6 Steps to SaaS Security

Steve Murphy
23 Jan 2023, 09:41

Summary

TLDR: In this video, Steve Murphy discusses the complexities of SaaS security, emphasizing that while SaaS providers are responsible for security, organizations must also take precautions. He outlines six best practices for SaaS security, including access management, backup strategies, data retention, regulatory compliance, misconfiguration prevention, and data breach readiness. Additionally, he touches on the role of cloud access security brokers (CASBs) in SaaS security strategies, offering practical advice for securing SaaS applications.

Takeaways

  • 🌐 Software as a Service (SaaS) is becoming the dominant strategy for software providers, offering advantages like subscription-based licensing, simplified deployment, and automatic updates.
  • 🔒 While SaaS providers are responsible for securing the application, customers must also conduct due diligence to ensure the provider's security measures meet their requirements.
  • 👥 Access management is crucial in SaaS applications, requiring role-based access controls and granular permissions to segregate sensitive information and user roles effectively.
  • 🔄 Backup and business continuity are essential, as SaaS platforms may experience outages. Organizations should maintain their own data backups and understand the platform's redundancy and restoration policies.
  • 🗂 Data retention policies must be clear, especially for time-sensitive data. SaaS platforms may require data removal or export to the customer's retention facility, depending on the service agreement.
  • 🌍 Regulatory compliance and data sovereignty are increasingly important, with some countries requiring data to be stored within their borders. Organizations must ensure their SaaS provider complies with relevant regulations.
  • 🔧 Misconfigurations can be a significant risk, especially with multiple SaaS platforms. IT teams must be vigilant in configuring security settings accurately and reviewing them periodically.
  • 🛡️ Data breaches are a reality for SaaS systems, which can be significant targets for attackers. Ensuring data encryption and strong security measures is vital, along with understanding breach notification policies.
  • 🌐 Cloud Access Security Brokers (CASBs) can play a role in SaaS security by controlling data movement in cloud environments and identifying unauthorized SaaS usage, though their adoption is currently limited.
  • 🤝 Engaging with experts and staying informed on best practices is key to securing SaaS applications, as the landscape is continually evolving and new threats emerge.

Q & A

  • What is the primary advantage of Software as a Service (SaaS) for application providers?

    -The primary advantage of SaaS for application providers is the subscription-based licensing model, which creates a consistent revenue stream and a stable cost structure for the customers.

  • Why is it important for customers to conduct due diligence on their SaaS provider's security?

    -It's important for customers to conduct due diligence on their SaaS provider's security to ensure that the provider's security posture and procedures are sufficient and at least match the customer's requirements, as relying on someone else for data security does not absolve the customer from ensuring data safety.

  • What are the six security best practices for SaaS applications mentioned in the script?

    -The six security best practices for SaaS applications are: 1) Access Management, 2) Backup and Business Continuity, 3) Retention, 4) Regulatory Compliance, 5) Misconfigurations, and 6) Data Breaches.

  • Why is role-based access control important within a SaaS platform?

    -Role-based access control is important within a SaaS platform to ensure that only those allowed to interact with sensitive data have access to it, thereby preventing unauthorized access and maintaining data security.

  • What should organizations consider regarding backup and business continuity when using a SaaS platform?

    -Organizations should consider understanding the policies and capabilities for redundancy and restoration, as well as recovery behind the SaaS platform, and maintain their own backups of data to ensure business continuity in case of a platform failure.

  • Why is data retention a concern when storing time-sensitive data in a SaaS platform?

    -Data retention is a concern because most platforms require data to be removed or exported after a certain period, and data in SaaS platforms does not survive perpetually unless negotiated with the provider.

  • What is the significance of regulatory compliance in the context of using a SaaS platform?

    -Regulatory compliance is significant as it ensures that the data stored in the SaaS platform adheres to legal and regulatory requirements, such as data sovereignty, which can affect data storage strategies and compliance status.

  • How can misconfigurations pose a risk in the use of multiple SaaS platforms?

    -Misconfigurations can pose a risk by providing unauthorized access or failing to suspend access for separated employees, as each SaaS platform has its own security settings that may be prone to mismanagement due to overconfidence or lack of expertise.

  • What measures should be taken to protect against data breaches in a SaaS environment?

    -To protect against data breaches, ensure that SaaS data is encrypted, the platform has strong security measures, and understand the notification policies and provider liability in case of a breach.

  • What is the role of a Cloud Access Security Broker (CASB) in a SaaS security strategy?

    -A CASB provides a security approach for all cloud workflows, controlling data movement through cloud environments, identifying Shadow IT, and potentially playing a role in data governance for SaaS. However, their adoption is currently limited, and immediate security strategies for existing SaaS applications are necessary.

  • What is the speaker's suggestion for viewers interested in securing their organization further?

    -The speaker suggests that viewers interested in securing their organization further should reach out to him for more information, with his contact information provided in the video description.

Outlines

00:00

🔒 Understanding SaaS Security Responsibilities

The first paragraph introduces the growing trend of Software as a Service (SaaS) and its advantages, such as subscription-based licensing, simplified deployment, and automatic updates. It emphasizes that while SaaS providers secure the application, customers must also ensure the security of their data. The speaker, Steve Murphy, outlines six security best practices for SaaS applications, starting with access management and the importance of role-based controls. He also mentions the need for customers to conduct due diligence on their SaaS providers to ensure their security measures meet the required standards.

05:01

📚 Key Considerations for SaaS Security and Data Compliance

The second paragraph delves into the complexities of data retention, regulatory compliance, and the importance of data sovereignty, especially within the European Union. It discusses the challenges of configuring numerous SaaS platforms correctly and the risk of mismanagement. The paragraph also addresses the potential for data breaches in SaaS systems and the necessity of encryption and strong security measures. It concludes by discussing the role of Cloud Access Security Brokers (CASBs) in SaaS security strategies, noting their current limited adoption and suggesting that immediate security strategies are needed for existing SaaS applications.

Keywords

💡SaaS

SaaS stands for Software as a Service, which is a model of software delivery where the service provider hosts the application and makes it available over the internet. In the video, SaaS is highlighted as the dominant strategy for software providers, emphasizing the convenience and advantages it brings to organizations, such as subscription-based licensing and simplified deployment.

💡Security

Security in the context of the video refers to the protection of data and systems within SaaS applications. It is a central theme as the video discusses the shared responsibility of security between the SaaS provider and the customer. The script mentions the importance of due diligence on the SaaS provider's security posture and the customer's role in ensuring data safety.

💡Access Management

Access Management is a security best practice discussed in the video, which involves controlling who can access sensitive data within a SaaS platform. The script explains the need for role-based access controls and the importance of granular permissions to segregate information appropriately among different roles within an organization.

💡Backup and Business Continuity

This concept refers to the strategies and plans in place to ensure the availability of data and services in the event of a SaaS platform failure. The video script mentions the importance of understanding the SaaS provider's backup policies and maintaining backups of one's own data to ensure business continuity.

💡Retention

Retention in the video script pertains to how long data is kept within a SaaS platform. It is important for time-sensitive data, and the script notes that most platforms require data to be removed or exported after a certain period. The concept is tied to compliance with data retention policies and legal requirements.

💡Regulatory Compliance

Regulatory Compliance is the adherence to laws and regulations governing data storage and usage, especially in the context of data sovereignty. The video emphasizes the importance of understanding and maintaining compliance when using a SaaS provider, as it can affect where data is stored and how it is managed.

💡Misconfigurations

Misconfigurations refer to errors in setting up the security and access controls within SaaS platforms. The video script warns of the high risk of misconfiguration due to the variety of SaaS platforms used and the potential lack of expertise in all of them, highlighting the need for careful configuration and periodic reviews.

💡Data Breaches

Data breaches are incidents where unauthorized individuals gain access to sensitive data. The video discusses the risk of SaaS platforms being targeted for attacks and the importance of encrypting data and ensuring the SaaS provider has strong security measures in place. It also touches on understanding breach notification policies and provider liability.

💡Cloud Access Security Broker (CASB)

A CASB is a security tool that helps control and monitor data traffic in cloud services, including SaaS applications. The video script explores the role of CASBs in a SaaS security strategy, noting their utility in controlling data flow and identifying unauthorized cloud services, although it also points out that CASB adoption is not yet widespread.

💡Data Sovereignty

Data Sovereignty is the concept that data created within a specific country or jurisdiction should remain within that country or jurisdiction. The video script discusses this as a hot topic in regulatory compliance, especially in the context of the EU, where legal requirements may dictate that data is stored within the member state where it was created.

💡Shadow IT

Shadow IT refers to the use of unauthorized or unregulated technology within an organization, often without the knowledge of the IT department. The video script mentions that advanced CASBs can help identify Shadow IT, including unsanctioned SaaS applications, as part of a broader security strategy.

Highlights

SaaS services are increasingly popular for their convenience and the shift of software vendors to cloud-based applications.

Security in SaaS is a shared responsibility, not solely the provider's, and requires a clear understanding of responsibilities.

SaaS offers advantages like subscription-based licensing, simplified deployment, and automatic updates.

Customers must conduct due diligence on SaaS providers to ensure their security measures meet or exceed requirements.

Six security best practices for SaaS applications are outlined for better data protection.

Access management is crucial, with a need for role-based controls and granular permissions within SaaS platforms.

Backup and business continuity plans are essential, as SaaS platforms may not provide access to their backups.

Data retention policies must be clear, as SaaS platforms may not retain data indefinitely.

Regulatory compliance and data sovereignty are significant, especially with data location requirements.

Misconfigurations are a common risk with multiple SaaS platforms, requiring careful management and review.

Data breaches are a reality, and SaaS platforms must have strong security measures and encryption.

Understanding notification policies and provider liability in the event of a breach is important.

Most SaaS platforms have robust security capabilities due to scale and brand protection needs.

Cloud Access Security Brokers (CASBs) can play a role in SaaS security, especially for data governance.

CASBs are more useful for controlling data in cloud environments and identifying unauthorized cloud services.

The adoption of CASBs is currently low, requiring immediate security strategies for existing SaaS applications.

The speaker offers to help explore more ways to secure organizations and provides contact information.

A call to action for likes, subscriptions, and future video engagement is presented.

Transcripts

00:00

SaaS services are a great convenience to most organizations. More and more software vendors are putting their applications in the cloud and converting them into SaaS services. At first glance this might seem as though security is the responsibility of the SaaS provider; however, SaaS is more complicated than that, so let's unpack what you need to know and where you're responsible for SaaS security. We're going to have a bonus section at the end to discuss one of the frequent questions we get from clients around SaaS security.

00:30

Hi, I'm Steve Murphy. I'm a vice president at ARG, and while I work for ARG, this video is my own and does not represent the views or opinions of my employer.

00:40

Software as a service, abbreviated SaaS and pronounced "sass," is now the dominant go-to-market strategy for software providers today. There are lots of advantages for being a SaaS application, which is delivered over the public internet and usually accessed via a traditional web browser. Some of those advantages include subscription-based licensing, where users buy a certain number of licenses for their users. This is attractive because it creates a consistent revenue stream to the application provider and a stable cost structure for the customer. Deployment's much simpler for the customer, and upgrades and patches are deployed directly by the application developer to the cloud platform, so everyone's always on the same version.

01:26

From a customer perspective, your use of the application and the data that you load into it is generally secured by the SaaS provider. You want to conduct some significant due diligence on your SaaS provider to ensure their security posture and procedures are sufficient and at least match your requirements, if not exceed them. So having someone else responsible for the security of your data does not absolve you or your organization from doing its part to ensure your data is kept safe.

01:58

Let's break down the six security best practices for SaaS applications.

02:03

First is access management. If you're putting sensitive information in a SaaS platform, only those allowed to interact with that sensitive data should have access to the platform. Makes sense, right? Well, segregating employees based upon the applications they need to access is a fairly standard process, but within the SaaS application itself, segregating information can become more difficult. One of the challenges with SaaS is establishing a finite access control. It might be difficult, for example, to keep your accounting staff from accessing financial projections if both accounting and finance are using the same financial management system. Make sure your SaaS platform has role-based access controls and you understand how granular those controls are. We're looking for more than just the admin user and information access type of roles; we'd like to see workflow segregations if that's important to your organization and the system under consideration.

03:03

Next is backup and business continuity. What happens if your SaaS platform fails? The notable big-name SaaS platforms have had their outages. Typically these are short-lived, and customers just have to keep making do and keeping alternate records until the service is restored. But many organizations are using smaller SaaS platforms for specialized services. Do these smaller platforms have the same resources to address an outage as a Microsoft or salesforce.com? When using a SaaS platform, the platform may make a backup of your data, but you may not have access to that backup. Most SaaS platforms require you to maintain backups of your own data, so be sure you understand the policies and capabilities for redundancy and restoration, as well as recovery, behind the SaaS platform you're working with.

03:58

Retention is the next topic. If you're storing time-sensitive data in a SaaS platform, that data needs to be retained for more than a short while. Most platforms will require you to remove your data, or move your data, export your data, into your own retention facility. Data in SaaS platforms does not survive perpetually, though it can if you negotiate that capability with the provider. If you're backing up the data in accordance with your business continuity strategy, you can focus less on the SaaS platform for your data retention, as long as your workflows do not require extensive historical data access.

04:41

So, fourth is growing bigger and more important every day: regulatory compliance. Data sovereignty in particular is a hot topic I see right now. Where is the data physically located? Several countries require that data created in that country stay within that country, or the economic union states in the case of the EU. Even the EU is becoming less clear. I've seen some client legal departments require data created in an EU member state be stored in that same member state. This is creating some challenging data storage strategies, to be sure. By the way, we represent all the major data centers around the world, so if you need a facility in a particular jurisdiction, just let me know. My contact information is in the description of the video. So, are you subject to a regulatory framework, and is the data you'll be storing in the SaaS platform subject to those regulations? Well, then you'll want to make sure you understand how you will maintain compliance while using a particular SaaS provider. Another consideration, and maybe an advantage, is: can the SaaS platform, because it meets your compliance requirements, help you gain a compliance status? Using a SaaS might be easier to satisfy your regulatory obligations than building your own compliant environment.

06:03

Okay, number five, that's misconfigurations. Large companies use over 50 SaaS platforms, maybe even well over 100. Small organizations typically have at least 10. Chances are your IT team does not have expertise in all of the SaaS platforms you guys are using. The opportunity for misconfiguration or mismanagement of subscribers, either providing subscriptions to people who don't need access or failing to suspend access of separated employees, is very high. Each SaaS platform has its own security settings. They're generally pretty straightforward and somewhat limited, so it's easy for the person responsible for configuring the security on the SaaS to get overconfident and just take a cursory approach to the settings. Terminology in the security configuration portals may not comply with standard industry definitions, so you have to take great care to ensure that the configurations are accurate, and they need to be reviewed periodically.

07:03

Now, the last one is data breaches. So our SaaS system will be subject to attack just as any other system will be. In fact, the major SaaS platforms are significant targets for the bad guys, not only for the ability to hold data of the SaaS ransom to the SaaS provider, but for all the SaaS customer information that can then either be sold or ransomed back to the customers directly. Ensure that your SaaS data is encrypted and that the SaaS platform has sufficiently strong security measures for the data you're trusting within it. Understand the notification policies around a breach should one occur, and what liability the SaaS provider has to your organization.

07:45

So leveraging a SaaS can be secure and a sound strategy. In fact, most SaaS platforms have stronger security capabilities than a typical business, simply due to their larger scale and scope, as well as needing to protect their brand that would be damaged should an event occur. You do need to take additional steps, though, to complete your security position. Okay, so that's SaaS and six steps to help you manage your security posture.

08:16

I promised a bit of a bonus at the end of this video. So a natural question that we get when discussing SaaS security is: how does a cloud access security broker, or CASB, enter into my SaaS security strategy? It's a good question and requires some careful consideration. So CASBs provide a great security approach for all cloud workflows, whether they're SaaS or other cloud services. However, CASBs are more useful for controlling data moving through the cloud environments and identifying shadow IT, or unsanctioned SaaS and other cloud services. Advanced CASBs can play a role in data governance for the SaaS as well. The reality, though, is that very few organizations have CASBs today, so while they might play a role in SaaS security at some point in the future, we need security strategies that work now for the SaaS applications that we're using now.

09:16

So if you want to explore more ways to secure your organization, feel free to reach out to me. My contact information is in the description of this video. If you got some value out of this video, I'd appreciate a like, a thumbs up, and thank you very much for doing that in advance. I appreciate it. If you'd like to come back to this channel in the future, the best way of doing that is to hit the Subscribe button. Thanks very much for watching, and I hope you have a great day.
