The video above talks about the security and safety that a cloud solution can provide. Mr. Sunil Uttam, co-founder, Mithi Software Technologies elaborates on the 6 layers that make up any reliable cloud security infrastructure.
Hello, good afternoon friends. I am Sunil Uttam, co-founder & principal solution architect at Mithi. My primary responsibility is to help our customers build future-proof architectures on data management, collaborations, security. So welcome to this next episode of SaaS in practice. Here we will be covering what are the various elements to secure a SaaS solution on the cloud and you could use this as a reference while you’re evaluating, purchasing or, you know, looking at your own consumption of SaaS solutions. So let’s get started and let’s see what are the various elements to consider while securing a SaaS solution.
IaaS Cloud Platform
So this is the first layer of any SaaS cloud solution. That’s the cloud platform itself, or the infrastructure platform. So, most of the SaaS cloud solutions obviously would be using infrastructure as a service kind of a platform, something like AWS, Google cloud, Azure, and what happens when the vendor of a SaaS solution uses such a platform is that the vendor and you are ensured that the platform itself is secured at multiple layers and it undergoes stringent processes and tests to comply with norms.
For example, it could comply with SOC, it could comply with norms related to physical security. Typically all these platforms are ISO certified as well. So by taking a platform from a cloud player which is an IaaS, we are actually starting out very strong. So the SaaS solution built on such a platform would typically be well-secured at the base.
Hardened, access controlled cloud services & resources
Now most cloud solutions offer you a shared security model, where they will secure the infra, but they would expect you to secure your infra. So what does my infra or the vendors infra is compute, storage, databases and the various other services which we, as vendors, would consume from the IaaS platform play.
We have to ensure that they are hardened, their access control is well-maintained and backups are taken, VPCs are established. So at this layer, it is our job or the vendors job to ensure that all the resources which are deployed for the SaaS solution are secured. Once that is done, the most crucial piece comes into play which is the data.
Now here is where the rubber hits the road and its up to the vendor of the SaaS solution to ensure that your data, the customers data, which is being placed in their custody, is well-secured. We feel that at least there should be three very critical things to configure.
One is encrypted at rest which means data which is stored in the SaaS solution, is stored in an encrypted form. It’s almost basic hygiene and this ensures that no staff member of the vendor and anybody hacks into the storage, they will not be able to make anything out of it. So this encrypted at rest is a very critical and basic requirement.
Second thing is, many SaaS vendors store data over the long term. So you might consume a SaaS service over many years. You would accumulate a huge amount of data there. What a lot of SaaS vendors do is they tier the data, which means that the data is moved into multiple different storages, different access points, and though it becomes as much more difficult to hack into or break into.
Third most important thing is most SaaS cloud solutions are multi-tenant which means the same infra serves multiple customers, multiple users. And so it is very important that there is a virtual partitioning of the data. This is typically done by the unique customer id which is assigned to each data point or each data piece.
Protocols, Web services, API
Once a data is secured, we’re talking about access, how can you access the services? Typically it is through protocols, web services, APIs. These are your entry and exit points of the data and functions and the operations, so these need to be secured by authentication. It could be multi-factor, or normal with lot of password controls, password history, password complexity and many more such controls, include biometrics as well.
Authorization which means that which user and which administrator can access which parts of the data, which parts of the service which they cannot. From where they can access that is access control, trusted IPs, trusted devices and whenever they do any action is there an audit trail be maintained which can be reviewed at any point in time.
And the last but not the least, since now here is where the rubber hits the road again, in terms of access, is the service protected for DDOS? Because as a SaaS service becomes more popular or as your domain becomes more popular, they are bound to get attacked.
Now built on all these API protocols and web services are the applications which your users would really be consuming. It could be portal, it could be e-discovery, it could be mobile applications. So here again, authentication in terms of log in, the roles which the users are allowed and what they can do in those roles and various are the functions which are very specific to the application it would be played here.
And the last piece here is of course the network because that is where everything happens from your end point to the cloud. So the key thing here is all the information which is moving and all the operations which are happening should be encrypted at transit.
Right. So the layers which I just showed you on the deck are typically how any enterprise business solution should be secured. But what happens on the cloud is and on a SaaS is the vendor who is providing you the SaaS will typically cover all this for you and it’s not much of a challenge for you to do, you have to just consume. So use this as a reference while you’re evaluating SaaS solutions for your business needs and hope this was useful to you. If you like the video, we would really like you to like it. We would love to listen to you in terms of comments and we will see you on the other one.