Network security
Te whakamahi i te Software as a Service (SaaS)

Use Software as a Service (SaaS) securely

Find out the pros and cons of using software as a service (SaaS) products in your business, and our advice on how to keep those accounts secure.

What it is

Software as a service (SaaS) is the name for software that you access by visiting a website and logging in instead of downloading it onto your computer. Examples of software as a service are Facebook, Xero and Trello.

SaaS products:

  • are available from anywhere – you don't have to be in the office to access them
  • are provided via the internet, so you don't need to keep any software up to date
  • can be very flexible, allowing you to add more users when you need to
  • can be used from different computers and devices without needing to buy or install more software
  • are often built for teamwork, allowing you to collaborate with others on projects.

The risks

  • As the provider manages the hosting, you don't know what security controls they have added to their servers. It's in their best interest to resolve any vulnerabilities they find as quickly as possible – particularly if it's a paid service.
  • The service needs a reliable internet connection, so if your staff live rurally, or somewhere the internet struggles when there's a lot of traffic online, the service can be a bit slow.
  • The service is hosted online and can be found by anyone with an internet connection, which makes securing your accounts really important.
  • The policies and features of SaaS tools can change regularly – it's important to keep an eye out for any announcements or emails to make sure you know what's changing and what impact it might have for you.

How to protect your business

  • Choose the right products

    When you're choosing a SaaS product, look on their website for a page called security. Find out how they plan to store and use your information. Providers often mention which standards they meet and which security controls the product offers – look for what they say about:

    • disaster recovery or backups.

    Search the product name and 'security review' – most mainstream products have had some due diligence done by other organisations and the results are often online.

    Things to check:

    • Can you choose a good quality, long ?
    • Can you turn on ?
    • Can you use another account such as Google or Microsoft to log in instead?
    • Can you view what data is stored?
    • Can you export your data if you need to move to another tool, or delete it if you need to?
  • Keep your SaaS accounts secure

    Choose unique long passphrases for your accounts and where you can, make sure that all members of your team do the same. Check the security settings for your account for password controls such as setting a minimum password length.

    Create a password policy for your business

    Use two-factor authentication if it’s available. It's not always obvious – it's worth searching to see if it's offered. Try looking in your account details under security or privacy settings.

    Protect your business with two-factor authentication

  • Manage user access

    If there are different levels of access available, give the least amount of access needed to get the job done. For example, you probably only need to give one or two people the ability to give new users access, rather than everyone in the company.

    Remove users when they're not needed anymore – if they leave the company for example. This is not only good for security but can help keep the cost down.

  • Keep devices up to date

    Remember that SaaS tools are accessed from your computer and . It's important that these devices and the software installed on them are kept up to date. Help your team to turn on automatic updates for all the software they use. This includes the web browser and the operating system.

    Keep up with your updates

    Using Software as a Service (SaaS) securely – National Cyber Security Centre UK