Guidance

SaaS security collection

Created: 11 Jun 2018
Updated: 11 Jun 2018
Guidance for organisations looking to use, deploy, and understand the risks of adopting a range of popular Software as a Service (SaaS) applications.

Software as a Service (SaaS) applications are increasingly popular. Many of us use them on a daily basis, so it's important we know how to check if they are suitably secure.

To do this, the NCSC have developed a set of SaaS security principles, derived from a slimmed-down subset of the NCSC's cloud security principles. These SaaS security principles represent our judgement as to the minimum set of security attributes you should seek to understand before using a SaaS offering.

We have used the SaaS security principles to assess the security properties of a range of popular SaaS offerings. You can find these in the security reviews section below. You should read these as worked examples, demonstrating how the principles can be used to evaluate the suitability of any service you are interested in. Given that these services evolve over time, we recommend that you re-test your choice of service periodically.

As our approach provides a minimum level of confidence, your risk management processes might determine that your requirements are more exacting. This will be particularly true for workloads which you deem sensitive, or which are covered by other regulations (such as PCI DSS or GDPR).

  1. Understanding Software as a Service (SaaS) security

    An outline of the NCSC's approach to understanding the security of Software as a Service (SaaS) offerings.

  2. SaaS security principles

    A brief description of the criteria developed by the NCSC to evaluate the security of various 'Software as a Service' (SaaS) offerings.

SaaS security reviews

  1. Basecamp security review

    A security review of the Basecamp project management tool, based on the NCSC's SaaS security principles.

  2. Confluence security review

    A security review of the Confluence collaborative working tool, based on the NCSC's SaaS security principles.

  3. G Suite security review

    A security review of Google's G Suite productivity tools, based on the NCSC's SaaS security principles.

  4. Jira security review

    A security review of the Jira issue tracking and planning tool, based on the NCSC's SaaS security principles.

  5. MailChimp security review

    A security review of MailChimp, the email service provider, based on the NCSC's SaaS security principles.

  6. Office 365 security review

    A security review of Microsoft Office 365 productivity tools, based on the NCSC's SaaS security principles.

  7. Slack security review

    A security review of the Slack real-time messaging and file sharing application, based on the NCSC's SaaS security principles.

  8. Smartsheet security review

    A security review of the Smartsheet application for managing collaborative work, based on the NCSC's SaaS security principles.

  9. Stride security review

    A security review of the Stride enterprise communications tool, based on the NCSC's SaaS security principles.

  10. Trello security review

    A security review of the Trello Kanban-style collaboration tool, based on the NCSC's SaaS security principles.

  11. Yammer security review

    A security review of Yammer, an enterprise social networking service, based on the NCSC's SaaS security principles.

  12. Zendesk security review

    A security review of Zendesk, a ticketing system to improve customer relations, based on the NCSC's SaaS security principles.
