Software-as-a-service (SaaS) is an on-demand, cloud-based software delivery model that enables organizations to subscribe to the applications they need without hosting them in house. SaaS is one of several categories of cloud subscription services, alongside platform-as-a-service and infrastructure-as-a-service. SaaS has become increasingly popular because it saves organizations from needing to purchase servers and other infrastructure or maintain an in-house support staff. Instead, the SaaS provider hosts the software and handles its security and maintenance. Some well-known SaaS applications include Microsoft Office 365, Salesforce.com, Cisco Webex, Box, and Adobe Creative Cloud. Most enterprise software vendors also offer cloud versions of their applications, such as Oracle Financials Cloud.
Benefits of software-as-a-service
According to Market Research Future, the global SaaS market is expected to grow 21% annually for the next few years, reaching $117 billion by the end of 2022. This growth in the popularity of software-as-a-service is due to:
- On-demand and scalable resources. Organizations can purchase additional storage, end-user licenses, and features for their applications on an as-needed basis.
- Fast implementation. Organizations can subscribe almost instantly to a SaaS application and provision employees, unlike on-premises applications that require more time.
- Easy upgrades and maintenance. The SaaS provider handles patches and updates, often without the customer being aware of it.
- No infrastructure or staff costs. Organizations avoid paying for in-house hardware and software licenses with perpetual ownership. They also do not need on-site IT staff to maintain and support the application. This enables even small organizations to use enterprise-level applications that would be costly for them to implement.
SaaS providers handle much of the security for a cloud application. The SaaS provider is responsible for securing the platform, network, applications, operating system, and physical infrastructure. However, providers are not responsible for securing customer data or user access to it. Some providers offer a bare minimum of security, while others offer a wide range of SaaS security options.
By 2022, Gartner projects that 95% of cloud security failures will be the customer's fault. To avoid security breaches, customers can implement improved security practices and technologies. Below are SaaS security practices that organizations can adopt to protect data in their SaaS applications.
- Detect rogue services and compromised accounts. The average organization uses 1,935 unique cloud services, yet IT departments believe they use only 30, according to the 2019 McAfee Cloud Adoption and Risk Report. Moreover, nearly 9% of those cloud services were rated as high-risk. Organizations can use tools such as cloud access security brokers (CASBs) to audit their networks for unauthorized cloud services and compromised accounts.
- Apply identity and access management (IAM). A role-based identity and access management solution can ensure that end users do not gain access to more resources than they require for their jobs. IAM solutions use processes and user access policies to determine what files and applications a particular user can access. An organization can apply role-based permissions to data so that end users will see only the data they're authorized to view.
- Encrypt cloud data. Data encryption protects both data at rest (in storage) and data in transit between the end user and the cloud or between cloud applications. Government regulations usually require encryption of sensitive data. Sensitive data includes financial information, healthcare data, and personally identifiable information (PII). While a SaaS vendor may provide some type of encryption, an organization can enhance data security by applying its own encryption, such as by implementing a cloud access security broker (CASB).
- Enforce data loss prevention (DLP). DLP software monitors SaaS applications for sensitive data, inspects outgoing transmissions, and blocks any transmission that would leak sensitive data. DLP software also detects and prevents sensitive data from being downloaded to personal devices and blocks attempts by malware or attackers to access and download data.
- Monitor collaborative sharing of data. Collaboration controls can detect granular permissions on files that are shared with other users, including users outside the organization who access the file through a web link. Employees may inadvertently or intentionally share confidential documents through email, team spaces, and cloud storage sites such as Dropbox.
- Check the provider's security. The Cloud Adoption and Risk Report surveyed respondents on their trust of cloud providers' security. It found that nearly 70% of them trust their providers to secure their data. However, only 8% of cloud services actually meet the data security requirements defined in the CloudTrust Program. Only 1 in 10 providers encrypt data at rest, and just 18% support multifactor authentication. Clearly, not all of that customer trust is deserved. An audit of a SaaS provider can include checks on its compliance with data security and privacy regulations, data encryption policies, employee security practices, cybersecurity protection, and data segregation policies.
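The first practice in the list, discovering cloud services that IT never sanctioned, is usually done by a CASB reading web-proxy or firewall logs. The following is an added example, not McAfee's code or any CASB product's logic: it parses constructed proxy log lines, drops requests to services on a sanctioned list, and reports the remaining services with distinct user counts, traffic volume and a risk rating. The log line format, the sanctioned inventory and the risk ratings are assumptions for illustration.

```python
"""Shadow-IT discovery from web-proxy logs (added example, assumptions noted)."""
import re
from collections import defaultdict

# Assumed (constructed) proxy log format: "<timestamp> <user> <host> <bytes>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

# Constructed sanctioned-service inventory; a real one comes from the IT asset register.
SANCTIONED = {"office365.example", "salesforce.example"}

# Constructed risk ratings, standing in for a CASB's service catalogue.
RISK_RATING = {
    "paste-share.example": "high",
    "freecloud-drive.example": "high",
    "notes-app.example": "medium",
}

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice office365.example 1200
2024-05-01T09:00:05Z bob paste-share.example 45000
2024-05-01T09:01:12Z carol freecloud-drive.example 900000
2024-05-01T09:02:30Z bob freecloud-drive.example 120000
2024-05-01T09:03:00Z dave salesforce.example 3000
2024-05-01T09:04:44Z alice notes-app.example 2000
malformed line that should be skipped
"""


def parse_log(text):
    """Yield (user, host, bytes) tuples, skipping lines that do not match the format."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.group(2), m.group(3), int(m.group(4))


def find_unsanctioned(text, sanctioned=SANCTIONED, ratings=RISK_RATING):
    """Return {host: {"users": set, "bytes": int, "risk": str}} for hosts not on the sanctioned list."""
    report = defaultdict(lambda: {"users": set(), "bytes": 0, "risk": "unknown"})
    for user, host, nbytes in parse_log(text):
        if host in sanctioned:
            continue
        entry = report[host]
        entry["users"].add(user)
        entry["bytes"] += nbytes
        entry["risk"] = ratings.get(host, "unknown")
    return dict(report)


def high_risk_services(report):
    """Hosts rated high risk, ordered by total traffic (largest first) for triage."""
    return sorted((h for h, e in report.items() if e["risk"] == "high"),
                  key=lambda h: -report[h]["bytes"])


if __name__ == "__main__":
    rep = find_unsanctioned(SAMPLE_LOG)
    for host in high_risk_services(rep):
        e = rep[host]
        print(f"{host}: {len(e['users'])} users, {e['bytes']} bytes, risk={e['risk']}")
```

Services absent from the rating table are reported as "unknown" rather than silently dropped, because an unrated service is exactly the kind of blind spot the report quoted above describes.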
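The DLP practice in the list (inspecting outgoing transmissions and blocking those that carry sensitive data) comes down to detection logic that must flag real payment card numbers and identifiers without blocking every long number. The following is an added example, not McAfee's code or any DLP product's logic: it scans an outbound message for card numbers, validating candidates with the Luhn checksum so that order numbers and other random digit strings are not flagged, and for US Social Security numbers, then returns a block decision together with a redacted copy suitable for logging. The patterns and the policy (block on any finding) are assumptions for illustration.

```python
"""Outbound DLP check for payment card numbers and SSNs (added example)."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US SSN in the conventional ddd-dd-dddd layout.
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits):
    """Luhn checksum: True for well-formed card numbers, False for most random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text):
    """Card-number candidates that pass the Luhn check, as they appear in the text."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(m.group())
    return found


def find_ssns(text):
    return SSN.findall(text)


def inspect_outbound(text):
    """Policy decision for one outgoing message: block if any sensitive value is present."""
    findings = [("card", c) for c in find_cards(text)] + [("ssn", s) for s in find_ssns(text)]
    redacted = text
    for kind, value in findings:
        redacted = redacted.replace(value, f"[{kind.upper()} REDACTED]")
    return {"block": bool(findings), "findings": findings, "redacted": redacted}


if __name__ == "__main__":
    # Constructed message: a phone number and an order number (both benign),
    # plus a card number and an SSN that should be caught.
    msg = ("Ship to 555-123-4567, ref 1234567890123456, "
           "card 4111 1111 1111 1111, SSN 123-45-6789")
    result = inspect_outbound(msg)
    print("block" if result["block"] else "allow", result["findings"])
    print(result["redacted"])
```

The Luhn step is the part that matters operationally: a DLP rule that fires on any 16-digit string drowns analysts in false positives from invoice and tracking numbers, and gets switched off.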
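The collaborative-sharing practice in the list needs a periodic review of who can reach each file, including people outside the organization who hold a web link. The following is an added example, not McAfee's code or any collaboration platform's API: it walks constructed sharing records in a shape many document stores expose (owner, collaborators, link-sharing mode, sensitivity label) and flags files reachable by anyone with the link or shared with accounts outside the organization's domain, raising the severity when the file is labelled confidential. The record shape, the domain, the labels and the severity scale are assumptions for illustration.

```python
"""Sharing-permission audit for a SaaS document store (added example)."""
from dataclasses import dataclass, field

ORG_DOMAIN = "corp.example"  # constructed organization domain


@dataclass
class ShareRecord:
    file_id: str
    name: str
    owner: str
    collaborators: list = field(default_factory=list)  # e-mail addresses
    link_sharing: str = "restricted"  # "restricted", "domain" or "anyone" (assumed modes)
    label: str = "internal"           # "internal" or "confidential" (assumed labels)


def external_collaborators(rec, org_domain=ORG_DOMAIN):
    """Collaborators whose address is not in the organization's domain (case-insensitive)."""
    return [c for c in rec.collaborators
            if c.rsplit("@", 1)[-1].lower() != org_domain.lower()]


def audit(records, org_domain=ORG_DOMAIN):
    """Return one finding per over-shared file, with the issues found and a severity."""
    findings = []
    for rec in records:
        issues = []
        if rec.link_sharing == "anyone":
            issues.append("anyone-with-link")
        ext = external_collaborators(rec, org_domain)
        if ext:
            issues.append("external:" + ",".join(sorted(ext)))
        if not issues:
            continue
        severity = "high" if rec.label == "confidential" else "medium"
        findings.append({"file_id": rec.file_id, "name": rec.name, "owner": rec.owner,
                         "issues": issues, "severity": severity})
    return findings


# Constructed sample records covering the cases the audit distinguishes.
SAMPLE_RECORDS = [
    ShareRecord("f1", "Q3 board deck.pptx", "alice@corp.example",
                ["bob@corp.example"], "restricted", "confidential"),
    ShareRecord("f2", "Customer list.xlsx", "bob@corp.example",
                ["partner@vendor.example"], "domain", "confidential"),
    ShareRecord("f3", "Lunch menu.pdf", "carol@corp.example", [], "anyone", "internal"),
    ShareRecord("f4", "Salary bands.xlsx", "dave@corp.example",
                ["Eve@CORP.example"], "anyone", "confidential"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['name']} (owner {f['owner']}): {'; '.join(f['issues'])}")
```

Domain comparison is case-insensitive on purpose: a mixed-case internal address would otherwise be reported as an external share, and a few such false alarms are enough for reviewers to stop reading the report.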
SaaS security solutions
Several types of security solutions can help organizations improve SaaS security. The solutions can be implemented separately or together as part of a CASB.
- Data loss prevention (DLP) safeguards intellectual property and protects sensitive data in cloud applications, as well as at endpoints such as laptops. Organizations can define data access policies that DLP enforces.
- Compliance solutions provide controls and reporting capabilities to ensure compliance with government and industry regulations.
- Advanced malware prevention includes technologies such as behavioral analytics and real-time threat intelligence that can help detect and block zero-day attacks and malicious files that may be spread through cloud email and file sharing applications.
- Cloud access security brokers (CASBs) protect enterprise data and users across all cloud services, including SaaS, PaaS, and IaaS. According to Gartner's Magic Quadrant for Cloud Access Security Brokers, CASBs detect threats and provide IT departments with greater visibility into data usage and user behavior for cloud services, end users, and devices. CASBs also act immediately to remediate security threats by eliminating security misconfigurations and correcting high-risk user activities in applications. CASBs provide a variety of security services, including:
- Monitoring for unauthorized cloud services
- Enforcing data security policies including encryption
- Collecting details about users who access data in cloud services from any device or location
- Restricting access to cloud services based on the user, device, and application
- Providing compliance reporting
CASB solutions, which are typically SaaS applications, may provide additional capabilities. These may include:
- File encryption
- Pre-built policy templates to guide IT staff through the process of policy creation
- User entity behavior analytics (UEBA) backed by machine learning
- In-application coaching to help end users learn improved security practices
- Security configuration audits to suggest changes to security settings based on best practices
IT departments can learn to protect their cloud applications and data by following cloud security best practices and implementing effective SaaS security solutions. Cloud security solutions from McAfee enable organizations to accelerate their business growth by giving them visibility and control over their applications, devices, and data. Learn more about McAfee cloud security technology.
SaaS security resources