SaaS Meets Security: Protecting Business Data in the Cloud
In the last decade, businesses have become increasingly reliant on IT and computing innovations for success. As such, protecting intellectual property, client and employee records, and other private or critical data stored within information systems is a challenge. Traditionally, applications used by companies to store and access these types of data were hosted on site. Recently, however, enterprises have migrated workloads from traditional on-premise infrastructures to cloud environments.
Many organizations, particularly small and medium-sized businesses, start with Software as a Service (SaaS), applications that are hosted by third-party vendors and accessed via the Internet — typically, through a web browser. The advantages of SaaS over internally hosted systems include reduced licensing, maintenance, system and training costs, and the ability to access the application anywhere, anytime, and from any computer or device. Despite these advantages, concerns about security and a lack of visibility into where — and how — the data is stored cause some businesses to approach the cloud with trepidation.
A move to the cloud may be the right decision for your business, but it's not something that should be undertaken lightly. As you determine which workloads to migrate, consider such aspects of the data as sensitivity and criticality to business operations. In addition, make sure that your vendor provides adequate security controls, including policies, procedures and protection measures in the following areas. In SaaS deployments, the vendor maintains control over security at the infrastructure, platform and application layers, but it's your responsibility to ensure that your data is safe and compliance requirements are met.
Data Security. When data storage is maintained by the business, the information is kept within company boundaries, and is subject to the company's physical and system access control policies. Ensure that SaaS vendors have strong access controls, policies and procedures, as well as additional security meaures — encryption and authorization with logged access, for instance — designed to prevent data breaches.
Network Security. Data being transferred to and from the SaaS vendor for storage must be secured and encrypted through cryptographic protocols, such as Transport Layer Security (TLS) and Secure Socket Layer (SSL).
Regulatory Compliance. If compliance is a concern, request audit reports that demonstrate that the vendor's safeguards meet regulatory and industry standards for the protection of personal or sensitive data. The Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standards (PCI DSS) specifically deal with storing, transmitting and accessing sensitive information.
Data Segregation. In multi-tenant environments, where a third-party vendors houses information from multiple unrelated companies, setting Identity and Access Management (IAM) permissions at the bucket and object levels can prevent one client from accessing data belonging to another.