Friday 30 October 2009

Security concerns with a SAAS system

SAAS – Software as a Service can be defined as "Software deployed as a hosted service and accessed over the Internet rather than a product deployed at the customer’s premises for each customer."

Today, SAAS applications are expected to take advantage of the benefits of centralization through a single-instance, multi-tenant architecture, and to provide a feature-rich experience competitive with comparable on-premise applications.

Software as a Service (SAAS) is transforming the way traditional ISVs do business as providers of applications to the market. This new deployment and licensing model will fundamentally change the business model of the ISV, impacting many parts of the organisation – marketing, the sales force, presales engineering, deployment, support, finance, and product engineering and maintenance.

All of this sounds good for the ISVs that run this business model. The main challenge is convincing a customer to go for subscription-based software rather than on-premise software.

Customers surely see many business advantages in using a SAAS-based product over an on-premise product, so the reasoning is no longer a business decision; it is more a technical decision. The key technical factor that influences whether a customer goes on-demand and subscription-based or buys on-premise software is security.

Since the data is multi-tenanted in a SAAS environment, the fundamental questions that come to the customer's mind are: How secure is my data, given that it is not in front of me? What is the guarantee that other customers of the same service do not have access to my data?

To be convinced, the customer should ideally be asking the SAAS provider the following questions. Not every question needs a positive answer for the customer to make a decision; that also depends on what type of business application is being offered as SAAS. But "knowing" the answers is a "must" before deciding between the on-demand route and the on-premise route.

Here's a list of questions I think any customer should ask a SAAS vendor before subscribing to their service. The same set of questions can also be used as a checklist by a SAAS vendor.

Data Access Related Questions

  • Is the Database Multi-tenanted?
  • How many people in the entire chain have the Database SA password?
  • Is the data for one customer securely isolated from another customer's data?
  • Do the data-centre engineers have access to the database through SA?
  • Is anyone in the entire chain in a position to access / copy / change / destroy critical data of any customer?
  • In a system where 3rd Party integration is involved, is the Data communication secured and restricted to only the required exchange of information?
  • What information is stored in the Audit log?
  • What arrangements are made for Database backup?
  • What types of data are encrypted and what is the encryption mechanism used to ensure it is safe?

Infrastructure Related Questions

  • What SLA does the SAAS provider have with their data centre?
  • What hardware redundancy arrangements has the vendor made?
  • Does the data centre have a WAN backup, i.e. is the data centre replicated on 2 different continents as a backup?
    • If yes, ask all the Data Access Related Questions again with reference to this second data centre
  • How many people from the SAAS vendor organisation have the network administrator password within the data centre?
  • How many people have shut-down permission on the server?
  • How often do the servers need to be restarted?
  • Does the SAAS vendor align their own SLA with the data centre's SLA?

Internet based Security Threats

  • Is the site hosting the SAAS system SSL enabled?
  • Is the database server on the internet or behind a DMZ?
    • If yes, it is exposed to the internet; why?
  • How is the system protected from SQL injection?
  • If an attacker gets access to the database, is the critical data encrypted?
  • Is the application's user security tightly aligned with the data security?
  • Last but not least, does the SAAS vendor / provider get their system audited by security auditing authorities?
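The tenant-isolation and SQL-injection questions above are two sides of one problem: a single injection flaw in a multi-tenant database can turn one customer's query into a read of every customer's rows. This added example (mine, not from the original post) uses a constructed in-memory SQLite table with two hypothetical tenants to show a lookup that is filtered by tenant yet still leaks across tenants, next to a parameterised version where the tenant filter holds.

```python
import sqlite3

# Constructed sample data: two hypothetical tenants sharing one multi-tenant table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (tenant_id TEXT, invoice_no TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [("acme", "A-1", 100.0), ("acme", "A-2", 250.0), ("globex", "G-1", 999.0)],
    )
    return conn

def search_vulnerable(conn, tenant_id, invoice_no):
    # The tenant filter is present, but the user-supplied invoice number is
    # pasted into the SQL text, so a crafted value can rewrite the WHERE clause
    # and the tenant_id predicate no longer constrains the result.
    sql = ("SELECT tenant_id, invoice_no, amount FROM invoices "
           f"WHERE tenant_id = '{tenant_id}' AND invoice_no = '{invoice_no}'")
    return conn.execute(sql).fetchall()

def search_hardened(conn, tenant_id, invoice_no):
    # Both values are bound as parameters, so the input is only ever data.
    # tenant_id is assumed to come from the authenticated session, never from
    # the request, keeping application-user security aligned with data security.
    sql = ("SELECT tenant_id, invoice_no, amount FROM invoices "
           "WHERE tenant_id = ? AND invoice_no = ?")
    return conn.execute(sql, (tenant_id, invoice_no)).fetchall()

def demo():
    # Returns the set of tenants visible through each version for the same
    # constructed input; a correct multi-tenant filter never shows another tenant.
    conn = build_db()
    crafted = "x' OR '1'='1"  # constructed test input, not a real request
    leaked = {row[0] for row in search_vulnerable(conn, "acme", crafted)}
    kept = {row[0] for row in search_hardened(conn, "acme", crafted)}
    return leaked, kept

if __name__ == "__main__":
    print(demo())
```

A cheap detection check for an existing SAAS code base is to grep for f-strings or string concatenation feeding `execute()`, and to confirm that the tenant identifier in every query is bound from the session rather than taken from a request field.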

Typically all of these (or most of them) are covered in the SLA provided by the SAAS vendor, but to my mind this is something any customer must be aware of before signing up for a SAAS offering.

6 comments:

  1. Nice, simple and straightforward guideline. Is SAAS the subject of all your work now?

  2. Good set of guidelines. But I thought you were the one who provides consultancy on SAAS solutions. How come you changed your boat?

  3. What a great web log. I spend hours on the net reading blogs about tons of various subjects. I have to first of all give praise to whoever created your theme and second of all to you for writing what I can only describe as a fabulous article. I honestly believe there is a skill to writing articles that only very few possess and honestly you got it. The combining of demonstrative and upper-class content is by all odds super rare with the astronomic amount of blogs on the cyberspace.

  4. Hi,

    Excellent blog! Very simple, very clear and stands as a model for any technical blogger to emulate.

    Kudos

    Peter Jose

  6. Your good knowledge and kindness in playing with all the pieces were
    very useful. I don’t know what I would have done if I had not
    encountered such a step like this.


    AWS Training in Bangalore