Blog post

SaaS security - surely it's simple?

Created:  11 Jun 2018
Updated:  11 Jun 2018
Author:  Andrew C
Part of:  SaaS offerings
Cloud nuts

The NCSC's new SaaS security collection provides a lightweight approach for determining the security of any SaaS application. The collection also includes security reviews of the 12 most asked-about SaaS services used across UK government. This blog post explains the history behind our approach, and how we used it to produce the security reviews.

 

From risk avoidance to risk management

You may be familiar with our Cloud security principles; 14 essential areas to consider when selecting a cloud service. Your feedback suggests that although these principles work well when applied to a complex cloud-based setup, they're just too heavyweight for everyday situations (such as choosing a SaaS service).

Our new guidance makes the process of choosing a suitably secure SaaS product much easier. A streamlined approach ensures these products can be used by your organisation in a managed way, with clear policies, based on both the data that you handle and the level of confidence you have in the product. This avoids the situation where perhaps a blind eye is turned to using a SaaS product because - for example - it's obviously practical, but you're unclear on how to establish the required level of confidence in its security. Applying this guidance allows you to move away from this risk avoidance, towards risk management.

 

Nuts and bolts

The guidance describes key areas you should consider before using a SaaS product, all of which should be fairly easy to figure out from looking at the provider's website, or through some quick interactions with the service support team. For example: if the login page isn't served over TLS - that is a big red flag. This approach (discussed in Andrew's 'Cloudy with a chance of transparency' blog) means that the more open and transparent a vendor is, the more confident you can feel about their security.

The SaaS security collection also includes reviews of 12 commonly asked-about SaaS services used across UK government. These reviews can help you make a relatively quick decision about the suitability of a service for common enterprise use, with the full set of cloud security principles reserved for more complicated scenarios. You should, ideally, use the SaaS security collection to conduct your own enquiry into the suitability of a product.

 

More feedback

This is a draft set of documents. We're really keen to hear more feedback from you. We will be reviewing and updating the guidance based on the feedback we receive over the next few months. You can get in touch by leaving a comment on this blog, or via our enquiries team

 

Andrew C

Principal Product Security Specialist

3 comments

Simon - 21 Jun 2018
Could you clarify if these services are approved for OFFICIAL and OFFICIAL SENSITIVE information? The Information Assurance team in our department say they're definitely not approved for use with OFFICIAL information so this is quite confusing as we really want to use tools like Trello. Thank you!
Andrew C - 13 Jul 2018
Hi Simon, thanks for getting in touch.

The SaaS framework we published is there to help people understand some fundamental security aspects of SaaS solutions. We don’t ‘approve’ or ‘accredit’ cloud services – it’s for organisations to decide which risks they are comfortable with taking, but our aim is to help people find pertinent information to make informed decisions.

When it comes to OFFICIAL-SENSITIVE, firstly it’s important to note that OFFICIAL-SENSITIVE isn’t a different classification to OFFICIAL. The SENSITIVE caveat is there to inform people handling that information that it needs to be handled carefully, usually implying a need to know. When choosing SaaS tools, if you plan to use them with OFFICIAL-SENSITIVE information, it would be important to choose products that can help you enforce that need to know.

Many services will offer features like privilege management or access control that can help with that.
Jack - 24 Jul 2018
Simon's comment and the answer sums up the problem nicely. NCSC can issue all the guidance they want but the folks in control still default to "SAAS is Bad" and not suitable for Official.

Leave a comment

Was this blog post helpful?

We need your feedback to improve this content.

Yes No