SaaS: Security, Challenges, Solutions
Software-as-a-Service (SaaS) is a cloud service model where the vendor runs a software application in the cloud, and customers are given access only to that application (not to the operating system, or even the platform, middleware, or programming environment used to develop the application). However, some applications may offer their own programming interfaces to customers.
A SaaS application is often hosted on an IaaS offering from a different service provider, most commonly the Amazon Cloud.
Sometimes a software business model based on annual (or monthly) license fees is also called SaaS. However, we distinguish that as a separate topic and use SaaS to strictly refer to software offered from the cloud.
SaaS raises new security concerns related to vendor security practices, identity and access management, backups, and business continuity.
Infrastructure Risks Hidden but Still There
The SaaS model hides traditional security risks relating to physical access, operating systems, storage, and applications from the customer. However, the risks have not disappeared; they simply get ignored because they are no longer under the control of the customer. Moreover, most cloud service providers offer no guarantees of their security practices, at least not to smaller customers.
Identity and Access Management Integration
The integration of access control to the enterprise's identity and access management (IAM) practices typically remains a task performed by the customer. It is important to ensure that access to cloud services is properly provisioned and terminated when people change roles or leave the organization.
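One way to catch the provisioning and termination gaps described above, as an added example that is not part of the original article: reconcile a SaaS application's user export against the enterprise IAM directory and report leavers who still have enabled accounts, role changes the application has not picked up, and people who were never provisioned. The entitlement table, the export formats, and the sample users are constructed assumptions.

```python
# Added example: reconcile a SaaS application's user export against the
# enterprise IAM directory, so that leavers, role changes and missing
# provisioning show up as findings. All data and names are constructed.

# Hypothetical entitlement policy: enterprise role -> role in the SaaS app.
ENTITLEMENTS = {"finance": "editor", "sales": "viewer", "it-admin": "admin"}

def reconcile(directory, accounts):
    """directory: {email: (role, active)} from the IAM/HR system.
    accounts:  {email: (app_role, enabled)} exported from the SaaS app.
    Returns sorted (finding, email) tuples."""
    directory = {e.lower(): v for e, v in directory.items()}
    accounts = {e.lower(): v for e, v in accounts.items()}  # emails are case-insensitive
    findings = []
    for email, (app_role, enabled) in accounts.items():
        if not enabled:
            continue  # disabled accounts are not a risk here
        if email not in directory or not directory[email][1]:
            findings.append(("orphaned-account", email))  # leaver or unknown user
            continue
        expected = ENTITLEMENTS.get(directory[email][0])
        if expected is None:
            findings.append(("no-longer-entitled", email))  # role change removed access
        elif app_role != expected:
            findings.append(("role-mismatch", email))  # e.g. still editor after moving to sales
    for email, (role, active) in directory.items():
        if active and role in ENTITLEMENTS and email not in accounts:
            findings.append(("missing-provisioning", email))
    return sorted(findings)

# Constructed sample exports.
DIRECTORY = {
    "alice@example.com": ("finance", True),
    "bob@example.com": ("sales", False),     # offboarded by HR
    "carol@example.com": ("sales", True),    # moved from finance to sales
    "dave@example.com": ("it-admin", True),  # never provisioned in the app
    "erin@example.com": ("legal", True),     # role with no entitlement
}
ACCOUNTS = {
    "alice@example.com": ("editor", True),
    "Bob@example.com": ("viewer", True),     # still enabled after leaving
    "carol@example.com": ("editor", True),   # old role not updated
    "erin@example.com": ("viewer", True),
    "mallory@example.com": ("admin", True),  # unknown to the directory
}

if __name__ == "__main__":
    for finding, email in reconcile(DIRECTORY, ACCOUNTS):
        print(f"{finding}: {email}")
```

Run on a schedule against real exports, the findings feed the deprovisioning workflow; the check is only as good as the directory's own accuracy about who has left or changed roles.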
Data Encryption
Some applications support encrypting the stored data using keys held by the customer. Others encrypt the customer's data using keys held by the service provider. Most applications do not perform or document any data encryption.
Backups and Business Continuity
Taking backups of the data stored in the application to a different cloud service or to the customer's premises may be essential for continuity in the event that the service provider suddenly ceases to exist.
Cloud Access Security Brokers
Cloud access security brokers are policy enforcement points, on-premise or in the cloud, that may perform integration between the organization's IAM and encryption solutions and the applications in the cloud.