Best practices for SaaS application security

The biggest concern when considering a SaaS application is data security. Is your data secure? Who has access to your data? What if the data center gets hit by a natural disaster or fire?

The SaaS provider is an organization with its own structure and processes, to which the user outsources the processing of their data and, with it, data security. This poses a potential security risk. However, because monitoring security is the full-time job of a cloud host, it can be done more efficiently and more thoroughly than by an in-house team that handles all IT concerns for the whole organization, of which security is only a small part. Besides, the risk of internal data theft also needs to be considered and is much higher than one would think.

Overall, using a SaaS application can be more secure than on-premises software if your IT team does not have the capacity and knowledge and if you choose a SaaS provider with the right data security policy and respective processes and measures.

Check that the SaaS provider has implemented the following best practices for SaaS application security. A distinction can be made between the security of the cloud hosting and the security of the application itself, which also depends on the user.

Cloud hosting security

Hosting locations and regulations

Make sure you know where your data is stored and which regulations and data privacy measures apply. Is it, for example, stored in the EU, and does the provider adhere to GDPR?

The majority of software providers and sub-processors are based either in the EU or in the US. Regarding the legal basis for data processing, familiarize yourself with European versus US data regulations so you know which legislation you want your provider to adhere to.

Overall, in Europe data handling has long been framed around fundamental human rights to privacy and protection, whereas the US does not apply the same ‘citizen first’ approach to data handling and protection. The EU introduced GDPR as overarching legislation to make data privacy a clear priority. The US is still trying to find a top-down solution that applies across all of its states.

Read more about the difference between the US and EU data privacy approaches here.

Data encryption

Make sure the cloud provider you choose uses strong encryption for data at rest, in use and in transit. This protects the data from being accessed by the wrong party at any point in time.

Backups

To guarantee that data cannot be lost, continuous backups in separate locations should be provided. Then, in the event of an accident, data can be recovered quickly and easily.

Audits

Make sure the provider is audited regularly. A third party thereby validates compliance requirements and confirms that security systems and procedures protect users’ data.

Protection of physical hardware

The provider should protect its physical hardware to make it difficult for attackers to steal data. Tier IV data centers, for example, have measures in place to protect the physical systems that run the cloud. These include armed security patrols, biometrically controlled access checkpoints and 24/7 CCTV monitoring.

External Firewall

A top-of-the-range external firewall can inspect the file type, content, source, destination and integrity of packets and then approve or reject them. You want the cloud provider to have a strong external firewall to block threats.

Internal firewall

There is a risk not only of external but also of internal attacks. A cloud provider therefore needs internal firewalls to restrict access to critical data, for example if an employee’s user account is compromised. An internal firewall should keep applications and databases separate, which limits the damage of an internal attack.

Compliance

Some cloud providers offer all the necessary infrastructure and processes to comply with standards such as PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2 and NIST 800-171. Be clear about your own requirements and then check what the cloud provider offers.

Intrusion Detection Systems (IDS)

IDS event logging is a requirement for organizations that want to comply with standards such as PCI DSS or HIPAA. An IDS tracks and records intrusion attempts.

SaaS application security

Identity and access management (IAM)

It is crucial to only give access to data to the right users. Cloud identity and access management systems provide consistent access control across all cloud services.

Check whether the SaaS provider offers IAM to initiate, capture, record and manage user identities and their access rights. This facilitates compliant processes and keeps your data secure.

Some providers also support integration with an identity provider that the user manages. Give preference to a provider that offers single sign-on and adds an extra security layer through multifactor authentication.

Security monitoring

Have a dedicated person monitor SaaS use and examine the data and logs provided by the SaaS provider. IT and security executives have to treat SaaS offerings like any other enterprise application.

You can make use of SaaS security posture management (SSPM), which tracks and compares the stated security policy against the actual security status and consequently lets you find and fix security risks.

OpenProject - secure cloud project management software

Data protection and information security are of central importance to OpenProject and are one of the main motives for the development of this open source software.

GDPR compliance

We want to take care of the privacy, integrity and confidentiality of your data, as well as the security of our infrastructure. As a European company based in Berlin, OpenProject complies with European and national data protection regulations. We process your data strictly confidentially and only for the purpose we informed you about when collecting the data.

Secure hosting location

The OpenProject Enterprise cloud edition is hosted in the EU and on request in Germany.

Technical and organizational security measures

We implement technical and organizational security measures to protect your personal data from accidental or willful manipulation, loss, destruction or unauthorized access.

Additional security features

Additional security features make OpenProject the cloud project management software of choice. OpenProject offers two-factor authentication, which prevents anyone from accessing or using your account even if they know your password. With LDAP sync, a worker checks users against the organization’s LDAP directory, so a user who is no longer in the directory can no longer log in to OpenProject. With group sync, the process runs every hour to automatically update group memberships based on the members of the LDAP groups.
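As an added illustration of the user sync and group sync behaviour described above (example code written for this page, not OpenProject’s own implementation), the following reconciles a directory snapshot against application state. The directory contents and the application’s users and groups are constructed sample data embedded inline rather than a live LDAP lookup, and the helper names are assumptions.

```python
"""Reconcile application users and group memberships against an LDAP snapshot.

Constructed illustration, not OpenProject's code. Rules mirrored from the text:
  * a user who is active in the application but absent from LDAP loses access
  * for each synced group, application membership is made equal to LDAP membership
"""
from dataclasses import dataclass, field

# Constructed LDAP snapshot: login -> set of LDAP group names the login belongs to.
LDAP_USERS = {
    "alice": {"developers", "admins"},
    "bob": {"developers"},
    "carol": set(),
}

# Constructed application state. "dave" has already left the directory, and
# "bob" still holds a stale "admins" membership the directory no longer grants.
APP_ACTIVE_USERS = {"alice", "bob", "dave"}
APP_GROUPS = {
    "developers": {"alice", "dave"},
    "admins": {"bob"},
}


@dataclass
class SyncPlan:
    deactivate: set = field(default_factory=set)   # logins to lock out
    add: dict = field(default_factory=dict)        # group -> logins to add
    remove: dict = field(default_factory=dict)     # group -> logins to remove


def plan_user_sync(ldap_users, app_active):
    """Users active in the app but missing from the directory are deactivated."""
    return set(app_active) - set(ldap_users)


def plan_group_sync(ldap_users, app_groups, synced_groups):
    """Compute per-group adds/removes so app membership equals LDAP membership.
    Only logins present in the directory can ever be added, so a deactivated
    user is also dropped from every synced group in the same run."""
    adds, removes = {}, {}
    for group in synced_groups:
        wanted = {login for login, groups in ldap_users.items() if group in groups}
        current = set(app_groups.get(group, set()))
        if wanted - current:
            adds[group] = wanted - current
        if current - wanted:
            removes[group] = current - wanted
    return adds, removes


def build_sync_plan(ldap_users, app_active, app_groups, synced_groups):
    """One sync run: user deactivations plus group membership corrections."""
    plan = SyncPlan()
    plan.deactivate = plan_user_sync(ldap_users, app_active)
    plan.add, plan.remove = plan_group_sync(ldap_users, app_groups, synced_groups)
    return plan
```

With the sample data, one run deactivates "dave", removes him from "developers", adds "bob" there, and swaps the stale "admins" membership from "bob" to "alice".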

Data backups

Additional security is also provided by OpenProject’s regular and secure backups, so that you won’t lose data. Database: automated backups are performed and retained for 30 days, allowing point-in-time restoration within that time frame; both snapshots and transaction logs are securely stored in S3. Attachments: attachments are stored securely in S3 as well; the S3 storage is encrypted and replicated across multiple availability zones within the same region.

Open source

A considerable advantage of OpenProject as open source software is the great freedom that the open source license grants to users and developers. Open source software can provide higher security because the code is available and can be reviewed by the community to identify and fix potential security gaps quickly.

This is not everything OpenProject does to protect the data of its cloud project management software users. Read more about how OpenProject takes care of users’ data and how we prioritize data privacy and security.