Often overlooked as a key component when selecting a Software-as-a-Service (SaaS) vendor, **SaaS security** should remain near the top of your list of considerations. Securing your organization’s data and reputation becomes a primary concern when multiple users work with the same instance of an application in a tenant implementation, possibly on servers leased to your SaaS vendor by a third party.
SaaS security demands secure transfer of data between an organization and the application provider. It requires not only authentication, but also authorization of users. Not all users of an application in an organization need the same privileges.
With the increased use of mobile devices, providing adequate SaaS security might require varying authorization by device. For instance, it makes sense to authorize a greater range of services when the application is accessed from the office, and fewer when it is accessed from a laptop, which could easily be lost or stolen.
Best practices for SaaS security call for authentication and authorization information to reside in different databases on different servers. That way, when an authenticated user requests access to certain features of an application, an encrypted authorization key must be sent from a separate server to the application before access is granted.
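The device-aware authorization from the previous paragraph and the split between authentication and authorization described here, sketched as an added Python example (not code from the original article). Two dictionaries stand in for the two separate stores; the authorization decision is signed with an HMAC shared only between the authorization server and the application, used here in place of the article's encrypted key; all names, keys and sample records are constructed for the illustration.

```python
import hashlib
import hmac
import json

# Constructed: authentication store (credentials only) and authorization
# store (roles) are separate, standing in for two databases on two servers.
_SALT = b"demo-salt"
AUTHN_DB = {"alice": hashlib.pbkdf2_hmac("sha256", b"s3cret-demo", _SALT, 100_000)}
AUTHZ_DB = {"alice": {"role": "analyst"}}
ROLE_SCOPES = {"analyst": {"read", "export", "admin_reports"}}
# Scope ceiling per device class: an easily lost laptop or phone gets less.
DEVICE_LIMITS = {
    "office": {"read", "export", "admin_reports"},
    "laptop": {"read", "export"},
    "mobile": {"read"},
}
# Constructed shared secret held by the authorization server and the application.
AUTHZ_KEY = b"demo-authorization-server-key"


def authenticate(user, password):
    """Authentication server: verify credentials, decide nothing about access."""
    stored = AUTHN_DB.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate)


def issue_authorization(user, device):
    """Authorization server: effective scopes = role scopes AND device ceiling, signed."""
    role = AUTHZ_DB.get(user, {}).get("role")
    scopes = ROLE_SCOPES.get(role, set()) & DEVICE_LIMITS.get(device, set())
    payload = json.dumps({"user": user, "device": device, "scopes": sorted(scopes)}, sort_keys=True)
    tag = hmac.new(AUTHZ_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload, tag


def application_allows(feature, payload, tag):
    """Application: trust the scope list only if the authz server's signature checks out."""
    expected = hmac.new(AUTHZ_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    return feature in json.loads(payload)["scopes"]


def request_feature(user, password, device, feature):
    """Full flow: authenticate, obtain a signed authorization, then ask the application."""
    if not authenticate(user, password):
        return False
    payload, tag = issue_authorization(user, device)
    return application_allows(feature, payload, tag)
```

The same user is granted `admin_reports` from the office but not from a laptop, and a tampered scope list fails the signature check before the application ever reads it.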
It is common for SaaS companies to place multiple users on a shared database or a single server. The ability to encrypt your data on the server increases the level of security. Rather than risk data bleeding over or getting combined with that of another organization, your data should be uniquely encrypted. Even if someone gains unauthorized access – deliberately or through a malfunction – your data remains unreadable.
The SaaS software should also provide a means to monitor usage for the purpose of looking for unusual patterns that indicate attempts at unauthorized access. There are also predictable patterns that indicate attempts at hacking. If the software detects prohibited activity, it takes action to minimize damage.
Of course, SaaS security also demands securing the physical location of your data. It is easy to forget in the cyber world that data must actually reside in a physical location. Do you know where that location is, and how secure it is against disaster? Is your data vulnerable to an East Coast hurricane or a Midwest tornado? How easy would it be for someone to gain physical access to the servers and do damage?
The key to SaaS security is to keep from having a single make-or-break point for authentication and authorization. A layered approach, providing several decision points while monitoring the behavior of users, provides the best security for your data and your organization’s reputation.