SaaS Security

Potential Risks and Threats

  • Access risk
    • SaaS apps are always on that is why anyone can reach them on internet
    • Credential stuffing & password spraying are common attacks
  • Misconfiguration risk
    • Too many administrators
    • Lack of visibility into SaaS security settings and changes
  • Shadow SaaS
    • deployed application in the same cloud account as the main SaaS application
    • the deployed service was done without the security approval

Evaluation of SaaS Security (SANDPIT)

  • S - Scalability and Resiliency
    • Provider's ability to scale and recover from failure
  • A - Access Control
    • Who has access to the app?
    • Authentication and Authorization
  • N - Network and Boundary Controls
    • North-South traffic
      • ingress and egress controls
      • control traffic in and out of the network
    • East-West traffic
      • segmentation
      • Understanding how data isolated or commingled
  • D - Data Protection
    • Encryption
    • Managed certificates and keys
    • Use unique keys for each instance
  • P - Privacy
    • The infrastructure should be compliant with any laws are important for your business
  • I - Incident Response
    • When something is happened, the monitoring tools should be able to detect it and show to customers when and what happened
  • T - Third-Party Attestation
    • Annual assessment and report of cloud service provider
    • Conducted by an external auditor (e.g. SOC2)
Last modified 6mo ago