The NCSC's new SaaS security collection provides a lightweight approach for determining the security of any SaaS application. The collection also includes security reviews of the 12 most asked-about SaaS services used across UK government. This blog post explains the history behind our approach, and how we used it to produce the security reviews.
From risk avoidance to risk management
You may be familiar with our Cloud security principles: 14 essential areas to consider when selecting a cloud service. Your feedback suggests that although these principles work well when applied to a complex cloud-based setup, they're just too heavyweight for everyday situations (such as choosing a SaaS service).
Our new guidance makes the process of choosing a suitably secure SaaS product much easier. A streamlined approach ensures these products can be used by your organisation in a managed way, with clear policies, based on both the data that you handle and the level of confidence you have in the product. This avoids the situation where a blind eye is turned to the use of a SaaS product because, for example, it's obviously practical but you're unclear on how to establish the required level of confidence in its security. Applying this guidance allows you to move away from this risk avoidance, towards risk management.
Nuts and bolts
The guidance describes key areas you should consider before using a SaaS product, all of which should be fairly easy to figure out from looking at the provider's website, or through some quick interactions with the service support team. For example, if the login page isn't served over TLS, that is a big red flag. This approach (discussed in Andrew's 'Cloudy with a chance of transparency' blog) means that the more open and transparent a vendor is, the more confident you can feel about their security.
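The "login page served over TLS" check above is the kind of thing you can confirm in a minute from the response headers of the vendor's sign-in page. The script below is an added example (not NCSC code and not part of the guidance) that turns that check, plus two closely related ones a reviewer would look at in the same breath (an HSTS header and Secure/HttpOnly flags on the session cookie), into a list of findings. The two sample responses and the hostname `login.example-saas.invalid` are constructed for the example; `fetch_login_page` shows how you would capture a real page's headers with the standard library, but it is not called by default so the script runs offline.

```python
"""Quick review of a SaaS login page against the 'served over TLS' check.

Added example, not the NCSC's own code. The SAMPLE_* responses are constructed
fixtures standing in for what you would capture from a vendor's real login
page (for instance with `curl -sI <url>`).
"""
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed: a vendor that gets the basics right.
SAMPLE_OK = {
    "url": "https://login.example-saas.invalid/signin",
    "status": 200,
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    },
}

# Constructed: the red-flag case from the guidance (plain HTTP login page).
SAMPLE_BAD = {
    "url": "http://login.example-saas.invalid/signin",
    "status": 200,
    "headers": {
        "Set-Cookie": "session=abc123; Path=/",
    },
}


def _cookie_attributes(set_cookie):
    """Return the lowercase attribute names (Secure, HttpOnly, ...) of a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def review_login_page(response):
    """Return a list of (severity, message) findings for one login page response."""
    findings = []
    parsed = urlparse(response["url"])
    headers = {name.lower(): value for name, value in response["headers"].items()}

    # The check the guidance names explicitly: credentials must travel over TLS.
    if parsed.scheme != "https":
        findings.append(("high", "login page is not served over TLS"))

    # Without HSTS a user's first visit over plain HTTP is not upgraded.
    if "strict-transport-security" not in headers:
        findings.append(("medium", "no Strict-Transport-Security header"))

    # A session cookie without Secure can be sent over plain HTTP later on.
    if "set-cookie" in headers:
        attrs = _cookie_attributes(headers["set-cookie"])
        if "secure" not in attrs:
            findings.append(("high", "session cookie set without the Secure flag"))
        if "httponly" not in attrs:
            findings.append(("low", "session cookie readable by page scripts (no HttpOnly)"))

    return findings


def is_red_flag(response):
    """True when any high-severity finding is present."""
    return any(severity == "high" for severity, _ in review_login_page(response))


def fetch_login_page(url, timeout=10):
    """Fetch a real login page (redirects are followed) and shape it like the samples.

    Not called by default: it needs network access. The final URL after redirects
    is what matters, since many vendors redirect http:// to https://.
    """
    req = Request(url, headers={"User-Agent": "saas-review-check"})
    with urlopen(req, timeout=timeout) as resp:
        return {
            "url": resp.geturl(),
            "status": resp.status,
            "headers": dict(resp.headers.items()),
        }


if __name__ == "__main__":
    for label, sample in (("OK sample", SAMPLE_OK), ("BAD sample", SAMPLE_BAD)):
        print(f"{label}: red flag = {is_red_flag(sample)}")
        for severity, message in review_login_page(sample):
            print(f"  [{severity}] {message}")
```

To review a real service, replace the sample with `fetch_login_page("https://<vendor login url>")` and read the findings; a "high" result is the point at which the guidance suggests you stop and ask the vendor questions rather than proceed.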
The SaaS security collection also includes reviews of 12 commonly asked-about SaaS services used across UK government. These reviews can help you make a relatively quick decision about the suitability of a service for common enterprise use, with the full set of cloud security principles reserved for more complicated scenarios. You should, ideally, use the SaaS security collection to conduct your own enquiry into the suitability of a product.
This is a draft set of documents. We're really keen to hear more feedback from you. We will be reviewing and updating the guidance based on the feedback we receive over the next few months. You can get in touch by leaving a comment on this blog, or via our enquiries team.
Principal Product Security Specialist