Software-as-a-Service (SaaS) platforms offer a well-established way for companies to reduce their infrastructure costs while accessing the latest and greatest software and hardware solutions. However, even with the success of SaaS, some companies are still reticent about allowing their company data to be placed somewhere in the ‘cloud.’ Many still have concerns that any company data that isn’t physically located on-premise is vulnerable.
The fact is that the cybersecurity measures used to protect data by today’s premium cloud services such as Microsoft Azure, mCloud’s provider of choice, are far more stringent than those of most companies. But with the ever-growing number of cyber attacks, it makes sense for companies to want to take every precaution they can to protect their data.
There are several internal cybersecurity measures companies can take to ensure their data is safe while reaping the benefits of cloud-based solutions. Michael Anaka, director of information technology at mCloud, explains below how best to ensure your company is protected when using a SaaS platform.
1) Data Encryption
Data encryption should be a priority for all SaaS providers and customers. When implemented properly, data should be encrypted while at rest (stored), in transit (both between the customer and the cloud and between cloud applications), and while in use.
By simply inquiring with a SaaS provider if data is encrypted in all 3 stages, you greatly increase the security of your data.
2) Multi-Factor Authentication (MFA)
MFA is now ubiquitous among the top cloud service providers. While no security measure is foolproof, MFA is close to 100% effective in ensuring that the user accessing the application or website is who they say they are. This usually involves a code, texted by the cloud service provider to the user’s mobile phone or supplied through a mobile MFA application, that the user will need to input in addition to their email and password.
3) Single Sign-On (SSO) Integration
With an SSO solution implemented as part of the larger Identity and Access Management framework, employees can access all company-approved SaaS as well as on-prem applications without having to continuously log in. This means secure access to these applications is dependent upon your company’s internal IT department and not upon the application service provider. Security is firmly under the company’s control. If an employee leaves the firm, for instance, the SSO account can be immediately disabled on both cloud-based and on-prem applications.
Security Assertion Markup Language (SAML) is the common authentication standard used for most enterprise SSO to securely transfer user authentication data between the company and the service provider. With this method, users don’t need to remember multiple usernames and passwords, and SaaS providers don’t need to store passwords or address forgotten passwords.
4) Cybersecurity Training
A very important step in ensuring your company is protected, whether on a SaaS or an on-prem application, is having your employees receive regular cybersecurity awareness training. The training should cover everything from passwords to recognizing phishing attempts to URL redirects.
Why training? Because employee awareness and knowledge is always a company’s last line of defense in cybersecurity. Your company can implement the recommendations above while integrating the most sophisticated spam and malware detection software on the market, but if an employee has their password taped to their computer or provides it inadvertently to someone posing as an outside IT or security vendor, then all the security precautions in the world won’t help.
5) Password Complexity
If SSO integration or MFA isn't possible, then a company’s best bet is to enforce a strict password policy that ensures employees are creating complex passwords. While many are familiar with the usual best practices in creating a secure password such as including special characters and capital letters, security specialists now often recommend using nonsensical phrases such as “the fox jumped water pond” that hackers and their software would have a difficult time breaking.
A word of caution regarding fingerprint readers: it’s a common misconception that system access via fingerprint reader is safer than typing in a password. The fact is, however, that most fingerprint readers only mask the need to type in your password. So, the password still must be the best it can be.
By adopting the cybersecurity measures identified above, companies considering a SaaS solution should feel comfortable that they are in charge of protecting their data and don’t have to depend solely upon the security of an outside vendor.