People often think that everything they do ‘in the cloud’ is protected by that cloud service provider. It’s easy to assume that therefore your information is safe. This isn’t always the case—it depends on what you’ve paid for, and how you’ve set up your cloud services.
Probably, your activity in the cloud is through using applications such as email, Slack, Dropbox, Salesforce or O365. These are, collectively, known as Software as a Service (SaaS).
SaaS applications are easy to set up, and usually offer a free trial. You pay a regular subscription, usually based on the number of people you have accessing that service. The provider allows you to use their application for as long as you continue to pay for access.
That provider is responsible for the security of the application. You are responsible for configuring the applications securely, for secure user access, for the security of the devices they are using to access the application, and for securing your data.
Potential SaaS risks include unauthorised access to your data, resulting in the loss of sensitive information (about your business or about your customers) and reputation damage. This could be caused by, for example:
- hackers obtaining login credentials
- employees accidentally (or deliberately) compromising security and stealing or leaking information
- insecure software components enabling attackers to gain access.
Security and SaaS
If using any SaaS products—and you almost certainly are—you do need to think about security. Before signing up, take a look at the NCSC guidance. Perhaps sign up for any trial period offered by your SaaS provider, and take a good look at the security options while exploring the application. And do read, and apply, the setup and security information that your SaaS provider shares. If you are already using the service, and haven’t thought about security yet, read that security information now.
Things to consider include:
- Only those people who need access to an application should have it.
- Check that you have procedures in place to remove (or add) people as they leave (or join) your organisation, or as they change roles within your organisation.
- Access to the SaaS applications is online, and attempted logins could be anyone from anywhere. This means you should be confident that someone accessing the application is who they claim to be.
- Multi-factor authentication supports this aim, as does the requirement for strong passwords. Make sure that you and your staff have enabled MFA wherever possible, and review your password policy.
- What people can do within the application should be controlled.
- You should minimise the number of admin users, as they typically have wide-ranging permissions within an application.
- And some applications allow you to set different roles for users, so that people in those roles have access to different functions. Not everyone needs to be able to view or edit all the information you are storing, so limit access to only what each individual needs.
You’ll also need to think about the security of the devices your people are using to access the applications—their laptops and mobiles, for instance—and the security of your data. For example, do you have a current backup of the data you are storing in the cloud? Do you know where that data is stored (and does that matter)? Does your provider encrypt that data?
Note that this short list of considerations is for SaaS services. If you are developing, running or managing your own applications (and are paying for use of a platform) or are paying to use infrastructure (servers, storage and network capabilities) then you will have more security responsibilities.
Want more information and help on this? Call on 0113 733 6230.
