Best practices for SaaS application security
The biggest concern when considering a SaaS application is data security. Is your data secure? Who has access to your data? What if the data center gets hit by a natural disaster or fire?
The SaaS provider is an organization with their own structure and processes to which the user outsources the processing of their data and accordingly data security. This poses a potential security risk. However, as monitoring the security is the full-time job of a cloud host, it can be done more efficiently and better than by a team that is busy with all IT concerns for the whole organization and security makes up only a small part. Besides, the risk of internal data theft also needs to be considered and is much higher than one would think.
Overall, using a SaaS application can be more secure than on-premises software if your IT team does not have the capacity and knowledge and if you choose a SaaS provider with the right data security policy and respective processes and measures.
Check that the SaaS provider has implemented the following best practices for SaaS application security. Thereby, you can distinguish between security of the cloud hosting and the security of the application itself which is also linked to the user.
Cloud hosting security
Hosting locations and regulations
Make sure you know where your data is stored and which regulations and data privacy measures apply. Is it e.g. in the EU, does the provider adhere to GDPR?
The majority of the software providers and sub-processors are based either in the EU or in the US. Regarding the legal basis for data processing, get yourself familiar with European versus US data regulations to know which legislation you want your provider to adhere to.
Overall, in Europe, data has long been about fundamental human rights to privacy and protection whereas the US doesn’t apply the same ‘citizen first’ approach to data handling and protection. The EU introduced GDPR as an overarching legislation to make data privacy a clear priority. The US is still trying to find a top-down solution for all federal states.
Read more details here about the difference between the US and EU data privacy approach.
Cryptage des données
Make sure the cloud provider you choose is using strong encryption for data at rest, in use and in transit. It will protect the data from being accessed by the wrong party at any point in time.
Backups
In order to guarantee that data cannot get lost, continuous and backups in separate locations should be provided. Then, in the event of an accident, data can quickly and easily be recovered.
Audits
Make sure the provider is audited regularly. A third party thereby validates compliance requirements and makes sure security systems and procedures protect users’ data security.
Protection of physical hardware
The provider should protect its physical hardware to make it difficult for hackers to steal data. Tier IV data centers e.g. have measures in place to protect the physical system that runs the cloud. These include armed security patrols, biometrically controlled access checkpoints, 24/7 CCTV monitoring.
External Firewall
A top of the range external firewall is able to check the type of file, content, source, destination and integrity of file packets to then approve or reject them. You would want the cloud provider to have a strong external firewall to block threats.
Internal firewall
There is a risk of not only external but also internal attacks. A cloud provider thus needs internal firewalls to restrict access to critical data, e.g. if an employee user account gets compromised. An internal firewall should keep applications and databases separate and would then limit the damage of an internal attack.
Compliance
Some cloud providers provide all necessary infrastructure and processes to comply with certifications like PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171 etc. Be sure about your own requirements and then check what the cloud provider offers.
Intrusion Detection Systems (IDS)
IDS event logging is a requirement for organizations that want to comply with standards for example like PCI or HIPAA. IDS track and record intrusion attempts.
SaaS application security
Identity and access management (IAM)
It is crucial to only give access to data to the right users. Cloud identity and access management systems provide consistent access control across all cloud services.
Check if the SaaS provider offers IAM to initiate, capture, record, and manage user identities and their access rights. It will facilitate the compliance of processes and keep your data secure.
Thereby, some providers support integration with identity providers that the user can manage. You should also give preference to a provider that gives you the option of single sign-on and add an extra security layer with multifactor authentication.
Security monitoring
Have someone dedicated monitoring the SaaS use and examine the data and logs provided by the SaaS provider. IT and security executives have to treat SaaS offerings like any other enterprise application.
You could make use of SaaS security posture management (SSPM) that tracks and compares the stated security policy versus actual security status and consequently will let you find and fix security risks.
OpenProject - secure cloud project management software
La protection des données et la sécurité de l’information sont d’une importance capitale pour OpenProject et sont l’une des principales raisons du développement de ce logiciel Open Source.
GDPR compliance
Nous voulons prendre soin du caractère privé, de l’intégrité et de la confidentialité de vos données, ainsi que de la sécurité de notre infrastructure. En tant que société européenne basée à Berlin, OpenProject respecte les réglementations européennes et nationales en matière de protection des données. We process your data strictly confidentially and only for the purpose we informed you about when collecting the data.
Secure hosting location
The OpenProject Enterprise cloud edition is hosted in the EU and on request in Germany.
Technical and organizational security measures
Nous mettons en œuvre des mesures de sécurité techniques et organisationnelles afin de protéger vos données personnelles contre toute manipulation accidentelle ou volontaire, perte, destruction ou accès non autorisé.
Fonctionnalités de sécurité supplémentaires
Additional security features make OpenProject the cloud project management software of choice. OpenProject propose une une authentification à deux facteurs. Cela sert à empêcher quiconque d’accéder ou d’utiliser votre compte, même s’il connaît votre mot de passe. With LDAP sync a worker checks users against the organization’s LDAP. This means that the user will not be able to login to OpenProject anymore if he is not on the system anymore. Avec une synchronisation de groupe, le processus s’exécutera toutes les heures pour mettre automatiquement à jour les adhésions aux groupes en fonction des membres du groupe LDAP.
Data backups
Additional security is also provided by OpenProject’s regular and secure backups to make sure you won’t lose data. Base de données : des sauvegardes automatisées sont effectuées et conservées pendant 30 jours pour permettre la restauration des données à un moment précis au cours de cette période. Les instantanés et les journaux de transactions sont stockés en toute sécurité dans S3. Pièces jointes : les pièces jointes sont également stockées en toute sécurité dans S3. Le stockage S3 est chiffré et répliqué sur plusieurs zones de disponibilité au sein de la même région.
Open source
Un avantage considérable de l’application OpenProject en tant que logiciel Open Source est la grande liberté que la licence accorde aux utilisateurs et aux développeurs. An open source software can provide higher security as the code is available and can be reviewed by the community to identify and fix potential security gaps quickly.
This is not everything OpenProject does to protect the data of its cloud project management software users. Read more in detail about how OpenProject takes care of users’ data and how we prioritize data privacy and security.