Seven things your Software as a Service (SaaS) provider should be doing to secure your data in the cloud
Strong security practices must be the number one priority for any cloud solution vendor you choose. Without that commitment, there’s a good chance your data will be at risk.
So how do you know if the SaaS (software as a service) provider you’re using or considering choosing has the right security protocols in place to ensure your valuable information is protected? We’ve compiled a list of the top seven security practices any vendor should be using to ensure they’re meeting their obligations to your security.
1. Penetration Testing
Penetration testing assesses how easy or difficult it is to hack into a system. This method uses what’s known in the industry as a White Hat Hacker. White Hat Hackers are ethical computer hackers or computer security experts specializing in testing methodologies to ensure the security of information systems. Their job is to make sure a malevolent hacker can’t access your data, hijack other user accounts or redirect your users to bogus sites, even if they have an actual username and password.
2. Vulnerability Testing
Sometimes confused with Penetration Testing, Vulnerability Testing is an automated process that regularly scans a server to determine if there are any loopholes in the system. It’s an in-depth evaluation that identifies weaknesses and recommends appropriate mitigation procedures.
3. Single Tenant Hosting Option
While hosting in a multi-tenant environment like the cloud is secure, you may be in an industry - such as banking - where a dedicated server is required or desired for an extra level of security. A reputable SaaS provider should be able to offer an option to have your data hosted on your own separate, dedicated server.
4. Disaster Recovery Process (DRP)
Your organization likely has its own DRP for ensuring the continuation of business and recovery of services and information following either a natural or man-made disaster. Your SaaS provider should have one as well. Ideally they should be duplicating your data every evening and storing it in an off-premise location that is well away from the location of the main data storage facility.
5. Authentication Policies
This process is what your organization uses to ensure that whomever attempts to login to your system is who they say they are. Regardless of how stringent or complex your authentication processes are, your cloud provider should be able to match those processes and provide the same level of security.
6. Back-End Management
Back-end management is a shared responsibility between the vendor and you. There are two aspects to consider:
- Security of the Cloud are the security measures that your cloud service provider implements.
- Security in the Cloud are the measures you implement to safeguard your applications and their data.
To help our own clients understand this concept better, SmartSimple created a page about Security as a Shared Responsibility.
7. Data Security
Your vendor should make sure that all data is encrypted while it is “at rest”, “in motion” and at the “end point”:
- At Rest refers to where the data is stored, meaning the server hard disk.
- At Motion refers to the transfer of data from the server to the client’s browser.
- End Point means data is properly encrypted and cannot be stored on local hard disks or copied to portable storage devices such as USB keys.
Vendor Transparency on System Security
Any reputable cloud vendor should also be completely open and honest with you about the processes they have in place to ensure your data security. For example, at SmartSimple, our security measures include:
- Weekly scans for vulnerabilities weekly through our security partner, NetCraft.
- Reputable third party testing partners scrutinize our systems on an ongoing basis to ensure no one can hack your data.
- All our hard disks are encrypted with AES 256 – the industry standard algorithm.
- Data in motion is encrypted using HTTPS (Hyper Text Transfer Protocol Secure) transfer protocols combined with TLS (Transport Layer Security) ciphers to ensure the highest security when transferring data.
- Our standing as an Amazon Web Services (AWS) Advanced Technology Partner, means our clients inherit the best practices of one of the most secure and widely used data environments.
- Our backups are stored in secondary locations at least 400 km from our main data locations for extra security in the case of natural disasters.
- SmartSimple will meet any security policies required by our clients.
If you’d like more information about how SmartSimple secures your grants management, research management or case management data, feel free to contact us by email or give us a call toll free at 1.866.239.0991.