The recently published Infinite Campus Data Breach provides us a good segue into the topic of data security in the SaaS environment – how it differs from security in general, and what special care should be taken to ensure your data remains secure.
What is SaaS?
Software as a Service (SaaS) is a description for business models introduced by the Cloud, with the three primary names in that category being Google Cloud, AWS, and Microsoft Azure.
In the most simplified terms, SaaS is a cloud-based software delivery model where applications are hosted by a provider and accessed over the internet on a subscription basis. This allows organizations to better scale their global footprint and offload much of the overhead costs onto someone else, making use of their infrastructure.
SaaS and Security
The difficulty arises when you begin thinking about your software provider not only in terms of simple logistics – what can they give you access to and how can this help your business grow – but in terms of security. In order to make use of this software, which is by definition not locally hosted, you need to allow their systems access to yours at least in some capacity.
And here we immediately see where security in the SaaS environment comes into play and how it meaningfully differs from other security concerns: it’s not only your security processes that are suddenly in play, but also those of your partner organizations.
In the case of the aforementioned Infinite Campus breach, the accusation being made is that the data breach was made by leveraging their Salesforce environment rather than getting direct access to internal databases.
The difficulty lies in that if you make use of a SaaS partner’s offer, you open a new potential avenue for data exposure without having any measure of direct control over that avenue. At the same time, SaaS is an integral part of many current business models and cannot simply be thrown away.
What can be done?
The name of the game is isolation and adhering to best practices. Every industry standard from Zero Trust onwards should build towards ensuring that a security failure in one department, data silo or software environment exposes only that portion and nothing more.
Identity and access management is a large part of this – with employees accessing the online system from various locations, it is at once more difficult and more imperative than ever to authenticate them and ensure only those with correct permissions can gain entry.
Beyond this layer, you need two more – a system of monitoring to notify you of out-of-pattern behavior and warning signs, and a data security layer backstopped by an immutable backup. As we’ve said before, the security onion is not infallible and a good disaster recovery and mitigation strategy is a must-have for when, inevitably, something fails.
Your Data in Your hands – With TECH-ARROW
by Matúš Koronthály
Image generated by Canva
