SaaS Security Fears: Is Your Data Exposed To Potential Risk?

Overview

Google, Adobe, Slack, Mailchimp. Many of today’s most successful businesses – on the web, and, actually, overall – are Software as a Service (SaaS). It’s the default software distribution model for the cloud computing age – applications hosted on remote servers and delivered via the internet to users.

They have the advantage of being accessible anywhere with a web connection, usable across multiple devices and easy to update. They also require less local storage space and customers can quickly scale their licenses up or down according to their needs.

Because of this flexibility, scalability and cost-efficiency, IT teams are shifting their applications to the cloud wherever possible. In fact, the 2019 SaaS Trends Report found that spending on SaaS licenses increased by 87% last year, and that companies now spend more on SaaS products than they do on laptops.

But SaaS and cloud computing have one major issue – security. Concerns around security are the number one barrier to cloud adoption. And 92% of C-suite respondents to one survey said they felt customer data stored in the cloud was vulnerable to attack.

SaaS security fears

The research surveyed more than 100 enterprise IT executives worldwide, to identify the leading security challenges they face with their SaaS vendors. Overall, those surveyed said they are troubled by the current level of security and accountability provided by their SaaS vendors. Nearly two-thirds are so concerned that they intend to retire applications that do not provide the level of security control they want.

Further, nearly all executives surveyed stressed the importance of maintaining ownership of their own encryption keys. Yet in third-party SaaS private cloud deployments, the SaaS vendor (not the enterprise) maintains access to and ownership over encryption keys. In fact, only 26 percent of those surveyed stated that they have control of their encryption keys, and 74 percent stated that control is maintained entirely by their SaaS vendors.

This risk is compounded by the fact that many vendors often use the same encryption keys for multiple customers. When companies unlock data for one customer using keys that also protect other customers’ archives, they are exposing other tenants’ data to potential risk.

As one Director of IT at a large U.S.-based manufacturing company commented, “I’ve seen too many strong companies go out of business, and have also audited our vendors and seen great vendors fall out of compliance. Having them in control is just one more additive risk.” Sometimes the right approach is to secure the applications and make sure that they are used responsibly.
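To make the shared-key risk described above concrete, the following added example (not code from the survey or from any vendor) uses Node.js's built-in `crypto` module to compare one vendor-wide key with per-tenant keys wrapped around per-archive data keys. The tenant names, keys and archive contents are constructed, and it assumes each per-tenant key would in practice be held in a customer-controlled key store rather than in process memory.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM with the tenant ID bound as additional authenticated data (AAD).
function seal(key, tenantId, data) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(tenantId));
  const ct = Buffer.concat([c.update(data), c.final()]);
  return { tenantId, iv, ct, tag: c.getAuthTag() };
}

// Returns the plaintext Buffer, or null if the key does not authenticate the record.
function open(key, rec) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
    d.setAAD(Buffer.from(rec.tenantId));
    d.setAuthTag(rec.tag);
    return Buffer.concat([d.update(rec.ct), d.final()]);
  } catch {
    return null;
  }
}

// Envelope encryption: a fresh data key per archive, wrapped under the tenant's own key.
function sealEnvelope(tenantKey, tenantId, data) {
  const dataKey = crypto.randomBytes(32);
  return { wrappedKey: seal(tenantKey, tenantId, dataKey), body: seal(dataKey, tenantId, data) };
}

function openEnvelope(tenantKey, env) {
  const dataKey = open(tenantKey, env.wrappedKey);
  return dataKey ? open(dataKey, env.body) : null;
}

// Constructed sample data: two tenants, one vendor-wide key, and one key per tenant.
const vendorKey = crypto.randomBytes(32);
const tenantKeys = { acme: crypto.randomBytes(32), globex: crypto.randomBytes(32) };

// Shared-key model: the key loaded to serve acme also opens globex's archive.
const sharedGlobex = seal(vendorKey, 'globex', Buffer.from('globex payroll'));
const sharedResult = open(vendorKey, sharedGlobex);

// Per-tenant model: acme's key cannot unwrap globex's data key.
const isolatedGlobex = sealEnvelope(tenantKeys.globex, 'globex', Buffer.from('globex payroll'));
const crossTenantResult = openEnvelope(tenantKeys.acme, isolatedGlobex);
const ownerResult = openEnvelope(tenantKeys.globex, isolatedGlobex);

console.log({ sharedKeyOpensOtherTenant: sharedResult !== null,
  crossTenantBlocked: crossTenantResult === null, ownerCanRead: ownerResult.toString() });
```

Binding the tenant ID as AAD also means a record relabelled with another tenant's ID fails authentication instead of decrypting.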

Recommendations to improve your SaaS security

It is recommended to adopt the following best practices:

  • Make sure that everyone in your company has and uses a proper password manager like LastPass or 1Password. You may want to consider requiring hardware security keys like the ones from Yubico. Google has had great success in preventing phishing attacks simply by requiring employees to use physical security keys for two-factor authentication.
  • Data in transit must be encrypted end to end. To ensure the highest level of security, all interaction with servers must happen over SSL/TLS.
  • Ensure your vulnerability testing is rigorous and ongoing. Make sure the vulnerability and incident response tools provided by your cloud service vendor are industry-leading ones.
  • You may also benefit from using SaaS management tools like Torii, Basaas, Drag, BetterCloud, etc., especially if you use a large number of software services or have a problem with shadow IT.
  • Torii, a SaaS management platform, can help you discover and evaluate all of the cloud-based applications used within your organization.