Attention SaaS providers: The keys to securing your SaaS environment

Software-as-a-Service (SaaS) applications are all around us: you may start your day by checking your email, hopping on Facebook and LinkedIn for quick updates on everyone’s activities, or scan Twitter for new updates. SaaS, SaaS and more SaaS. By the time you finish your morning routine and get to work, you’ve darting around from SaaS app to SaaS app without giving it a second thought.

Behind the scenes of all these apps are armies of developers, network administrators and IT experts ensuring these services are available to us, all day, everyday. We take it for granted that our favourite social, game, news and travel-booking apps will be there when we want them. But what if they weren’t?

What if, unbeknownst to us, our favourite app was taken down by a cyberattack? What if while we were waiting for our favourite game to load, or a travel app to find us the cheapest flight to Paris, behind the scenes a successful SQL injection or Cross-Site scripting attack had given an attacker access to our data? As consumers, we would initially assume that there was a problem with our own Wi-Fi; we would close the app or webpage and move on to something else. But, somewhere far away, the SaaS provider would be at Defcon 1, trying to stop a fast-moving attack before it brought business to a screeching halt.

Availability is everything for SaaS

While every business is susceptible to the negative impacts of a successful attack, SaaS providers may have the most to lose if an attacker breaches their walls and pillages their environment. For the SaaS provider, availability is everything. For B2C apps, if the consumer is unable to access your app there is a good chance they may not return. For B2B users, having a critical app unavailable could mean that businesses can’t conduct business. If that happens, you as the SaaS provider might find yourself on the wrong end of a cancellation notice. There are many reasons your SaaS app may experience availability issues, but the most damaging — and potentially hardest to uncover — is availability issues due to a successful cyberattack.

As the provider of a SaaS app, you need to do all that you can to make sure you are prepared. You have to plan for the worst (and hoping that the worst doesn't happen does not constitute a plan). To that end, every SaaS provider, no matter the size, must have a rock-solid security framework.

Here are four security framework tips that SaaS providers need to hold near and dear to their heart:

1. Security is a shared responsibility

You selected your cloud hosting provider for any number of reasons. Maybe you preferred one management console to the other, or you negotiated favourable usage rates. Regardless, it is important for you to understand that securing your SaaS applications is your responsibility. Your cloud provider will ensure the foundation is secure (hypervisor, compute, storage etc.), but anything you run in your cloud environment is your responsibility to protect. You must have a plan to manage access, patching, configurations threat detection, and a host of other security-related tasks. Don't fall prey to the false notion that your cloud provider takes care of your security. They don’t.

2. Take your own advice

You are delivering your offerings to customers via a SaaS deployment model for innovation, speed to market, to manage your costs better and, hopefully, increase the profitability of your offering. When you sell your offering to customers, your value proposition includes the following sentiment: By using your SaaS application, your customers can offload their non-core competency needs to you so they can focus on their business. Now back to you.

Unless you are building security solutions yourself, security likely isn’t your core competency. When it comes to securing your own environments, do yourself a favour and take your own advice. Look for SaaS security solutions to protect your environments. There are a number of choices available, from open source solutions to advanced customisable solutions. And if you can find someone to manage those solutions for you, even better.

3. Feed the beast

The best way to secure your SaaS environment is to take full advantage of the data that it continuously generates — network traffic and log data, application requests, user activity, etc. Locked deep inside this data, hiding amongst largely irrelevant information, there possibly lays the indicators of a compromise. Don't let this data lay dormant. No matter what sort of security solution you ultimately choose, make sure that you are continuously analysing this data, or having someone analyse it for you.

4. Reaching the summit is only half the battle

In mountain climbing, most accidents do not happen on the ascent to the summit; rather, it is the descent where the vast majority of fatalities occur. When climbers are heading toward the summit, they are laser focused on their objective. Each step taken is precise and thoughtful. Standing on the summit after days of climbing, the climbers are overjoyed with what they have accomplished, and they relax. This is when trouble can happen.

The adrenaline that was fueling their climb evaporates and that focus that helped them reach the top of the mountain is long gone. Similarly, the figurative mountain you are climbing is comprised of zeros and ones. Getting your SaaS application to market securely is no small feat, so it is natural for you and your team to celebrate this milestone. However, it is important to remain vigilant on your descent. Ensure that as you grow, you take care when adding resources and users to your cloud environment. Don't let a user that is mistakenly given administrative privileges be the reason you are compromised.

By keeping these four tenets top of mind, you can limit your exposure and risk. Attacks will keep coming, and no security framework will be 100 per cent foolproof; however, with the right approach and diligence you can give yourself a fighting chance to stay ahead of the game and make sure your SaaS app delivers the value your customers demand.

Richard Cassidy at Alert Logic