Implementing solutions from cloud SaaS products can reduce management overhead and allow you to deliver business value more quickly by focusing on the application layer. Fundamental application considerations, however, still apply to SaaS cloud applications. Security, scalability, performance, data isolation, limits, and capacity are still critical, but could have a different approach when compared to an application deployed on-premises. This section focuses on some of these considerations for SaaS cloud apps.

Security readiness

The responsibility for security in SaaS cloud applications is shared by both the service provider and the customer. That means your existing security policies might not be suitable to meet the security requirements in the cloud. The SaaS service provider processes customer data and is responsible for aspects such as securing the backend infrastructure and encrypting data in transit and at rest. As the data controller, the customer is still responsible for securing access to environments and application data.

The IT information security team should clearly understand the boundaries of these shared responsibilities to ensure the following:

▪ The SaaS service provider meets the organizational security, privacy, and compliance requirements. This is usually verified at the outset, when the platform is approved for use, and supported by a regular review or audit process to ensure continued compliance.

▪ The security team is aware of the controls and configurations required to govern access to data and fulfill the customer's security responsibilities. These could include defining data loss prevention policies, access control policies, and an environment management policy. They usually have a default setup, with a process to manage deviations for specific apps.

▪ The governance process makes sure the application-level security requirements are met. This is primarily managed by the application teams and driven by the business requirements for each app deployment. You might have additional checks before deployment to ensure compliance.

A good example of this is the General Data Protection Regulation (GDPR) in the EU: the SaaS service itself might be fully GDPR compliant from a data processor standpoint, but the customer is still responsible for implementing data controller processes such as handling a "forget me" request or managing marketing consent for contacts.

Organizations need to review their information security policies and ensure that they're cloud ready. Doing this exercise early, before the app deployment cycle, will help avoid delays. It's important to work closely with your cloud SaaS service provider to ensure all your security requirements are met. Microsoft publishes the details of how this shared responsibility for securing data is fulfilled from a data processor perspective on the Microsoft Trust Center, which provides detailed information on our security and privacy policies as well as the certificates of compliance for various regulatory norms and internal standards.