There is - for many good reasons - much talk about cybersecurity and if you are not an expert (which I am certainly not - but I have skilled people helping me with this) it can be difficult to navigate the jungle of technical terms and assess the vulnerabilities and level of risk in what is a multi-billion ($) industry.
In our company information security is something we take extremely serious since our product and only distribution channel is online, which is why protecting our customers' data is embedded in everything we do - the life of our company depends on it.
Without getting too deep into technical jargon the protection of data in Software as a Service is primarily centred around three entities and the connections between them; 1) the hosting environment, 2) the vendor's internal set-up and 3) the end-users’ IT-environment.
If your SaaS-vendor is using one of the top two or three hosting partners you are sure they adhere to the most rigorous security requirements on hosting but you should also explore if:
APIs and connections are encrypted (AES 256)
all databases are encrypted and decrypted in real time
how often backups are done
a redundant set-up/offsite replica (a secondary mirroring of the data, which can take over if the first goes down) is in place, which is not given unless your vendor specifically has chosen that solution (and pays for it)
the vendor’s own access to the production database is limited i.e. to on-premise IP-numbers to ensure that access to the most vulnerable point is restricted and that both the digital and physical access to computers are managed carefully.
One element that is out of the vendor’s control is the customer’s behaviour and systems. The UK Government provides us with good advice on 5 actionable cybersecurity controls provided by The National Cyber Security Centre.
The two-factor authentication mentioned in advice number 2 is an effective way to close a gap where the vulnerability of the user potentially can have big (read: extreme) impact. You probably know it from payment systems where you have to receive a code on your mobile device before being able to complete a transfer.
At Human Risks, we have implemented two-factor authentication free of charge for our customers to use so that we are as certain as we possibly can be that it is the right person with the right authorisation to log in to our platform. With two-factor authentication, we have reduced the risk of negligent password behaviour being exploited substantially and closed a potential vulnerability on our customers’ side.
Any important points about the vulnerabilities of SaaS and how to mitigate them I have left out? If so - don't hesitate to comment.
If you are interested you can download our IT Security White Paper here...