Website Security for SaaS and Cloud Ecommerce Applications: A Technical Deep Dive, Comparison & Checklist
Website Security for SaaS and Cloud Ecommerce Applications: A Technical Deep Dive, Comparison & Checklist
Get The Print Version
Tired of scrolling? Download a PDF version of our website security article for easier offline reading and sharing with coworkers.
Software as a Service (SaaS) is a software licensing and delivery model where users access applications or services via a subscription.
The applications are remotely hosted by the service provider and can be accessed on demand by customers over the internet or private networks.
Many enterprises and businesses of all sizes take advantage of this subscription-based model in order to reduce IT costs which are often associated with traditional on-premise applications.
These overhead costs may include hardware, upgrades and patch management, which must all be purchased up-front for those who do not go for a SaaS deployment model. This on-demand licensing model is also beneficial as it allows customers to increase their services only as they grow.
SaaS has been steadily growing over the past decade as many businesses adopt this new model of purchasing IT.
Apart from the set-up costs, many managers also favor SaaS solutions as they have full support from the service providers.
They no longer have to worry about providing extensive training to employees and the SaaS apps often connect easily with other third-party apps through well-maintained APIs.
Besides the long list of benefits, ecommerce security is still one main concern which is holding some enterprises back from adopting SaaS.
In this deep dive, we’ll cover these major security concerns, why they matter, best practices and key solutions to ensure that your ecommerce site and customer data are secure.
The Growth of SaaS and Cloud-based Applications
The rapid adoption of cloud computing technology in the form of rendered ‘cloud services’ makes it one of the hottest topics on the minds of IT and ecommerce leaders today.
Cloud computing services are often referred to as a ‘game-changer’ amongst industry pundits, largely due to the opportunity the technology offers in organization-wide collaboration, enterprise-class scalability, and device agnostic availability while providing exceptional cost reduction advantages through optimized and efficient computing.
It is important to distinguish the three cloud computing classifications often referred to as the ‘SPI model’ where SPI refers to
- Software as a Service (SaaS): offers users access to application software and databases.
- Platform as a Service (PaaS): offers, beyond computing infrastructure, a development environment for application developers (e.g., operating systems, programming language execution environment, databases, etc.).
- Infrastructure as a Service (IaaS): offers basic computing infrastructure (e.g., physical and virtual machines, location, network, backup, etc.).
Here’s additional in-depth information on the differences between IaaS vs PaaS vs SaaS.
All of the above SPI cloud service models can be deployed on one of the following four infrastructure deployment models:
- Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
- Private cloud: the cloud infrastructure is operated solely for a single organization. It may be managed by the organization itself or by a third party and may be located on-premises or off-premises.
- Hybrid cloud: the cloud infrastructure is a combination of two or more clouds (private, community or public).
1. Adoption Rates.
According to Gartner, the worldwide public cloud services market is projected to grow by 17.3% in 2019 to total $206.2 billion, up from $175.8 billion in 2018.
The growth projections are unevenly spread across SaaS, PaaS, and IaaS.
Software as a service (SaaS) remains the largest segment of the cloud market, with revenues expected to hit $85.1 billion in 2019 which will come to an annual growth of 17.8%.
Infrastructure as a Service (IaaS) is expected to be the fastest-growing cloud services segment with forecasted growth of 27.6% in 2019 to reach $39.5 billion, up from $31 billion in 2018. Amazon is the leading vendor in the IaaS market, followed by Microsoft, Alibaba, Google, and IBM.
2. Adoption Rates by Vertical.
As earlier mentioned in this report, cloud services adoption rates are rapidly growing – but what segments and verticals are growing the fastest?
Many organizations tend to start out with apps that could be easily migrated over to the cloud, and then transition their larger strategic systems such as their ecommerce platform, ERP and supply chain applications. These projects, tend to be integrated into their digital transformation plans.
A survey conducted by The Economist Intelligence Unit revealed the varying rate of cloud adoption across industries.
The first movers to the cloud appear to be digital “pure play” solutions that stand side-by-side with the legacy industry solutions, such as:
- Digital banking sprouting out of in-person branch banking.
- Ecommerce stores competing with brick-and-mortar retailers and shopping centers.
Manufacturing, as we shall see, presents a more complex problem as it involves the integration of the cloud into physical structures such as factories, machines, and assembly lines.
Finally, as discussed in our review of these industries, adoption in Education and Healthcare is slowed by regulatory constraints and less intensely competitive environments. Nevertheless, we see that as far as the cloud has come, it still has a long way to go. “Pervasive presence”—ready access and widespread deployment—averages out to only 7% across industries.
3. Myth: Is the cloud really less secure than on-premise?
As industry trends show the ever-growing popularity and adoption of cloud technology, some organizations still seem hesitant to take the leap.
A Deloitte survey on cloud adoption showed that among a group of CIOs that have yet to implement cloud computing in their organizations, their main objections were:
- Risk of losing control and governance of data.
- Legal issues and open compliance.
- Risk of their data being exposed.
- Inadequate data security.
From the sub-group of CIOs yet to have adopted cloud technology, 78% of them, revealed that the major reason for non-adoption was their uncertainty in ecommerce security.
The ‘cloud security’ myth as this whitepaper will debunk, is that if an organization stores their data in a third-party data center, they put themselves and their customers at risk of a data breach that will not only damage their organization’s reputation but also have significant financial implications in the form loss of business and ultimately lead to penalties or fines.
Yet as we are well aware, events, such as hacks, always make it to the media faster than examples of when things work well. And cloud computing is no exception. Therefore organizations must take into consideration many factors when selecting a suitable SaaS partner for their business.
All of the sections that follow in this whitepaper will put the ‘cloud security’ myth to rest by thoroughly explaining the robust security layers of SaaS and Cloud-based applications as well as the rigorous fraud prevention, information security standards and compliance frameworks adopted by best-in-class Cloud service providers.
Security Layers in Enterprise SaaS and Cloud-based Applications
Cloud-based applications can be primarily categorized into two key layers:
- Layer 0, the IaaS (Infrastructure as a service) and PaaS (Platform as a service) cloud where everything else runs; typically, Amazon Web Services, Microsoft Azure, Google Cloud Platform, IBM Cloud, or Alibaba.
- Layer 1, SaaS and cloud-delivered applications that typically run on Layer 0 IaaS infrastructure.
Each layer has a set of both overlapping and distinct security considerations and standards.
Let’s dive into the thorough set of security standards and compliance frameworks that cater for both Layer 0 and Layer 1 cloud-based solutions as well as effective remedies for redundancy, and ways of ensuring high availability and uptime.
1. Layer 0 IaaS Cloud Security.
The central security principle in all IaaS cloud rendered solutions is the concept of ‘shared responsibility’, which means two things:
- IaaS providers are responsible for the security of the cloud (e.g. global infrastructure, storage, databases, networking, computer).
- Customers are responsible for security in the cloud (e.g. data, platforms, applications, operating systems, firewalls).
Here is a quick IaaS Cloud security checklist.
- Apply the IaaS provider’s best practice security configurations at set up. AWS, for instance, has an AWS Security Best Practices Whitepaper, the same applies to Microsoft Azure or Google Cloud.
- Continuously monitor your infrastructure and set up alerts when changes or new security vulnerabilities are detected.
- Ensure you use industry accepted encryption standards and that you protect the encryption keys with adequate key storage controls.
- Also, encrypt network connections throughout the cloud infrastructure.
- Use deep packet inspection (DPI) or intrusion detection and prevention solutions (IDS/IPS) to help detect network anomalies and attacks.
- Conduct specialized staff training on information security.
2. Layer 1 SaaS Cloud Security.
The following is a summary list of enterprise-grade security considerations when deploying a SaaS application for your organization:
- Data security should involve the use of strong encryption techniques and fine-grained authorization to control access to data.
Achieve regulatory compliance, with the most important being:
Physical and Perimeter Security Audit of Data Centers: SSAE 16 (Statement on Standards for Attestation Engagements no.16 (SSAE 16) or it’s equivalent, International Standard on Assurance Engagements (ISAE) 3402.
SSAE 16 comprises of two reports:
- A SOC 1 report that provides an independent snapshot of the organization’s control landscape on a given day.
- A SOC 2 report provides a historical trail of an organization’s controls over time (typically the last 6 months).
- Data access, data storage, and data processing should be governed and controlled under regulations such as ISO-27001, Sarbanes-Oxley Act [SOX], Gramm-Leach-Bliley Act [GLBA], Health Insurance Portability and Accountability Act [HIPAA].
- For ecommerce or payment processing applications, compliance industry standards like Payment Card Industry Data Security Standard [PCI-DSS] is mandatory (PCI Compliance is covered in my detail later in this report).
- Physical and Perimeter Security Audit of Data Centers: SSAE 16 (Statement on Standards for Attestation Engagements no.16 (SSAE 16) or it’s equivalent, International Standard on Assurance Engagements (ISAE) 3402.
- Understand the deployment model of your SaaS vendors (i.e. if they will be using a public cloud vendor or hosting themselves).
- Availability: around the clock availability of service involves architectural changes at the application and infrastructure levels that add scalability and high availability. A load-balanced farm of application instances, running on a variable number of servers will provide resilience to denial of service attacks as well as hardware and/or software failures.
- Business continuity [BC] and disaster recovery [DR]: what is the cloud-service provider’s strategy for recognizing threats and risks facing its infrastructure, and how will its employees and assets be protected in the event of a disaster? Their BC and DR plans will define potential risks; outline how the risks will affect their operations; and, make provisions for safeguards and procedures to mitigate the risks.
- Backups: enterprise data essentially needs to be regularly backed up to facilitate quick recovery in any event of a disaster. Strong encryption schemes need to be applied to all backup data.
Identity Manager (IdM) and Sign-On Process: Your SaaS vendor will support identity management and sign on services using any of the following models.
- Independent IdM stack: The SaaS vendor provides complete identity management and sign on services stack. All information related to user accounts, passwords, etc. will be completely maintained by the SaaS vendor.
- Credential Synchronization: The SaaS vendor supports replication of user account information and credentials between enterprise and SaaS application. User authentication is carried out by the SaaS vendor end using replicated credentials.
- Federated IdM: The user authentication is stored and occurs within the enterprise boundary. Users’ identities and user attributes are propagated on-demand to the SaaS vendor using federation to allow sign-on and access control.
Now that you have an understanding of ecommerce security considerations to factor in when deploying IaaS or SaaS solutions, we want to cover the most important security pillars in further detail.
Want more insights like this?
We’re on a mission to provide businesses like yours marketing and sales tips, tricks and industry leading knowledge to build the next house-hold name brand. Don’t miss a post. Sign up for our weekly newsletter.
Base vs. Application Security Checklist for IaaS and SaaS Direct Comparison
Following the shared responsibility model we just covered, we want to delve into the most important cloud security responsibilities of IaaS platform providers.
Then we’ll cover the cloud security responsibility of SaaS platform providers as well for direct comparison and understanding.
Base Level Security Checklist IaaS Security Checklist
1. Asset Protection: Redundancy of IaaS Platforms.
IaaS providers should guarantee that your data, and the hardware assets storing or processing it, are protected against physical tampering, loss, damage or seizure.
You should also evaluate the resilience and failover model of your IaaS provider, and how you can build upon their infrastructure in a way that gives you the level of availability that you need.
Physical Security Mechanisms
Your IaaS provider should offer an assurance that your data, disk images, and other storage, is appropriately protected – physically, logically or cryptographically.
In the event that your organization is not satisfied with the protection provided by the IaaS provider, you should be able to deploy volume encryption of your data store.
When dedicated physical storage infrastructure is provided by an IaaS provider, you should have a data erasure agreement in place prior to giving up storage hardware for reuse.
Data erasure, sometimes referred to as data clearing or data wiping, allows you to completely destroy all electronic data with a software-based method that uses binary data (ones and zeros) to overwrite the data. You should verify with the IaaS provider where responsibility for erasing data lies.
Additionally, you should have an exit plan in place that covers actions that should be taken when you stop using the IaaS. These actions may include marking data for deletion and wiping disk block storage to ensure that your data is not retained, or accessible to other service users.
Infrastructure security involves firewalls, robust encryption, and user authentication.
Some IaaS services may directly expose client infrastructure to public networks, such as the Internet. To establish infrastructure security, ensure that appropriate firewalls are deployed at both the infrastructure and platform level.
Virtual networking can be used to separate management and back-end functionality from interfaces exposed to end-users. In situations where your IaaS provider does not offer granular interface control, virtual network security appliances may be useful.
When data is intentionally shared with other users, you should have procedures in place to ensure it does not contain information which could give an attacker access to the service.
When sharing data with other users, use encryption keys or certificates to manage access and prevent attacks.
2. IaaS Uptime and SLAs.
An SLA (Service Level Agreement) is an agreement with a cloud service provider that details how they will handle potential problems.
For every new cloud service you purchase, an SLA assessment process should be drafted and as services change, the SLA should also be reassessed.
You should use the SLA to evaluate the stability of the service and to understand how your company’s assets will be protected while keeping expenses low should any problems occur.
The SLA is therefore very important when taking on a cloud service, and it’s important that you are familiar with all of the terms and conditions of it. Ultimately the SLA is the contract between you and your service provider, detailing all of the expectations for the partnership you are entering into.
It establishes the business relationship between you and the service provider, as well as explaining the actions which must be taken to mitigate any problems that may occur.
It is imperative that both parties, the buyer and service provider, are in agreement and fully understand the SLA. As some enterprise agreements can be quite complex, here are some things to keep in mind when outlining an SLA:
- Specify the parameters and minimum levels of service and the remedies in case these requirements are not met.
- Detail your organization’s ownership of data stored on the system of the provider and state your rights to get it back.
- Specify the security standards and infrastructure that must be upheld by the provider, as well as your rights to audit them.
- State your rights and the cost of using or canceling this particular service.
Looking further into the details of an SLA, let’s examine the important criteria which should be established for the agreement:
- Performance of service (i.e: what are the maximum response times?).
- Security and privacy of data (i.e: is stored and transmitted data always encrypted?).
- Availability of service (i.e: 99.99% during work days and 99.9% for nights and weekends).
- Expectations for disaster recovery (i.e: what is their commitment to worse scenario recovery?).
- Resolution expectations (i.e: call center to get instant support).
- Location of data (i.e: is it following local legislation?).
- Access to data (i.e: can data be retrieved in a readable format at any time?).
- Portability of data (i.e: can the data be moved to another provider if desired?).
- Change management (i.e: what is the process for dealing with changes in service or new services?).
- Dispute process (i.e: what is the process for escalating issues and what are the consequences?).
- Exit strategy (i.e: expecting a smooth transition and cooperation from the provider).
Once you have set up criteria for the SLA, the next step is to evaluate how critical the cloud service and associated data is to your business. This risk and nature of the cloud service are imperative in determining the terms of the SLA.
In conclusion, the SLA is the binding contract for the partnership between your business and the service provider. Therefore it is critical to follow these three steps:
- Read the service provider’s SLA thoroughly and make sure you understand it.
- Involve your technical staff invalidating the SLA for common outage scenarios.
- Create contingency plans with your team to undertake in case serious issues occur with the service.
3. IaaS DDoS Attack Mitigation
Distributed denial of service (DDoS) cause your website or applications to run slowly or become completely unavailable. This causes not only your organization to likely lose money, but could heavily impact your loyal customers.
In such an event your customers will be dissatisfied, and may even lose money themselves depending on the type of business you provide.
To remediate the problem you will have to ramp up your customer service support while trying to mitigate the technical problem at hand.
The more you prepare for different types of attacks and targets, the more prepared you and your service provider will be for DDoS attacks.
If the attacker’s efforts are blocked, they will often give up and move onto easier targets. Therefore you should develop a DDoS protection plan using industry best practices to reduce the risk of your business undertaking a DDoS attack.
Application Level SaaS Security Checklist
Following the shared responsibility model we covered in the previous section, we want to delve into the most important cloud security responsibilities of SaaS platform providers.
1.Data Security and Redundancy of SaaS.
Redundancy is an important consideration for SaaS providers as it means that they incorporate extra components into their service so that, in the event of failure, there will still be a backup.
Essentially it ensures that your business is able to retrieve information at any given time, regardless of any expected or unforeseen downtimes from the provider.
Most reputable service providers take security and redundancy extremely seriously. Yet you should still make sure to inquire about the policies of any SaaS vendor you may wish to partner with.
Regardless of how much precaution is taken from the provider, it’s a best practice to have your information on another cloud structure as a backup for any extreme cases.
The following are four questions to ask your potential cloud service provider in relation to data security and redundancy:
Remote replication: Do they have Cloud-to-Cloud backups?
As mentioned in previous sections, it is best practice to always have multiple copies of data and to store them at different locations to be prepared in the event of an issue.
In physical locations, we may think of unfortunate occurrences such as a fire, but in fact, on the cloud, we should follow the same logic.
Your service provider should have your data copied separately onto a completely different cloud structure as a backup.
What security standards do their cloud backups adhere to?
Reputable SaaS providers adhere to strict cloud-to-cloud backups security standards. You will often find that their standards are so high that you would be unable to maintain or recreate these on your own.
Their cloud-to-cloud backup solution will likely include or greatly mitigate the following security standards:
- Compliance in SSAE 16.
- Cyphers with strong encryptions.
- A membership in Cloud Security Alliance.
- Privacy and Security Certifications (i.e: TRUSTe).
Do the backups created, include metadata?
Metadata is critical for collaboration and control as it contains information about sharing settings, labels, tags, and ownership.
Ultimately metadata helps users find and use SaaS data, and without it there is no context to provide useful information.
While metadata is vital for many companies, there are quite a few backup solutions, including backups provided by vendors like Salesforce, that do not provide metadata.
Users are often not aware of this, which leads to frustration and dissatisfaction when they realize at a later point they are unable to retrieve their data with all of the metadata generated.
Ensure that the SaaS provider you select includes your metadata and customization in the backups.
How are backups monitored?
Even if your potential SaaS provider has a regular data backup regime in place, you should look into how they monitor their backup process.
All backups should be monitored by IT admins and generate status reports and email notifications. The last thing you want is to go to restore your data only to find out that there was an oversight or data corruption which caused an error in the backup.
Additionally, make sure to find out the details from the service provider on what may cause known issues with the backup.
For example, it is quite common that files with zero bytes may cause data corruption.
Understanding these errors and monitoring the error reports can help you avoid data errors which may be detrimental to your business and your customers’ data.
2. SaaS High Availability.
When a service provider has high-availability, it means that they are set up to avoid a single point of failure in each and every component of the system.
Thus this is another factor to consider when choosing a SaaS vendor – are the implementing high availability?
There are great open-source tools and mechanisms to follow which achieve high-available infrastructure in a very reliable way. One outstanding example of this is load balancing.
Using redundancy, SaaS providers can eliminate single points of failure on machines exposed to the open web and HTTP requests.
By duplicating machines that are set up to achieve the same tasks, redundancy is achieved, and therefore a higher security in cloud computing.
The data is controlled and distributed over redundant machines using a load balancer as shown in the diagram above. In doing so the nodes are hidden inside the internal network and only the load balancer is exposed to external requests, thus mitigating security risks.
Most load balancers run on Nginx and its round-robin algorithm to distribute the requests between nodes. Nginx is an excellent option as it takes care of tasks such as node management, conducting periodic health-checks for the nodes, and even getting them back in line after failure recovery.
Additional configuration would typically be carried out to ensure best practices for cookie sticking, caching and consistent and reliable headers (i.e: client’s IP address).
3. SaaS Uptime.
Uptime is the amount of time that a service is online and available to your business, measured against the amount of time that it is unavailable.
Naturally we all seek to have 100% uptime, but in reality, nothing can be fully bulletproof.
Therefore it’s important to understand the uptime that your provider is supporting and to calculate what that means for your business.
How much uptime can you afford? How much downtime is tolerable?
Large SaaS providers often promise 99.9% uptime.
While this might be great if we are referring to a test score, it could be quite problematic for a business. Essentially 99.9% uptime means under 43 minutes of downtime per month, or under 8 hours 45 minutes per year.
If this downtime occurs at 2 am on a Sunday night, this may be acceptable, or maybe not if you run an international service.
The best SaaS providers may guarantee 99.99% or higher uptime per year.
While this might frighten you, just consider that often physical data centers, especially those catering to small or medium businesses, offer guarantees of uptime far below those of SaaS providers.
Also, consider that SaaS providers main business and concern is always their uptime so it is what they most like to uphold to not risk ruining their reputation in the industry.
When considering a SaaS provider, here are the main questions you should ask:
- When is the service guaranteed to be available in terms of percentage of the time?
- What is their definition of “downtime”?
- How does the provider attempt to reduce downtime?
- What are the consequences for the provider in case the downtime exceeds the SLA?
Scheduled vs. unscheduled downtime.
As with any technology, improvements and updates need to be made to better a service, and unfortunately, cloud services are no exception to this rule. That means that there may be scheduled downtime to make such updates.
SaaS providers consider scheduled maintenance as “planned outages” rather than downtime.
While this might seem logical, for some businesses having the service offline will cause significant a loss in revenues and therefore for them, it is considered a downtime. For instance, an airline reservation system loses about $89,000 per hour of downtime, regardless of whether or not the unavailability was scheduled or not.
Therefore when evaluating service providers, thoroughly understand what “downtime” means in the SLA and exactly how uptime is calculated.
Uptime Guarantees: How does a SaaS provider prevent downtime?
As previously stated, the business of a SaaS provider is to keep their clients satisfied by keeping their service online and preventing downtime.
When an on-premise server goes down, only that business is affected, but if a SaaS multi-tenant server goes down, it affects several businesses. SaaS providers treat downtime with the utmost importance and implement preventative measures to minimize the risk of downtime.
Best-in-Class SaaS providers use server clusters with built-in redundancy and replication.
These clusters are typically deployed in geographically dispersed data centers to ensure availability of service.
Penalties for excess downtime
The starting point of calculating excess downtime is by assessing the daily cost to your business of going offline.
How many clients would you lose?
This is why it is important to ensure the SaaS provider you choose has excellent disaster recovery and redundancy plans and also to understand what happens in the worse case that it goes down.
What financial compensation will they offer if there is excessive downtime?
Having a deep understanding of this number, empowers you to understand if it is worth it when comparing what excessive downtime means for your bottom line.
4. SaaS Audit Recordkeeping
Regardless of the type of business which you are operating in, you should be able to retrieve records from your cloud provider at any time to audit records or monitor access to your service and the data you store on it.
The information available to you from your cloud provider will impact your ability to respond to negative or malicious activity.
When looking at a service provider, make sure you are fully aware of what information can be made available to you and in what time frame.
Select a SaaS provider that will give you the confidence that the information they provide will meet your needs to deal with attacks or malicious behaviors.
Security Compliance Auditing.
Security compliance auditing is an assessment of a cloud services provider (CSP) to security-related requirements. At the very least a CSP should be able to ensure compliance with regulations and standards, as well as deploy their customers’ applications and store their data securely.
The regulations and standards which a SaaS provider must adhere to significantly depend on the industry sector of their clients.
In the healthcare and utility sectors, there are strict data privacy and protection regulations requirements.
If a cloud service provider wishes to serve clients in these sectors, they must prove that they comply with the standards and regulations of the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the Federal Risk and Authorization Management Program (FedRAMP).
In order to meet these, their solution must have characteristics such as dynamicity, multi-tenancy, and elasticity.
Regulatory organizations such as HIPAA and PCI DSS state that it is the responsibility of both sides to adhere to standards and regulations.
If you are operating in these sectors and looking for a SaaS provider, it is also your responsibility to make sure that they are up to date with compliance.
Cloud providers may be asked by users at any point to demonstrate evidence of compliance with these regulatory requirements in different industry sectors.
The figure above illustrates the landscape of cloud security compliance. SaaS vendors that provide tenants with credible and trustworthy compliance information at any time hold a significant competitive advantage and are likely more reliable than others in comparison.
Compliance standards in the cloud.
There are two types of standards when ensuring compliance with different security frameworks in the cloud: vertical and horizontal.
The horizontal standards may be applicable to many industries across the board, while the vertical standards are specific to each industry.
Various standards, both horizontal and vertical, have been supplemented to guide certification in the area of cloud computing and software as a service.
Apart from these two frameworks, other organizations and groups such as the Cloud Security Alliance (CSA) have addressed standardization issues related to SaaS.
They promote best practices to streamline the security levels provided in cloud computing.
The CSA’s cloud security governance, risk management, and compliance stack encourage service providers and cloud tenants to build mutual trust and increase compliance standards.
Modular compliance approach.
As previously discussed, certain industries must follow stringent compliance standards such as PCI/DSS, HIPAA, ISO 27017 and ISO 27001.
These industries, hold highly sensitive information about users and must, therefore, adhere to very high-security requirements.
This often results in a need for a large set of controls that must exist in the cloud infrastructure of the SaaS provider.
Nonetheless, there are many crossovers and similarities between the requirements of these standards in data storage integrity, data storage obfuscation and access control.
Therefore a reputable SaaS should make baseline security provisions that cover the most common requirements across different industries and regulations.
This baseline dynamic in the cloud to be adapted and changed for different compliance frameworks and clients.
Likewise, in order for there to be an efficient auditing approach, there should be a modular structure which supports these common requirements in the baseline security requirement which allows for additional control modules to be added as needed for additional frameworks.
Essential Security Accreditations for SaaS Solutions: Mitigated Responsibilities & Protocol
When selecting a SaaS provider, it is important to compare and understand all of the information we have provided for you.
After your research, you should feel that you can trust their application, infrastructure, and procedures.
If you do not have this trust or the cloud service fails you, you are vulnerable to security issues and loss of users, which can directly affect your bottom line. This may have a detrimental effect on your business’ growth, revenue, and credibility.
Of course, research and information that you find online or obtain from the SaaS provider can only take you so far and may still leave your doubting the validity of the information.
Accreditations are good indicators of how the provider operates.
To ensure that your cloud service provider has trustworthy security and availability to provide for the application or service you will use, they should meet most of the following five core accreditations.
- SOC 2 – Demonstrates a level of trust.
- ISO 27001 – Demonstrates the security management of Information.
- ISO 27018 – Level of protection of personally identifiable information.
- PCI DSS – Demonstrates the level of security for payments.
- ISO 22301 – Demonstrates continuity of business.
Many corporations will not work with SaaS providers unless the meet these five accreditations.
1. SOC 2 – Trust
SOC 2 is a standard designed specifically for SaaS operations. It is based on the five trust service principles:
- Security: does it protect against unauthorized access?
- Availability: can they ensure it will be up and running?
- Processing integrity: does it perform all transactions correctly?
- Confidentiality: is information in the system properly protected?
- Privacy: is personal data handled correctly?
A SOC 2 report demonstrates the infrastructure, software, people and procedures that a SaaS provider has in place to provide a service based on these aforementioned principles.
Each SOC 2 report includes the principles of security and availability as these are arguably the most important.
If a cloud service does not protect against improper access or has no standards to ensure it stays running, then there is no use of the service for the customer – it ultimately defeats the purpose for you to use a cloud service.
Likewise, the confidentiality principle is also extremely important and common, as most SaaS systems hold valuable data for their clients, and therefore the way they handle this data should be carefully monitored.
On the other hand, the principles for processing integrity and privacy will usually only be in reports of SaaS systems which deal with financial transactions or personal health data where these principles are more relevant.
In order for a provider to obtain SOC 2, they must undergo thorough testing and auditing by a third-party. So that it is a trustworthy accreditation and indication of trust for the provider.
2. ISO 27001 – Information security management
ISO/IEC 27001:2013 is the international standard for an ISMS (information security management system) – a risk-based approach to information security that encompasses people, processes and technology. Independently accredited certification to the Standard is accepted around the world as proof that an organization is following information security best practice.
In the context of cloud services, it sets out to keep information that is entrusted to SaaS providers by third parties secure.
For a SaaS provider to achieve the ISO 27001 accreditation, they must have a systematic and documented approach to securing data in place, under the information security management system (ISMS) compliance umbrella.
Every cloud service provider’s ISMS will be uniquely implemented and always rigorous.
SaaS providers with ISO 27001 certifications prove that they take threats and vulnerabilities to their systems very seriously.
ISO 27001 compliance gives confidence to all stakeholders that international best practice to mitigate threats and vulnerabilities is strictly being followed.
ISO 27001 enabled cloud service providers set compliance in place to not only avoid penalties but for also regulatory and reputational purposes.
3. ISO/IEC 27002
Whilst ISO/IEC 27001 is a certification standard that formally defines the mandatory requirements for an Information Security Management System (ISMS), ISO/IEC 27002 is a generic code of practice guideline document used to indicate suitable information security controls within the ISMS.
ISO/IEC 27001 incorporates a summary of controls from ISO/IEC 27002.
It recommends information security controls addressing information security control objectives arising from risks to the confidentiality, integrity and availability of information.
Organizations that adopt ISO/IEC 27002 must assess their own information risks, clarify their control objectives and apply suitable controls using the standard for guidance.
The standard is structured logically around groups of related security controls. Among the best practices called for in ISO/IEC 27002 are:
- Data access controls.
- Cryptographic control of sensitive data.
- Management and protection of encryption keys.
- Recording and archiving “all significant events concerning the use and management of user identities and secret authentication information” and protecting those records from “tampering and unauthorized access.”
Here is a breakdown summarizing the 18 sections or chapters in ISO/IEC 27002:
- Section 0: Introduction.
- Section 1: Scope.
- Section 2: Normative references.
- Section 3: Terms and definitions.
- Section 4: Structure of this standard.
- Section 5: Information security policies.
- Section 6: Organization of information security.
- Section 7: Human resource security.
- Section 8: Asset management.
- Section 9: Access control.
- Section 10: Cryptography.
- Section 11: Physical and environmental security.
- Section 12: Operations security.
- Section 13: Communications security.
- Section 14: System acquisition, development, and maintenance.
- Section 15: Supplier relationships.
- Section 16: Information security incident management.
- Section 17: Information security aspects of business continuity management.
- Section 18: Compliance.
4. ISO/IEC 27018 – Protection of personally identifiable information
ISO/IEC 27018 is the code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, and it focuses on protecting the personal data in the cloud.
ISO 27018 compliant SaaS providers are first mandatorily ISO 27001/2 compliant, and then have to work in two ways:
- Augment existing ISO 27002 controls with specific items for cloud privacy, and then
- Provide a completely new set of security controls for personal data.
Because of its popularity, some certification bodies are starting to issue certificates against ISO 27018 – it must be pointed out these are not regular certificates (since such certificates are possible only for management standards, and ISO 27018 is not such a standard) – it seems these certificates are issued as part of the wider ISO 27001 certification audit.
The table below outline the expected additions to the existing IS 27001/27002 controls required for IS) 27018 compliance:
|ISO 27001/ISO 27002 Control Section||Level of additional items in ISO 27018|
|5 Information security policies||Moderate|
|6 Organization of information security||Low|
|7 Human resource security||Low|
|8 Asset management||Low|
|9 Access control||Low|
|11 Physical and environmental security||Low|
|12 Operations security||High|
|13 Communications security||Low|
|14 System acquisition, development and maintenance||Low|
|15 Supplier relationships||Low|
|16 Information security incident management||Moderate|
|17 Information security aspects of business continuity management||Low|
And then the new set of security controls for the protection of personal data in the cloud are:
- Rights of the customer to access and delete the data.
- Processing the data only for the purpose for which the customer has provided this data.
- Not using the data for marketing and advertising.
- Deletion of temporary files.
- Notification to the customer in case of a request for data disclosure.
- Recording all the disclosures of personal data.
- Disclosing the information about all the subcontractors used for processing personal data.
- Notification to the customer in case of a data breach.
- Document management for cloud policies and procedures.
- Policy for return, transfer, and disposal of personal data.
- Confidentiality agreements for individuals who can access personal data.
- Restriction of printing personal data.
- Procedure for data restoration.
- Authorization for taking the physical media off-site.
- Restriction of usage of media that does not have encryption capability.
- Encrypting data that is transmitted over public networks.
- Destruction of printed media with personal data.
- Usage of unique IDs for cloud customers.
- Records of user access to the cloud.
- Disabling the usage of expired user IDs.
- Specifying the minimum security controls in contracts with customers and subcontractors.
- Deletion of data in storage assigned to other customers.
- Disclosing to the cloud customer in which countries will the data be stored.
- Ensuring the data reaches the destination.
SaaS providers with ISO 27018 compliance provide excellent cloud-specific security details.
Newer SaaS providers will typically start with ISO 27001 compliance and add bits and pieces from ISO 27018 as they progress to be fully ISO 27018 compliant.
5. ISO/IEC 22301 – Business continuity
Disruptive incidents and loss of service can be extremely costly for SaaS companies and the businesses that they serve.
ISO 22301 requires cloud service or SaaS providers to instate a detailed business continuity strategy.
As defined by the ISO, this set of standards specifies requirements to “plan, establish, implement, operate, monitor, review, maintain and improve your infrastructure, to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.”
For a SaaS business to achieve ISO 22301 compliance, the compliance of its infrastructure partner or IaaS provider is critical.
Achieving the controls and standards of this certification is to a large degree hardware dependent.
You need to check the accreditation of even the best web hosting providers of the SaaS providers that you partner with.
Here is an ISO 22301 checklist summary:
- Management support: Getting management buy-in both financial and human resources.
- Identification of requirements: List all requirements and define how to communicate with each of the stakeholders/interested parties.
- Business continuity policy & objectives: Define some of the main responsibilities and rules in your business continuity policy.
- Support documents for management systems: Define your procedures: documents and records control, internal audit, and corrective actions.
- Risk assessment & treatment: Define incidents and which controls (i.e., safeguards) you can apply to mitigate them.
- Business impact analysis: Define how quickly you need to recover (before you go bankrupt), and what you need in order to succeed with such recovery.
- Business continuity strategy: Outline how to achieve all this with a minimum level of investment.
- Business continuity plan: Set up incident response plans by defining the initial reaction to an incident, and recovery plans that outline actions to be taken to get back running again.
- Training & awareness: Manage the training of employees and third parties on how to perform certain steps in your plan.
- Documentation maintenance: Detail continuous changes to reflect the current circumstances.
- Exercising & testing: Perform regular exercising and testing.
- Post-incident reviews: Document and review reactions, preparedness, and improvements to after incidents occur.
- Communication with interested parties: Institute a communication plan with regulatory bodies, authorities, owners, employee’s families, media all interested parties.
- Measurement and evaluation: Measure the achievement of RTO during exercising & testing.
- Internal audit: Conduct an internal audit for checks and balances.
- Corrective actions: Find out why the problem has happened and how to make sure it never happens again.
- Management review: Conduct top management review, evaluation and decision making.
6. PCI DSS – Payment Card Industry Data Security Standards
The Payment Card Industry Data Security Standard (PCI DSS) is a standard mandated and enforced by all major payment card brands including Visa, MasterCard, and American Express, to increase controls on cardholder data in a bid to reduce the risk of fraud.
They merged their independent security programs into the PCI DSS.
If your organization handles credit or debit card information for payment processing, you will need to follow Payment Card Industry Data Security Standards (PCI DSS).
Why is PCI DSS important?
As much as PCI DSS is not a government regulation, it carries almost equal weight as law.
Hacks and financial data breaches often have a negative impact on trust, revenue and ultimately lead to penalties or fines being issued.
Implementing the standards in your organization can help reduce the risk of a breach involving payment card information.
Target, the second-largest department store retailer in the United States had a major breach of cardholder data that not only damaged the company’s reputation with its consumers, leading to 46% drop in profit, but also resulted in the resignation of both its CIO and CEO.
In the event of a breach, PCI compliance reduces the risk of fines levied by credit card brands. In 2010 Heartland Payment Systems had a data breach, and Visa fined it $60 million.
Fines levied by payment card brands tend to be sent to the merchant bank that processes your credit card transactions.
The banks ultimately pass the bill to your company and will typically also increase transactions fees or on rare occasions terminate your business relationship altogether.
Tessa Wuertz, Director of Marketing at efelle creative, explains why protecting customers’ data is so important and why she looks to SaaS solutions:
“Trusting a one-off developer who you met online with other people’s credit cards is a risky way to do things. In the ecommerce world, your customers are trusting you with their credit card.
By making sure that the solution to your problem has been well researched, you are ensuring your customers that they can trust you and their information is in safe hands.”
Each credit card brand has different validation requirements.
Visa, for instance, uses transaction volume to divide merchants into four levels. Each level requires additional validation requirements and starts to apply to merchants that process over 20,000 Visa transactions per year.
Here is a summary:
Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) perform validation.
Annual and quarterly validation steps include:
- Complete Report on Compliance (ROC).
- Perform vulnerability scanning by a PCI SSC-approved scanning vendor (ASV).
- Complete Attestation of Compliance for service providers or merchants, if applicable.
- Submit ROC, passing scan, and Attestation of Compliance to acquirer or payment brand.
The 12 PCI Requirements
The PCI DSS compliance outlines 12 individual compliance requirements. Each of the 12 requirements contains detailed sub-requirements.
The PCI DSS primarily applies to security controls that protect card account numbers. But whenever your organization stores or handles card account numbers, additional card cart data, such as the cardholder name, address, expiration date, and service code must also be secured.
Organizations are mandated to never store sensitive authentication data such as magnetic stripe data, chip card data, CVC, CVV, and PIN numbers.
For PCI DSS compliance, all merchants are required to submit annual and quarterly reports.
|Build and Maintain a Secure Network||1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters.|
|Protect Cardholder Data||3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across|
|Maintain a Vulnerability Management Program||5. Use and regularly update antivirus software on all systems commonly affected by malware. 6. Develop and maintain secure systems and applications.|
|Implement Strong Access Control Measures||7. Restrict access to cardholder data by business need-to-know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data.|
|Regularly Monitor and Test Networks||10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes.|
|Maintain an Information Security Policy||12. Maintain a policy that addresses information security.|
According to a Verizon compliance report, only 11% of organizations meet all 12 PCI requirements.
How Cloud Services Achieve PCI DSS Compliance
How are key ways cloud rendered services secure PCI DSS compliance:
- They audit where card data is stored and how card data is transmitted.
- They prevent card data from being uploaded to unsecure cloud applications by enforcing data loss prevention policies across cloud services.
- They enforce strong password policies using single sign-on solutions.
- They ensure the capture of audit trails of every user action including user, date and time stamps, results, and affected resource names using third-party auditing tools if not natively available.
- They carry out regular audit security checks and stress tests using third-party assessors of cloud providers.
- They create an incident response plan and implement an anomaly detection solution across cloud services to detect security breaches.
- They encrypt data stored in cloud services using tenant managed encryption keys so data is inaccessible to third parties in the event of a breach to reduce liability.
- They have options to bring the storage and processing of cardholder data onto internally controlled systems. This basically creates a hybrid cloud.
Compliance with Third Party Payment Providers
If PCI compliance is handled by PayPal, it offers services such as Website Payments Standard, Online Invoicing, and PayPal Checkout.
PayPal in effect handles payment card information on your behalf with all PCI Compliance risks offloaded to PayPal.
If PCI compliance is to be handled by store owners, PayPal offers two services Website Payments Pro or Virtual Terminal to handle card payment data directly.
Stripe another payment processor is audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider, which is the most stringent level of certification available.
Third party payment providers still emphasize that PCI compliance is a shared responsibility that applies to both them and merchants; and so advise that accepting payments, must be conducted in a PCI compliant manner.
The simplest way to achieve PCI compliance is to never see (or have access to) card data at all. Services like Stripe ensure PCI compliance to merchants on the following basis:
- That they use Stripe’s Checkout, Stripe.js and Elements, or Strips mobile SDK libraries to collect payment information, which is securely transmitted directly to Stripe without it passing through any other servers.
- That merchants serve their payment pages securely using Transport Layer Security (TLS) so that they make use of HTTPS.
- And that merchants review and validate their account’s PCI compliance annually.
7. Security Questions to Ask Your SaaS Provider
Now that you have a working understanding of SaaS security, the questions outlined below will help you quickly assess the security readiness of any SaaS provider you want to engage with or even existing providers so that you ramp up security.
Do you provide a single-tenant hosting option for separating our data from other customers?
In a multi-tenant SaaS deployment, your organization’s data may sit side-by-side with other companies data.
This may pose a risk of data leakage out of your environment.
Even with virtualization, although separation is easier, virtual operating systems are still subject to the same risks and vulnerabilities
Your SaaS providers should be able to show you the results of regular tests they run for data leaks.
If they are unable to, then you are probably better off insisting on a single-tenant data storage option.
How do you handle penetration testing?
Your SaaS provider should regularly run threat assessments as well as tests that verify its ability to withstand denial-of-service attacks.
If a service provider doesn’t invest in creating regular processes for penetration testing, its risk increases exponentially.
Can you share your backup and recovery plan? Do you run cloud-to-cloud backups?
Get an understanding of their business continuity strategy in the face of denial-of-service attacks and natural or man-made disasters.
Information such as the physical location of their hosting facility as well as data ownership laws within those jurisdictions will be helpful.
What breaches has the company had if any, and how did it manage them?
Focus on their resolution and policy changes after the breach.
How does the provider’s security policy match my company’s?
Run a like-for-like comparison of your organization’s security policy against the SaaS provider’s security policy.
In some cases, a SaaS provider’s security measures could be more sophisticated than that of their small to mid-sized customer’s capabilities.
What are your user authentication and user sign-on policies?
Although a great majority of SaaS applications are securely assessed via the Internet with a username and password, a growing number of companies are working with their service providers to pull the SaaS sign-in process into the bounds of their firewall or VPN, providing a higher degree of authentication.
What data encryption policies do you have in place for the storage and transfer of data?
Insist on the strongest encryption levels possible. 128-bit SSL encryption is now fairly typical, strive to higher encryption levels wherever possible.
Who manages the application on the back end, and what policies are in place to thwart insider breaches?
What do user administration rights look like? Who has the right to view certain tiers of data?
Technology as The Solution
Data and ecommerce security is too important of a responsibility to employ alone. Plus, managing the servers and the teams that protect data can develop into a costly venture for any ecommerce business.
Johnny Gregory, Client Partner at Fortuitas, emphasizes the importance of ecommerce security and wisely choosing a secure platform:
“Use trusted solutions, don’t try to tackle it on your own, i.e. self hosting your ecommerce website. That can get very costly and is often times insecure unless you have a network security team.”
BigCommerce takes care of website hosting and security—giving teams more time to run their companies.
Hosted ecommerce platforms are often more secure and don’t require a high level of expertise compared to self-hosted software solutions.
Each BigCommerce store is protected by multiple layers of security to prevent unauthorized access, including perimeter and server-specific firewalls, file integrity scanners, intrusion detection software, and 24/7 human monitoring.
Online store data is also replicated on two data centers at a minimum, with backups hosted at a third site.
With servers certified at Level 1 PCI DSS 3.2, our ecommerce platform defends against credit card data breaches and eliminates the massive cost and hassle of handling compliance in-house.
All BigCommerce plans offer HTTPS across the entire site. Shoppers can feel comfortable knowing an online store is secure from the first page they visit through the checkout process.
Moreover, cutting-edge DDOS mitigation can cost more than $5,000 a month on traditional hosting platforms. With no extra cost to our Enterprise users, this benefit is our standard to protect websites from attacks.
Safeguarding data from breaches and managing all aspects of ecommerce security shouldn’t strain a business. BigCommerce alleviates the pressure with unmatched security performance.
Want more insights like this?
We’re on a mission to provide businesses like yours marketing and sales tips, tricks and industry leading knowledge to build the next house-hold name brand. Don’t miss a post. Sign up for our weekly newsletter.
Less Development. More Marketing.
Let us future-proof your backend. You focus on building your brand.
Are Security Concerns Keeping You From Diving Into SaaS?
Read our technical deep dive on SaaS security for ecommerce businesses.