TVMES experts continue to work with industry experts to identify simplified solutions to the problems faced by VMO leaders. It is our pleasure to present a robust and logical approach that will help you choose the right VMO platform.
VMO Platform Decision Matrix - SaaS Security
TVMES has identified five primary criteria VMO leaders should use when selecting a VMO platform. This article covers the fourth of the five; links to the previous articles are at the end.
5 Layers of Security: This is a mandatory, non-negotiable requirement in VMO platform decision making. Evaluate the platform's capability on each of the five layers below while applying the principle of least privilege (PoLP), a fundamental principle of computer, software and hardware security: each user is limited to the minimum set of access rights needed to perform their work, and everything else is denied by default.
- Cloud Security - a given for any SaaS solution, but verify it rather than assume it
- Secure Integration - SSO, LDAP or OpenID Connect authentication
- Application - module-level permissions
- Database - vital if the SaaS solution is built on a multi-tenant architecture: each tenant's data must be isolated from every other tenant's
- User Level Security - delegation, deactivation and role-based access
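The application and user-level layers above (module-level permissions, role-based access, delegation and deactivation) are easiest to evaluate against a concrete model. The following is an added example written for this article, not code from any VMO product: a deny-by-default, tenant-scoped role-based access check in which delegation is time-boxed and cannot grant a role the delegator does not hold, and deactivation cuts off every permission at once. Role names, permissions and the users in `run_scenario()` are hypothetical.

```python
"""Least-privilege, module-level RBAC for a multi-tenant SaaS platform.

Added example, not code from the original article or from any VMO product.
Role names, module permissions and the users in run_scenario() are
hypothetical. The design rule is deny-by-default: a user holds a permission
only through an active, tenant-scoped, unexpired role grant.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Application layer: permissions are granted per module and action,
# never as a blanket "admin" flag. (Hypothetical role catalogue.)
ROLE_PERMISSIONS = {
    "vendor_viewer": {"vendors:read"},
    "vendor_manager": {"vendors:read", "vendors:write", "contracts:read"},
    "contract_approver": {"contracts:read", "contracts:approve"},
    "tenant_admin": {"users:manage"},
}


@dataclass
class RoleGrant:
    role: str
    tenant_id: str                          # grants never cross tenants
    expires_at: Optional[datetime] = None   # set on delegated grants
    delegated_by: Optional[str] = None      # audit trail for delegation


@dataclass
class User:
    user_id: str
    tenant_id: str
    active: bool = True                     # deactivation removes all access
    grants: list = field(default_factory=list)


def effective_permissions(user: User, tenant_id: str, now: datetime) -> set:
    """Union of permissions from active, unexpired grants in this tenant."""
    if not user.active or user.tenant_id != tenant_id:
        return set()
    perms: set = set()
    for g in user.grants:
        if g.tenant_id != tenant_id:
            continue
        if g.expires_at is not None and g.expires_at <= now:
            continue                        # delegation has lapsed
        perms |= ROLE_PERMISSIONS.get(g.role, set())
    return perms


def is_allowed(user: User, tenant_id: str, permission: str, now: datetime) -> bool:
    """Every module entry point calls this; unknown permissions are denied."""
    return permission in effective_permissions(user, tenant_id, now)


def delegate(grantor: User, grantee: User, role: str, tenant_id: str,
             hours: int, now: datetime) -> RoleGrant:
    """Time-boxed delegation. The grantor may hand over only a role they
    themselves hold in that tenant, so delegation cannot escalate privilege."""
    held = {g.role for g in grantor.grants
            if g.tenant_id == tenant_id
            and (g.expires_at is None or g.expires_at > now)}
    if not grantor.active or role not in held or grantee.tenant_id != tenant_id:
        raise PermissionError(f"{grantor.user_id} cannot delegate {role} in {tenant_id}")
    grant = RoleGrant(role, tenant_id, now + timedelta(hours=hours), grantor.user_id)
    grantee.grants.append(grant)
    return grant


def deactivate(user: User) -> None:
    """Deactivation is a single switch that is checked on every request."""
    user.active = False


def run_scenario() -> dict:
    """Exercise the rules with constructed users; returns the decisions made."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    alice = User("alice", "t1", grants=[RoleGrant("vendor_manager", "t1")])
    bob = User("bob", "t1")
    results = {
        "alice_writes_own_tenant": is_allowed(alice, "t1", "vendors:write", now),
        "alice_writes_other_tenant": is_allowed(alice, "t2", "vendors:write", now),
        "bob_reads_before_grant": is_allowed(bob, "t1", "vendors:read", now),
    }
    delegate(alice, bob, "vendor_manager", "t1", hours=8, now=now)
    results["bob_writes_after_delegation"] = is_allowed(bob, "t1", "vendors:write", now)
    results["bob_writes_after_expiry"] = is_allowed(
        bob, "t1", "vendors:write", now + timedelta(hours=9))
    try:
        delegate(alice, bob, "tenant_admin", "t1", hours=1, now=now)
        results["escalation_blocked"] = False
    except PermissionError:
        results["escalation_blocked"] = True
    deactivate(bob)
    results["bob_reads_after_deactivation"] = is_allowed(bob, "t1", "vendors:read", now)
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

When you evaluate a platform, ask for the equivalent of each branch above: can a role be scoped to one tenant only, does a delegated role expire on its own, can a delegator hand out more than they hold, and does deactivating a user revoke everything immediately rather than on the next login.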
1. Cloud Security
- Your SaaS solution / infrastructure should have built-in controls to manage user access and data in a secure way.
- Data and application controls help to keep your data secure through the following mechanisms.
- Data encryption is a mechanism all SaaS systems should have. Data should be encrypted, both when at rest and during transit.
- Data loss prevention (DLP) mechanisms and policies should also be employed. A DLP detection feature looks for certain keywords, phrases and data patterns in transmitted text to determine whether your corporation's sensitive data is being sent to an unauthorized party or entity. Keyword matching on its own is noisy, so pair it with pattern validation to keep false positives manageable.
- Never assume that just because your application runs through the cloud that you don't need to have your own backups.
- Identity and access management is just as important in your SaaS environment as it is in any of your other traditional applications hosted on your on-premises and corporate networks.
- Make sure that each employee, user, or authorized contractor who is allowed to use your SaaS application has authentication credentials that are unique to them; shared accounts defeat both access control and audit logging.
- Where passwords are used, a password policy is just as important for SaaS as it is for everything else. Enforce complexity and rotate passwords at least once every three months; note that current NIST SP 800-63B guidance favours minimum length, screening against known-breached password lists and rotation on evidence of compromise over a fixed rotation interval, so check which model the platform supports.
- Where possible, there should also be an extra authentication vector, commonly referred to as two-factor authentication (2FA) or multi-factor authentication (MFA).
- Access controls are also important. Depending on the nature of your SaaS application, access rights can be granted by the user's role and further restricted by network location, with anything not explicitly granted denied by default.
- Implement logging and monitoring controls. Not only should you log authentication and access events, and DLP-related events, you should also log various other metrics related to SaaS use.
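The DLP and logging points above are served by a single piece of detection logic. The following is an added example written for this article, not code from any VMO product or DLP vendor: it scans outbound text for a keyword list and for card-number and SSN-shaped patterns, uses the Luhn checksum to discard order or tracking numbers that merely look like a card number, and emits one structured audit event per match with the evidence masked so the DLP log does not itself become a leak. The keyword list, the regexes, the event schema and the messages in `sample_messages()` are constructed for illustration.

```python
"""Keyword- and pattern-based DLP check on outbound text, emitting audit events.

Added example, not code from the original article or from any VMO product.
The keyword list, the regexes, the event format and the messages in
sample_messages() are constructed for illustration.
"""
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Phrases a tenant classifies as confidential (constructed list).
SENSITIVE_KEYWORDS = ("confidential", "internal only", "vendor rate card")

# 13-19 digits, optionally separated by single spaces or dashes (card-number shaped).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape, constructed for illustration.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops order/tracking numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, evidence) findings. PAN/SSN evidence keeps only the last
    four digits so the DLP log itself does not become a second leak."""
    findings = []
    lowered = text.lower()
    for kw in SENSITIVE_KEYWORDS:
        if kw in lowered:
            findings.append(("keyword", kw))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings


def dlp_event(user: str, tenant: str, channel: str, text: str, now: datetime) -> dict:
    """One structured audit record per scanned message (constructed schema)."""
    findings = find_sensitive(text)
    return {
        "ts": now.isoformat(),
        "event": "dlp.match" if findings else "dlp.clean",
        "user": user,
        "tenant": tenant,
        "channel": channel,
        "findings": [{"kind": k, "evidence": e} for k, e in findings],
    }


def scan_messages(messages, now: Optional[datetime] = None) -> list:
    """messages: iterable of (user, tenant, channel, text).
    Returns JSON lines for the messages that matched; clean ones produce no line."""
    now = now or datetime.now(timezone.utc)
    lines = []
    for user, tenant, channel, text in messages:
        ev = dlp_event(user, tenant, channel, text, now)
        if ev["event"] == "dlp.match":
            lines.append(json.dumps(ev, sort_keys=True))
    return lines


def sample_messages() -> list:
    """Constructed outbound messages for the demo."""
    return [
        ("alice", "t1", "email", "Order 1234567890123 shipped today"),
        ("bob", "t1", "chat", "Card on file 4111 1111 1111 1111 exp 12/26"),
        ("carol", "t2", "export", "This is CONFIDENTIAL; applicant SSN 123-45-6789"),
    ]


if __name__ == "__main__":
    for line in scan_messages(sample_messages()):
        print(line)
```

The first sample message contains a 13-digit number that fails the Luhn check and so is reported as clean; the second and third produce `dlp.match` events. In a real deployment the JSON lines would be shipped to the same log pipeline as the authentication and access events, which is what makes them correlatable with the user and session that triggered them.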
Be mindful of the issues bulleted below, and make sure that you have mechanisms, applications, policies, and procedures to address them.
- Injection of malicious code via SQL, LDAP and operating-system commands
- Insecure authentication and session management
- Cross-site scripting from unvalidated or unencoded user input
- Insecure direct object references (exposing file, directory or record identifiers without an authorization check)
- Cross-site request forgery
- Poor database, operating system, and middleware configuration
- Exposing sensitive data, such as authentication credentials and personal information
- Using components with known vulnerabilities
- Missing access checks on the server side or inside business logic (function-level access control)
- Unvalidated redirects and forwards
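Three of the items in that list are easiest to recognise when the vulnerable form sits next to its fix. The following is an added example written for this article, not code from any VMO product: a string-built SQL query beside its parameterised version, a record lookup that trusts the id from the request beside one scoped to the caller's tenant (the server-side access check), and a redirect target validator. The schema, the rows and the function names are constructed for illustration.

```python
"""Three items from the list above, each shown as the vulnerable form beside
the fix, against an in-memory SQLite database.

Added example, not code from the original article or from any VMO product.
The schema, the rows and the function names are constructed for illustration.
"""
import sqlite3
from urllib.parse import urlsplit


def setup() -> sqlite3.Connection:
    """Two tenants, one contract each (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE contracts (id INTEGER PRIMARY KEY, tenant_id TEXT, title TEXT);
        INSERT INTO contracts VALUES (1, 't1', 'Acme MSA'), (2, 't2', 'Globex SOW');
    """)
    return conn


# 1. SQL injection: query text built from input (vulnerable) vs. bound parameters.
def search_vulnerable(conn, tenant_id: str, term: str) -> list:
    # A term such as "' OR 1=1 --" turns the tenant filter into "... OR 1=1".
    sql = (f"SELECT id, title FROM contracts WHERE tenant_id = '{tenant_id}' "
           f"AND title LIKE '%{term}%'")
    return conn.execute(sql).fetchall()


def search_fixed(conn, tenant_id: str, term: str) -> list:
    # Input travels as a bound value; it can never change the query structure.
    sql = "SELECT id, title FROM contracts WHERE tenant_id = ? AND title LIKE ?"
    return conn.execute(sql, (tenant_id, f"%{term}%")).fetchall()


# 2. Insecure direct object reference / missing server-side access check:
#    trusting the id from the request vs. scoping the lookup to the caller's tenant.
def get_contract_vulnerable(conn, caller_tenant: str, contract_id: int):
    # caller_tenant is never consulted, so any id from any tenant is readable.
    return conn.execute(
        "SELECT id, tenant_id, title FROM contracts WHERE id = ?",
        (contract_id,)).fetchone()


def get_contract_fixed(conn, caller_tenant: str, contract_id: int):
    row = conn.execute(
        "SELECT id, tenant_id, title FROM contracts WHERE id = ? AND tenant_id = ?",
        (contract_id, caller_tenant)).fetchone()
    if row is None:
        # Same response whether the row is missing or belongs to another tenant,
        # so the endpoint is not an existence oracle for other tenants' ids.
        raise PermissionError("contract not found")
    return row


# 3. Unvalidated redirect: accept only a same-site, absolute-path target.
def safe_redirect(target: str, default: str = "/") -> str:
    parts = urlsplit(target)
    if (parts.scheme or parts.netloc
            or not parts.path.startswith("/")
            or parts.path[1:2] in ("/", "\\")):  # browsers read "//host" and "/\host" as absolute
        return default
    return target


if __name__ == "__main__":
    conn = setup()
    payload = "' OR 1=1 --"
    print("vulnerable search:", search_vulnerable(conn, "t1", payload))
    print("fixed search:", search_fixed(conn, "t1", payload))
    print("IDOR read of another tenant's row:", get_contract_vulnerable(conn, "t1", 2))
    print("redirect:", safe_redirect("//evil.example/"))
```

When assessing a platform, the questions that follow from this are whether every data-access path carries the tenant (and user) scope in the query itself rather than in a check the caller might skip, and whether the product's redirect and "return to" parameters are validated against an allowlist of local paths.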
LINKS TO PREVIOUS ARTICLES IN THE SERIES: