How to Secure Your SaaS Application
The Software as a Service (SaaS) model has been gaining in popularity in the business world in recent years as an alternative to on-premises software deployment. Also known as on-demand, hosted or web-based software, the model entails the delivery of cloud-based applications via the internet.
The service provider is responsible for the service’s security, availability and performance, so SaaS is a natural choice for businesses (especially small ones) that want to save on IT infrastructure installation and maintenance, as well as on software license purchases.
Additionally, a SaaS subscription can be adjusted on a monthly basis as a company’s demand for services changes. A 2019 report by Blissfully shows that SaaS spending and adoption have been growing quickly across all company sizes since 2014.
In 2018, the average company spent USD 343,000 on SaaS, a 78% increase year on year. In that same year, the average SaaS subscription cost per employee (USD 2,884) was higher than the cost of a new laptop, and the gap between software and hardware spending is expected to keep widening in the near future.
Serious security concerns
Admittedly, some firms are wary of adopting SaaS applications with security remaining a common concern – after all, the model means that sensitive company data are entrusted to a third-party service provider. Issues such as access management come to the fore.
Indeed, with many companies now offering their main product as a SaaS application, serious costs and other business damage can be incurred in the event of an application being compromised or brought down by hackers.
SaaS applications can be exposed to distributed denial-of-service (DDoS) attacks that cause them to consume cloud resources they do not need and can even take them out of service. Data tampering is another potentially serious issue. Such risks can, of course, be mitigated.
One should consider using a WAF (web application firewall) or other web API protection solutions offered by cloud providers or third parties, said Nir Makmal, a microservices software architect at Toga Networks and a cybersecurity expert.
During his stint at his previous organization, Check Point Software Technologies, Makmal dealt with next-generation AI-based firewall innovations and architected a system aimed at protecting identity and biometric data.
According to him, most businesses are not doing enough with regard to security because they are not (or do not want to be) aware of the risks and costs of an unsecured system. Meanwhile, most SaaS products are publicly available and relatively vulnerable to being tampered with.
Cheap and effective
He likened the situation to those we encounter in our private lives – people are more likely to spend money on a Netflix subscription than on a mobile phone antivirus program just like they are more likely to invest in electric car window features than in additional airbags or other car safety features.
However, in his opinion, in the coming years, security measures will stop being a luxury and more companies will start focusing on security features as the core of the design in the early stages of software development.
Today, they are often added as a plugin when a product is deployed to production. Makmal argued that there are a number of inexpensive yet effective measures that companies (including startups, which usually have limited financial resources at their disposal) can take in order to ensure greater security of a SaaS application.
For example, the root cloud account should not be used on a daily basis; instead, cloud sub-accounts should be created for accessing the cloud console, with each user always given only the privileges they need.
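As an added illustration of the least-privilege point above (example code written for this article, not Makmal's or any cloud provider's own tooling): a small Python check that flags wildcard grants in an IAM-style policy document and compares what a sub-account is actually granted against the actions its job requires. The policy layout and the action names (`storage:GetObject`, `logs:PutLogEvents`) are constructed for the example and do not follow any specific provider's schema.

```python
import json

# Constructed sample policies. The {"Statement": [{"Effect", "Action", "Resource"}]}
# shape mimics common cloud IAM documents but is a simplified illustration only.
ADMIN_LIKE_POLICY = json.dumps({
    "Statement": [
        # The kind of grant a root/owner account carries: everything, everywhere.
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ]
})

SCOPED_POLICY = json.dumps({
    "Statement": [
        {"Effect": "Allow",
         "Action": ["storage:GetObject", "storage:PutObject"],
         "Resource": "bucket:app-uploads/*"},
        {"Effect": "Allow",
         "Action": ["logs:PutLogEvents"],
         "Resource": "loggroup:app/*"},
    ]
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_grants(policy_json):
    """Return (statement index, reason) pairs for Allow statements that grant
    wildcard actions or wildcard resources, i.e. privileges a daily-use
    sub-account should never carry."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" for a in actions):
            findings.append((idx, "wildcard action grants every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((idx, "service-wide wildcard action"))
        if any(r == "*" for r in resources):
            findings.append((idx, "wildcard resource grants access to every resource"))
    return findings


def is_least_privilege(policy_json, required_actions):
    """True when the policy has no wildcard grants and every granted action is
    within the declared set of actions the account needs for its job."""
    if find_overbroad_grants(policy_json):
        return False
    policy = json.loads(policy_json)
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action", [])))
    return granted <= set(required_actions)


if __name__ == "__main__":
    needed = ["storage:GetObject", "storage:PutObject", "logs:PutLogEvents"]
    print("admin-like policy findings:", find_overbroad_grants(ADMIN_LIKE_POLICY))
    print("scoped policy is least-privilege:", is_least_privilege(SCOPED_POLICY, needed))
```

In practice a check like this runs in CI against the policy files attached to each sub-account, so that a wildcard grant is caught before it reaches the cloud console rather than discovered after a credential leak.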
When possible, multi-factor authentication should be used. Any default passwords for modules or services installed in the SaaS infrastructure should be changed. Personally identifiable information needs to be handled in compliance with privacy regulations. It is also important that a SaaS system supports full multi-tenancy isolation so that different customers cannot access each other's restricted private data. “Most security breaches are related to misconfiguration or misusing IT software,” Makmal claimed.
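The multi-tenancy isolation requirement above is easiest to see in the data access layer. The following Python example, written for this article and not taken from any product Makmal describes, puts two tenants' records in one shared SQLite table (a constructed sample) and contrasts a lookup that filters only by record id, which lets one customer read another's data, with a repository that binds the caller's tenant id once and applies it to every query.

```python
import sqlite3


def build_sample_db():
    """Constructed sample: one shared invoices table holding two tenants' rows,
    the usual layout of a multi-tenant SaaS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, amount INTEGER)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [
        (1, "tenant-a", 100),
        (2, "tenant-a", 250),
        (3, "tenant-b", 999),
    ])
    conn.commit()
    return conn


def get_invoice_unsafe(conn, invoice_id):
    """Looks up by id only. Any authenticated user of tenant A who supplies
    tenant B's invoice id receives tenant B's row: the classic cross-tenant
    data leak that multi-tenancy isolation is meant to prevent."""
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


def get_invoice_scoped(conn, tenant_id, invoice_id):
    """Every query carries the caller's tenant_id, taken from the authenticated
    session rather than from the request, so a foreign id returns nothing."""
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, tenant_id),
    ).fetchone()


class TenantRepository:
    """Binds tenant_id once at construction so that no call site can forget
    the tenant filter; application code only ever sees this wrapper."""

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant_id = tenant_id

    def get_invoice(self, invoice_id):
        return get_invoice_scoped(self._conn, self._tenant_id, invoice_id)

    def list_invoices(self):
        return self._conn.execute(
            "SELECT id, tenant_id, amount FROM invoices "
            "WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        ).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    # Tenant A's session asking for invoice 3, which belongs to tenant B.
    print("unscoped lookup leaks:", get_invoice_unsafe(db, 3))
    repo_a = TenantRepository(db, "tenant-a")
    print("scoped lookup returns:", repo_a.get_invoice(3))
    print("tenant A sees only:", repo_a.list_invoices())
```

The same idea carries over to stronger isolation levels (a schema or database per tenant, or row-level security policies enforced by the database itself); the repository wrapper is the cheapest step, and the test to keep in the suite is the one where a valid session requests another tenant's id and gets nothing back.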
Prabalta is a founder, author, journalist, technophile, technical writer and blogger with over 15 years of experience in the media industry. She has also worked as a content development and PR expert at various media relations agencies that help brands generate leads and enhance their reputation.