelists, weak passwords are still an issue. A malicious actor that has gained access to the internal infrastructure (including a malicious insider) can attempt to break weak passwords or reused passwords. An organization should be able to configure its password rules for any SaaS they use. Usually, password rules are defined per-organization, and having exceptions due to lack of support from the SaaS provider is a security issue. Using cloud IAM providers can be seen as a workaround for some authentication issues, but in most cases, it only masks the problem rather than fixing it.
More and more organizations have SIEMs or other audit log collectors that they use for security and compliance needs. A cloud application that doesn’t provide any log information to be programmatically consumed (preferably via API) limits visibility. Proxy-based CASB solutions are workarounds, but in the work-from-home scenario it’s hard to enforce a company-wide proxy in order to capture access logs. Therefore each SaaS should provide its audit logs and access logs for collection by SIEM-like solutions.
If you are a SaaS provider and need help to quickly implement some of those features, we have you covered. SentinelTrails allows you to easily provide proper audit logs, and SentinelDB can be used to store and search customer-encrypted data.
Large and security-conscious organizations can decide to drop a SaaS provider because it lacks one or more important security features, which puts additional pressure on SaaS providers to work on improving their security. The list above is just the beginning, but it captures the general philosophy – your customers should feel that their data is well protected.
Bozhidar Bozhanov is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency, and information security.