Five questions about cloud security for SaaS vendors


Clearly, software as a service (SaaS) continues to grow and is being accepted by both business and home users. According to a Gartner announcement in July 2011, SaaS revenues reached $10 billion in 2010 and are still growing. In fact, Gartner estimates that they will grow by more than 20% in 2011, to $12.1 billion.

According to Gartner's definition, SaaS is software that "is owned, provided, and managed remotely by one or more vendors." Vendors deliver applications from common program code and data settings, and use a one-to-many model to serve contracted customers at any time. It may be billed by usage or through a variety of other subscription packages. Almost every article or talk on the topic mentions salesforce.com; although it is a major provider in the SaaS space, SaaS comes in many different types. Customer relationship management, human resources management, cloud backup, collaboration platforms, accounting and audit platforms, service and support center management, hosting services, web/email filtering, and so on, abound.

For both vendors and customers, the cost of using SaaS is clearly much more attractive than the cost of running their own software and services. Because of its centralized nature, SaaS vendors can update and manage software and services quickly and easily, and can directly observe customer usage patterns to improve their applications. Its scalability and quantity-based pricing models are attractive to customers and suppliers alike. In addition, it offers more flexible integration capabilities and open interfaces, and many SaaS providers are starting to offer collaboration features or open interfaces (APIs) along the lines of the social media model.

Although SaaS can provide a flexible and cost-effective application environment to replace traditional models, it is not without risk. By moving to a hosted platform rather than keeping systems in-house, the enterprise inevitably gives up a great deal of control over the operating environment. With SaaS in particular, about the only choice you have is whether or not to upload a given piece of data; the rest is outside your control. Yet you still bear the legal and regulatory responsibility for protecting your data.

There are many kinds of risk in the SaaS environment, and most of them are tied to the benefits it provides. As mentioned earlier, your provider learns how you use the service platform through some form of network analysis, and it is able to access all of your data, which can lead to unauthorized access or exposure to internal staff. The centralized nature of the system and the single-configuration model of a multi-tenant environment mean that if a vulnerability affects one customer, other customers are likely to be affected equally. The Epsilon data breach is a recent example, and it also affected many of the Fortune 500 companies that used the same SaaS provider. Vulnerability attacks can span a wide range of areas. Without proper design, development, and configuration, the common protocols and software stacks that most SaaS vendors use, such as HTTP, XML/SOAP, JSON, CSS, and JavaScript, carry ready-made and frequently exploited vulnerabilities. The more flexibility the service platform provides for customization and external integration (an important selling point for SaaS vendors), the more opportunity there is for one customer to introduce a vulnerability and for others to suffer the consequences of an attack. This is the inevitable consequence of a multi-tenant environment.

Five key security questions to ask your SaaS provider:

1 - Penetration testing - How, and how often, are penetration tests carried out across the environment? Is it possible to carry out independent penetration testing of some environments? Without frequent penetration tests, you won't know the full picture of the current security situation.

2 - Data security - How is data encrypted in storage and in transit when you use a SaaS vendor's shared-resource data center? Who can get the encryption keys? Is there a separation of duties that keeps responsibility for the encryption keys apart from responsibility for maintaining the data? Does the supplier provide its SAS 70 report?

3 - Multi-tenancy - Is there an option for single-tenant hosting? You will also want to confirm whether single tenancy covers only the application, or the data storage as well.

4 - Disaster recovery - Are there plans in place for backup and recovery when a catastrophic failure, external intrusion, or data loss occurs? Where is the backed-up data stored (again, it needs to be encrypted), and how will the provider respond effectively?

5 - User authentication - What is the login procedure for the SaaS application? Is multi-factor authentication used? Can it be integrated with the authentication mechanism the customer already uses?

Original source: 5 Security Questions for your SaaS provider

(editor: Heritage)
