6 Steps to SaaS Security
Summary
TL;DR: In this video, Steve Murphy discusses the complexities of SaaS security, emphasizing that while SaaS providers secure the application itself, customers remain responsible for protecting their own data and their use of it. He outlines six best practices for SaaS security: access management, backup and business continuity, data retention, regulatory compliance, misconfiguration prevention, and data breach readiness. He closes with the role of cloud access security brokers (CASBs) in SaaS security strategies, noting that few organizations run one today.
Takeaways
- Software as a Service (SaaS) is becoming the dominant strategy for software providers, offering advantages like subscription-based licensing, simplified deployment, and automatic updates.
- While SaaS providers are responsible for securing the application, customers must also conduct due diligence to ensure the provider's security measures meet their requirements.
- Access management is crucial in SaaS applications, requiring role-based access controls and granular permissions to segregate sensitive information and user roles effectively.
- Backup and business continuity are essential, as SaaS platforms may experience outages. Organizations should maintain their own data backups and understand the platform's redundancy and restoration policies.
- Data retention policies must be clear, especially for time-sensitive data. SaaS platforms may require data removal or export to the customer's retention facility, depending on the service agreement.
- Regulatory compliance and data sovereignty are increasingly important, with some countries requiring data to be stored within their borders. Organizations must ensure their SaaS provider complies with relevant regulations.
- Misconfigurations can be a significant risk, especially with multiple SaaS platforms. IT teams must be vigilant in configuring security settings accurately and reviewing them periodically.
- Data breaches are a reality for SaaS systems, which are significant targets for attackers. Ensuring data encryption and strong security measures is vital, along with understanding breach notification policies.
- Cloud Access Security Brokers (CASBs) can play a role in SaaS security by controlling data movement in cloud environments and identifying unauthorized SaaS usage, though their adoption is currently limited.
- Engaging with experts and staying informed on best practices is key to securing SaaS applications, as the landscape is continually evolving and new threats emerge.
Q & A
What is the primary advantage of Software as a Service (SaaS) for application providers?
-The primary advantage of SaaS for application providers is the subscription-based licensing model, which creates a consistent revenue stream for the provider and a stable cost structure for the customer.
Why is it important for customers to conduct due diligence on their SaaS provider's security?
-Having someone else secure your data does not absolve the customer of responsibility for it. Customers should verify that the provider's security posture and procedures are sufficient and at least match, if not exceed, their own requirements.
What are the six security best practices for SaaS applications mentioned in the script?
-The six security best practices for SaaS applications are: 1) Access Management, 2) Backup and Business Continuity, 3) Retention, 4) Regulatory Compliance, 5) Misconfigurations, and 6) Data Breaches.
Why is role-based access control important within a SaaS platform?
-Role-based access control is important within a SaaS platform to ensure that only those allowed to interact with sensitive data have access to it, thereby preventing unauthorized access and maintaining data security.
What should organizations consider regarding backup and business continuity when using a SaaS platform?
-Organizations should understand the platform's policies and capabilities for redundancy, restoration and recovery, and maintain their own backups of the data, since the platform's own backups may not be accessible to the customer. That is what keeps the business running if the platform fails or has an extended outage.
Why is data retention a concern when storing time-sensitive data in a SaaS platform?
-Data in a SaaS platform does not survive perpetually unless that is negotiated with the provider; most platforms require data to be removed or exported into the customer's own retention facility after a period, so time-sensitive data that must be kept for long needs to be covered by the customer's own backup and retention strategy.
What is the significance of regulatory compliance in the context of using a SaaS platform?
-Regulatory compliance is significant as it ensures that the data stored in the SaaS platform adheres to legal and regulatory requirements, such as data sovereignty, which can affect data storage strategies and compliance status.
How can misconfigurations pose a risk in the use of multiple SaaS platforms?
-Each SaaS platform has its own security settings, and an IT team running dozens of platforms rarely has expertise in all of them. The common failures are granting subscriptions to people who don't need access and failing to suspend access for separated employees. Settings portals look simple and may use terminology that does not match standard industry definitions, so it is easy to get overconfident; configurations should be verified carefully and reviewed periodically.
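The periodic review described in the access-management and misconfiguration answers above, as an added example that is not part of the video or its summary. It reconciles a SaaS user export against the HR roster and an approved role-to-department matrix and flags the failure modes the speaker names: separated employees still active, people holding roles their department is not approved for (the accounting-staff-seeing-financial-projections case), active accounts with no HR record, and licenses nobody is using. The roster, the user export, its JSON field names, the role names and the 90-day inactivity threshold are all constructed assumptions for the example; a real platform's export will have its own shape and you would pull it from that platform's admin export or API.

```python
"""Periodic SaaS access review (added example; all data below is constructed).

Reconciles a SaaS user export against the HR roster and an approved
role-to-department matrix and reports the misconfigurations that
a cursory look at the settings portal would miss.
"""
import csv
import io
import json
from datetime import date

# Constructed HR roster export: the identity source of truth.
HR_ROSTER_CSV = """email,department,status,termination_date
alice@example.com,finance,active,
bob@example.com,accounting,terminated,2024-03-01
carol@example.com,accounting,active,
dave@example.com,engineering,active,
"""

# Constructed SaaS user export. The field names are an assumption;
# real platforms each have their own export format.
SAAS_USERS_JSON = """[
  {"email": "alice@example.com", "roles": ["fp_and_a"], "status": "active", "last_login": "2024-05-20"},
  {"email": "Bob@example.com", "roles": ["ap_clerk"], "status": "active", "last_login": "2024-02-27"},
  {"email": "carol@example.com", "roles": ["ap_clerk", "fp_and_a"], "status": "active", "last_login": "2024-05-21"},
  {"email": "dave@example.com", "roles": ["viewer"], "status": "active", "last_login": "2023-11-02"},
  {"email": "ext.contractor@partner.example", "roles": ["admin"], "status": "active", "last_login": "2024-05-19"},
  {"email": "erin@example.com", "roles": ["admin"], "status": "suspended", "last_login": "2023-01-05"}
]"""

# Approved role matrix (hypothetical role names): which departments may hold each role.
# This is the "workflow segregation" the video asks for, written down so it can be checked.
ROLE_MATRIX = {
    "ap_clerk": {"accounting"},   # accounts payable workflow
    "fp_and_a": {"finance"},      # financial projections
    "admin": {"it"},
    "viewer": {"finance", "accounting", "engineering", "it"},
}


def load_roster(csv_text):
    """Index the HR export by lower-cased email so comparisons are case-insensitive."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["email"].strip().lower(): row for row in reader}


def load_saas_users(json_text):
    return json.loads(json_text)


def review_access(roster, users, today, inactive_days=90):
    """Return (finding_type, email, detail) tuples for every active SaaS account that
    should not exist, should be suspended, holds an unapproved role, or is unused."""
    findings = []
    for user in users:
        if user.get("status") != "active":
            continue  # already suspended accounts are not a finding
        email = user["email"].strip().lower()
        emp = roster.get(email)
        if emp is None:
            findings.append(("ORPHAN_ACCOUNT", email, "active in SaaS but absent from HR roster"))
            continue
        if emp["status"] != "active":
            when = emp["termination_date"] or "unknown date"
            findings.append(("SEPARATED_STILL_ACTIVE", email, f"HR status {emp['status']} since {when}"))
            continue
        for role in user.get("roles", []):
            allowed = ROLE_MATRIX.get(role)
            if allowed is None:
                findings.append(("UNKNOWN_ROLE", email, f"role {role!r} is not in the approved matrix"))
            elif emp["department"] not in allowed:
                findings.append(("ROLE_OUTSIDE_DEPARTMENT", email,
                                 f"{role} is not approved for {emp['department']}"))
        last_login = user.get("last_login")
        if last_login and (today - date.fromisoformat(last_login)).days > inactive_days:
            findings.append(("UNUSED_LICENSE", email, f"no login for more than {inactive_days} days"))
    return findings


def run_review(today=date(2024, 5, 22)):
    """Run the review over the constructed data; the date is fixed so results are reproducible."""
    return review_access(load_roster(HR_ROSTER_CSV), load_saas_users(SAAS_USERS_JSON), today)


if __name__ == "__main__":
    for kind, email, detail in run_review():
        print(f"{kind:24} {email:32} {detail}")
```

On the constructed data this yields four findings: bob (terminated in HR but still active), carol (an accounting user holding the finance-only projections role), dave (licensed but not logged in for months) and the contractor account with no HR record; alice is clean and the suspended account is ignored. Schedule it per platform and treat each finding as a ticket; the role matrix and the inactivity threshold are the parts you tune to each SaaS.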
What measures should be taken to protect against data breaches in a SaaS environment?
-Ensure that SaaS data is encrypted and that the platform's security measures are strong enough for the data entrusted to it, and understand the provider's breach notification policies and its liability to your organization should a breach occur.
What is the role of a Cloud Access Security Broker (CASB) in a SaaS security strategy?
-A CASB provides a security approach across cloud workflows, controlling data moving through cloud environments and identifying shadow IT (unsanctioned SaaS and other cloud services); advanced CASBs can also play a role in data governance for SaaS. Because very few organizations run a CASB today, security strategies for the SaaS applications already in use cannot wait for one.
What is the speaker's suggestion for viewers interested in securing their organization further?
-The speaker suggests that viewers interested in securing their organization further should reach out to him for more information, with his contact information provided in the video description.
Outlines
đ Understanding SaaS Security Responsibilities
The first paragraph introduces the growing trend of Software as a Service (SaaS) and its advantages, such as subscription-based licensing, simplified deployment, and automatic updates. It emphasizes that while SaaS providers secure the application, customers must also ensure the security of their data. The speaker, Steve Murphy, outlines six security best practices for SaaS applications, starting with access management and the importance of role-based controls. He also mentions the need for customers to conduct due diligence on their SaaS providers to ensure their security measures meet the required standards.
đ Key Considerations for SaaS Security and Data Compliance
The second paragraph delves into the complexities of data retention, regulatory compliance, and the importance of data sovereignty, especially within the European Union. It discusses the challenges of configuring numerous SaaS platforms correctly and the risk of mismanagement. The paragraph also addresses the potential for data breaches in SaaS systems and the necessity of encryption and strong security measures. It concludes by discussing the role of Cloud Access Security Brokers (CASBs) in SaaS security strategies, noting their current limited adoption and suggesting that immediate security strategies are needed for existing SaaS applications.
Keywords
SaaS
Security
Access Management
Backup and Business Continuity
Retention
Regulatory Compliance
Misconfigurations
Data Breaches
Cloud Access Security Broker (CASB)
Data Sovereignty
Shadow IT
Highlights
SaaS services are increasingly popular for their convenience and the shift of software vendors to cloud-based applications.
Security in SaaS is a shared responsibility, not solely the provider's, and requires a clear understanding of responsibilities.
SaaS offers advantages like subscription-based licensing, simplified deployment, and automatic updates.
Customers must conduct due diligence on SaaS providers to ensure their security measures meet or exceed requirements.
Six security best practices for SaaS applications are outlined for better data protection.
Access management is crucial, with a need for role-based controls and granular permissions within SaaS platforms.
Backup and business continuity plans are essential, as SaaS platforms may not provide access to their backups.
Data retention policies must be clear, as SaaS platforms may not retain data indefinitely.
Regulatory compliance and data sovereignty are significant, especially with data location requirements.
Misconfigurations are a common risk with multiple SaaS platforms, requiring careful management and review.
Data breaches are a reality, and SaaS platforms must have strong security measures and encryption.
Understanding notification policies and provider liability in the event of a breach is important.
Most SaaS platforms have robust security capabilities due to scale and brand protection needs.
Cloud Access Security Brokers (CASBs) can play a role in SaaS security, especially for data governance.
CASBs are more useful for controlling data in cloud environments and identifying unauthorized cloud services.
The adoption of CASBs is currently low, requiring immediate security strategies for existing SaaS applications.
The speaker offers to help explore more ways to secure organizations and provides contact information.
A call to action for likes, subscriptions, and future video engagement is presented.
Transcripts
SaaS services are a great convenience to most organizations. More and more software vendors are putting their applications in the cloud and converting them into SaaS services. At first glance this might seem as though security is the responsibility of the SaaS provider; however, SaaS is more complicated than that, so let's unpack what you need to know and where you're responsible for SaaS security. We're going to have a bonus section at the end to discuss one of the frequent questions we get from clients around SaaS security.

Hi, I'm Steve Murphy. I'm a vice president at ARG, and while I work for ARG, this video is my own and does not represent the views or opinions of my employer.

Software as a service, abbreviated SaaS and pronounced "sass," is now the dominant go-to-market strategy for software providers today. There are lots of advantages to being a SaaS application, which is delivered over the public internet and usually accessed via a traditional web browser. Some of those advantages include subscription-based licensing, where users buy a certain number of licenses for their users. This is attractive because it creates a consistent revenue stream for the application provider and a stable cost structure for the customer. Deployment is much simpler for the customer, and upgrades and patches are deployed directly by the application developer to the cloud platform, so everyone's always on the same version.

From a customer perspective, your use of the application and the data that you load into it is generally secured by the SaaS provider. You want to conduct some significant due diligence on your SaaS provider to ensure their security posture and procedures are sufficient and at least match your requirements, if not exceed them. So having someone else responsible for the security of your data does not absolve you or your organization from doing its part to ensure your data is kept safe.

Let's break down the six security best practices for SaaS applications.

First is access management. If you're putting sensitive information in a SaaS platform, only those allowed to interact with that sensitive data should have access to the platform. Makes sense, right? Well, segregating employees based upon the applications they need to access is a fairly standard process, but within the SaaS application itself, segregating information can become more difficult. One of the challenges with SaaS is establishing a finite access control. It might be difficult, for example, to keep your accounting staff from accessing financial projections if both accounting and finance are using the same financial management system. Make sure your SaaS platform has role-based access controls and you understand how granular those controls are. We're looking for more than just the admin user and information access type of roles; we'd like to see workflow segregations, if that's important to your organization and the system under consideration.

Next is backup and business continuity. What happens if your SaaS platform fails? The notable big-name SaaS platforms have had their outages. Typically these are short-lived, and customers just have to keep making do, keeping alternate records until the service is restored. But many organizations are using smaller SaaS platforms for specialized services. Do these smaller platforms have the same resources to address an outage as a Microsoft or salesforce.com? When using a SaaS platform, the platform may make a backup of your data, but you may not have access to that backup. Most SaaS platforms require you to maintain backups of your own data, so be sure you understand the policies and capabilities for redundancy and restoration, as well as recovery, behind the SaaS platform you're working with.

Retention is the next topic. If you're storing time-sensitive data in a SaaS platform, and that data needs to be retained for more than a short while, most platforms will require you to remove your data, or move your data, export your data, into your own retention facility. Data in SaaS platforms does not survive perpetually, though it can if you negotiate that capability with the provider. If you're backing up the data in accordance with your business continuity strategy, you can focus less on the SaaS platform for your data retention, as long as your workflows do not require extensive historical data access.

So, fourth is growing bigger and more important every day: regulatory compliance. Data sovereignty in particular is a hot topic I see right now. Where is the data physically located? Several countries require that data created in that country stay within that country, or the economic union's states in the case of the EU. Even the EU is becoming less clear. I've seen some client legal departments require data created in an EU member state be stored in that same member state. This is creating some challenging data storage strategies, to be sure. By the way, we represent all the major data centers around the world, so if you need a facility in a particular jurisdiction, just let me know; my contact information is in the description of the video.

So, are you subject to a regulatory framework, and is the data you'll be storing in the SaaS platform subject to those regulations? Well, then you'll want to make sure you understand how you will maintain compliance while using a particular SaaS provider. Another consideration, and maybe an advantage, is: can the SaaS platform, because it meets your compliance requirements, help you gain a compliance status? Using a SaaS might be easier to satisfy your regulatory obligations than building your own compliant environment.

Okay, number five, that's misconfigurations. Large companies use over 50 SaaS platforms, maybe even well over 100. Small organizations typically have at least 10. Chances are your IT team does not have expertise in all of the SaaS platforms you guys are using. The opportunity for misconfiguration or mismanagement of subscribers, either providing subscriptions to people who don't need access or failing to suspend access of separated employees, is very high. Each SaaS platform has its own security settings. They're generally pretty straightforward and somewhat limited, so it's easy for the person responsible for configuring the security on the SaaS to get overconfident and just take a cursory approach to the settings. Terminology in the security configuration portals may not comply with standard industry definitions, so you have to take great care to ensure that the configurations are accurate, and they need to be reviewed periodically.

Now, the last one is data breaches. So our SaaS system will be subject to attack, just as any other system will be. In fact, the major SaaS platforms are significant targets for the bad guys, not only for the ability to hold the data of the SaaS for ransom to the SaaS provider, but for all the SaaS customer information that can then either be sold or ransomed back to the customers directly. Ensure that your SaaS data is encrypted and that the SaaS platform has sufficiently strong security measures for the data you're trusting within it. Understand the notification policies around a breach, should one occur, and what liability the SaaS provider has to your organization.

So leveraging a SaaS can be secure and a sound strategy. In fact, most SaaS platforms have stronger security capabilities than a typical business, simply due to their larger scale and scope, as well as needing to protect their brand, which would be damaged should an event occur. You do need to take additional steps, though, to complete your security position.

Okay, so that's SaaS and six steps to help you manage your security posture. I promised a bit of a bonus at the end of this video. So a natural question that we get when discussing SaaS security is: how does a cloud access security broker, or CASB, enter into my SaaS security strategy? It's a good question and requires some careful consideration. So CASBs provide a great security approach for all cloud workflows, whether they're SaaS or other cloud services. However, CASBs are more useful for controlling data moving through the cloud environments and identifying shadow IT, or unsanctioned SaaS and other cloud services. Advanced CASBs can play a role in data governance for the SaaS as well. The reality, though, is that very few organizations have CASBs today, so while they might play a role in SaaS security at some point in the future, we need security strategies that work now for the SaaS applications that we're using now.

So if you want to explore more ways to secure your organization, feel free to reach out to me; my contact information is in the description of this video. If you got some value out of this video, I'd appreciate a like, a thumbs up, and thank you very much for doing that in advance. I appreciate it. If you'd like to come back to this channel in the future, the best way of doing that is to hit the Subscribe button. Thanks very much for watching, and I hope you have a great day.