The Four Big Risk Categories Every SAAS Application Must Address

From corruption to recovery: Understanding the top SaaS risks and how to address them so companies can create better SaaS solutions.

By Aviad Mizrachi · Aug. 24, 23 · News

When enterprises select a SaaS provider for mission-critical applications, they are placing a bet on that product and vendor. Smart customers understand that they must minimize risks to their security and their business. Not surprisingly, many CISOs and security organizations today require that every SaaS application goes through a thorough security vetting process where the SaaS provider will explain how the product mitigates risks and enhances security. 

Additionally, CFOs and their audit teams must analyze and judge the business risk posed by any SaaS product inserted into their enterprise workflows. These teams are not only trying to identify the obvious risks, like business continuity and risk to customers but also other orthogonal risks, such as impacts on operational excellence that might result from improper project versioning or feature roadmaps.

In reality, every customer will have slightly different needs and requirements, so it’s important to build a foundational strategy that underpins the design and implementation of your SaaS service. By assessing and addressing data risks, access risks, compliance risks, and business risks, SaaS organizations create comprehensive and secure solutions for their customers. 

Data Risks: Theft, Corruption, and Loss

SaaS providers are frequent targets of attackers seeking to steal customer data, and such attacks become more common as businesses move critical functions online. Data risks refer to the potential loss, leakage, theft, or breach of sensitive data that is stored and processed by the SaaS provider. Sources of data theft risk include misconfigurations, human error, malicious attacks, and third-party access. While theft is the worst case, data corruption and data loss can also considerably disrupt business operations, and regulatory risk grows as data protection policies continue to evolve.

Data failures and breaches of any sort can have serious consequences for customers, such as legal, financial, or reputational damages.

To address data risk questions in a SaaS security audit, a SaaS application maker must:

  • Implement strong encryption for data at rest and in transit
  • Use secure authentication and authorization mechanisms, ideally using a zero-trust architecture
  • Provide data backup and restore options for customers and explain how they are architected at the infrastructure level
  • Monitor and audit data access and activity and offer log file exports so customers can determine on their own whether
  • Comply with data protection regulations and standards

Access Risks: Unauthorized Access to Internal Systems

Access risks are the potential for unauthorized or inappropriate access to the SaaS application or its data by internal or external actors. Malicious access risks can result from factors such as weak passwords, phishing, credential theft, privilege escalation, or insider threats. Much access risk, however, is inadvertent: employees who, given their role, are not supposed to be accessing certain systems may be granting access to inappropriate SaaS platforms in an attempt to simplify their tasks. Privilege creep is another common access risk, where users who no longer require access retain it as organizations liberalize policies to enable more self-service IT capabilities. In SaaS applications, access risk is often fueled by a lack of role-based access controls or the inability of SaaS admins to customize privileges to fit their exact use case.

Access risks can compromise the confidentiality, integrity, or availability of the SaaS application or its data. Access risk can also be a compliance risk and might jeopardize hard-won compliance certification status such as SOC-1 or SOC-2.

To address access risks, a SaaS application maker must:

  • Offer strong password policies, provide multifactor authentication options, and enable additional access control measures such as security step-ups based on behavior or context
  • Enable role-based access controls and create a design that supports the least-privilege principle alongside zero-trust methodologies
  • Include security education and training modules to teach SaaS users and admins security best practices
  • Detect and respond to anomalous or suspicious behavior across a wide variety of parameters (impossible travel, unrecognized/blacklisted IP, unusual access patterns, time of day variations, device signatures and agents, encryption and EDM present, network connectivity)
  • Revoke access when no longer needed or authorized based on automated policies addressing common scenarios (removed from group, left organization, has not logged in for a specific duration)
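As an added example (not code from the article or its author), a small Python check over constructed login events that flags two of the signals listed above, impossible travel between consecutive logins and a denylisted source IP, and lists dormant users as candidates for the automated revocation policy; the coordinates, IP addresses and thresholds are assumed values.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample login events (user, UTC timestamp, geolocated coordinates, source IP).
EVENTS = [
    {"user": "alice", "ts": "2023-08-20T09:00:00", "lat": 51.5, "lon": -0.12, "ip": "203.0.113.5"},
    {"user": "alice", "ts": "2023-08-20T10:00:00", "lat": 40.7, "lon": -74.0, "ip": "203.0.113.9"},
    {"user": "bob", "ts": "2023-05-01T08:00:00", "lat": 48.9, "lon": 2.35, "ip": "198.51.100.7"},
]
DENYLIST = {"198.51.100.7"}      # assumed denylisted source IP (documentation address range)
MAX_SPEED_KMH = 900              # faster than a commercial flight counts as impossible travel
INACTIVITY = timedelta(days=90)  # assumed dormant-account revocation threshold


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_anomalies(events):
    """Return (user, signal, detail) alerts for denylisted IPs and impossible travel."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ip"] in DENYLIST:
            alerts.append((ev["user"], "denylisted_ip", ev["ip"]))
        prev = last.get(ev["user"])
        if prev:  # compare with this user's previous login; same-second logins are skipped
            hours = (datetime.fromisoformat(ev["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append((ev["user"], "impossible_travel", round(km / hours)))
        last[ev["user"]] = ev
    return alerts


def stale_users(events, now_iso):
    """Users whose latest login is older than INACTIVITY: candidates for automated revocation."""
    now, latest = datetime.fromisoformat(now_iso), {}
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        latest[ev["user"]] = max(latest.get(ev["user"], t), t)
    return sorted(u for u, t in latest.items() if now - t > INACTIVITY)


if __name__ == "__main__":
    print(detect_anomalies(EVENTS))
    print(stale_users(EVENTS, "2023-08-24T00:00:00"))
```

In production the same checks would run over the provider's authentication logs and feed the step-up or revocation workflow rather than print.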

Compliance Risks: Preventing Legal and Certification Violations

Compliance risks refer to the potential noncompliance with regulatory or contractual obligations related to the SaaS application or its data. Compliance is becoming more complicated due to the growing list of national, regional, and (in the U.S.) state-level compliance laws. While GDPR and the CCPA are the two most commonly cited compliance laws, each European country may have its own compliance systems and enforcement mechanisms. In addition, ISO, SOC, HIPAA, PCI, and other certifications levy more complexity and more requirements. For many security reviews, SOC or ISO certification compliance is mandatory, so SaaS providers that cannot demonstrate this competency might find themselves shut out of deals. 

Compliance risks can result from factors such as lack of awareness, lack of attestation, poor system design, lack of security controls and checks, inconsistency of application, or ambiguity of requirements. Compliance risks can expose the customers of SaaS providers to legal actions, fines, penalties, or sanctions. Because SaaS is an extension of their business, any compliance risk of the SaaS provider is also a risk to the customer.

To address potential compliance risks, a SaaS application maker must:

  • Understand and adhere to the relevant laws and regulations in different jurisdictions
  • Align and harmonize security policies and procedures with customer expectations and agreements and offer sufficient compliance features to match customer requirements
  • Provide transparency and visibility into security practices and controls, with on-demand access to compliance and audit findings
  • Conduct regular audits and assessments to verify compliance status
  • Report and disclose any incidents or breaches that may affect compliance and do so in a timely fashion as mandated by the law

Business Risks: Disaster Recovery, System Access, and Operational Excellence

Business risks refer to the ability of a SaaS provider to identify and remediate risks to their customers' business caused by any number of problems with the SaaS product. Disaster recovery and business continuity are often the primary risks in this segment. Given the high availability of cloud infrastructure and the widespread redundancy of most SaaS applications, disaster recovery risks are more and more associated with system flaws or human actions. These actions might be malicious, in the case of ransomware or wiperware, but can be inadvertent configuration changes that take entire systems offline. 

At an operational level, disaster recovery risks can result from factors such as lack of planning, testing, backup, redundancy, or resilience. An additional disaster recovery risk can be slow or partial system restoration after an upgrade, configuration change, or another piece of scheduled maintenance that goes awry. Furthermore, continuity risks can impair the availability or functionality of the SaaS application or its data. SaaS application providers must not only have a detailed disaster recovery plan but also put in place mechanisms at the infrastructure, data, and application layers to ensure rapid restarts after any outage. 

To address business continuity risks, a SaaS application maker must:

  • Develop and implement a comprehensive disaster recovery plan and make that accessible to customers
  • Test and update the plan regularly to ensure its effectiveness, including simulation drills, system rollbacks, and other realistic exercises 
  • Architect systems to minimize single points of failure and ensure rapid restart and restoration
  • Consistently back up and replicate data across multiple locations and regions, potentially utilizing different services or storage tiers to reduce global system failure risks
  • Ensure adequate resources and capacity to handle peak demand without outages or slow-downs
  • Effectively communicate status and ongoing work to customers during downtime
  • Share and then address the potential impact of product decisions on customers, such as feature additions, blue-green deployments, and canary deployments
  • Provide the ability to quickly roll back or remove functionality that negatively impacts customer operations through granular feature controls

Treat Your Customers Like a Risk, Business and Security Partner

SaaS security is a shared responsibility between customers and providers. Both parties need to be aware of the potential risks and challenges that come with using cloud-based services and take appropriate measures to mitigate them. By addressing the four main categories of SaaS security risks — data, access, compliance, and business — a SaaS application maker can provide assurances and deliver operational excellence that even the most discerning and paranoid SaaS customers can feel good about.
