Software development companies should consider following security factors in SaaS development and deployment:
- Security of the data
- Segregation of data
- Security in the network
- SaaS deployment model
Security of the Data
In the good old days of on-premise application deployment model, the critical data of each enterprise was placed within the enterprise boundary and was in context to its physical, technical and personnel security and--access control policies suggested by software companies. But, in the SaaS model, the organization’s data is stored outside the enterprise edge, at the SaaS vendor end. Consequently, the SaaS vendor must adopt added security checks to ensure security of the data and prevent breaches due to security weaknesses in the application or through vindictive employees. This involves the use of strong encryption techniques for data security and a granular authorization to control access to data.
In Amazon alike cloud vendors,administrators are unable to access the customer instances and can’t log into the Guest OS. To gain access to a host the administrators who have a business need are compelled to use their own strong cryptographic SSH keys. Logging and routine auditing of such accesses is carried out. While the data at rest in storage service offered by vendor is not encrypted by default, the encryption of data is done by users before uploading it to Amazon, so that it isn’t accessed or tampered by any illicit party.
Segregation of data
Security checks need to be implemented to ensure data security and prevent unauthorized access to data of one tenant by users of other tenants. This involves hardening the data store and applicationso as to segregate the data.
If the SaaS application is deployed at a third party cloud service provider, added safeguards need to be adopted so that application tenant’s data is inaccessible to other applications.
Security in the network
According to software development companies, in a SaaS deployment model, critical data is obtained from the organizations, processed by the SaaS application and stored at the SaaS service provider end. Security of all the data that flows over the network is mandatory in order to prevent sensitive information from leaking. This involves the use of strong network traffic encryption techniques such as SSL and TLS for security.
In case of AWS, the protection against MITM attacks, IP spoofing, port scanning, packet sniffing, etc. is provided by the network layer. With the help of SSL encrypted endpoints, Amazon S3 is accessed, for maximum security. To ensure that data is transferred securely within AWS as well as to and from sources outside of AWS, encrypted endpoints are accessible from both the Internet and from within Amazon EC2.
The SaaS apps of the service providers need to ensure that organizational clients are provided with service round the clock. This involves making changes in the architecture at the application and infrastructural levels to add scalability and high availability. Adoption of a multi-tier architecture should be done, supported by a load-balanced farm of application instances, running on large number of servers. Resistance to failures in hardware and software, as well as to DOS attacks, needs to be built starting from the bottom and up within the application.
At the same time, BCP and DRP needs to be considered for any unintended emergencies. This is essential to ensure the safety of the client data and marginal downtime for enterprises.
The SaaS vendor needs to ensure that all critical data of the client organization such as a software development companyis regularly backed up to facilitate quick recovery and restoration in case of disasters. To prevent the sensitive information from accidental leakage, backed up data is protected using strong encryption techniques.
In the case of cloud vendors such as Amazon, the stored data in S3 is not encrypted by default. The users need to separately encrypt their data and backup it, so that it cannot be accessed or altered with by illicit parties.
SaaS Deployment Model
Deployment model used by the vendor is the major differential factor in the types of SaaS security challenges faced by the organization. SaaS service providers may choose either between deploying the solution themselves or doing it using a public cloud provider. Amazon is a dedicated public cloud provider that helps to build secure SaaS solutions by providing infrastructure services that helps in ensuring perimeter and environment security. This involves the use of firewalls, intrusion detection systems, etc. whereas if it’s a self-hosted SaaS deployment, it requires the vendor to build these services and assess them for security weaknesses.
Software as a Service [SaaS] is quickly emerging as the leading delivery model for meeting the needs of enterprise IT services. But most software development companies are still uncomfortable with the SaaS model due to dearth of visibility about the way their data is stored and secured. Subsequently, addressing organizations’ security concerns has emerged as the biggest challenge for the adoption of SaaS applications