Use Software as a Service (SaaS) securely

What it is

Software as a service (SaaS) is the name for software that you access by visiting a website and logging in instead of downloading it onto your computer. Examples of software-as-a-service are Facebook, Xero and Trello.

SaaS products:

• are available from anywhere, you don't have to be in the office to access them
• are provided via the internet, so you don't need to keep any software up-to-date
• can be very flexible, allowing you to add more users when you need to
• can be used from different computers and devices without needing to buy or install more software
• are often built for teamwork, allowing you to collaborate with others on projects.

The risks

• Because the provider manages the hosting, you don't know what security controls they have added to their servers. It's in their best interest to resolve any vulnerabilities they find as quickly as possible – particularly if it's a paid service.
• The service needs a reliable internet connection, so if your staff live rurally or somewhere the internet struggles if there's a lot of traffic online, the service can be a bit slow.
• The service is hosted online and can be found by anyone with an internet connection, which makes securing your accounts really important.
• The policies and features of SaaS tools can change regularly – it's important to keep an eye out for any announcements or emails to make sure you know what's changing and what impact it might have for you.

How to protect your business

Choose the right products

When you're choosing a SaaS product, look on their website for a page called security. Find out how they plan to store and use your information. Providers often mention which standards they meet and which security controls the product offers – look for what they say about:

• encryption at rest
• encryption of data in transit
• logging
• disaster recovery or backups.

Search the product name and 'security review' – most mainstream products have had some due diligence done by other organisations and the results are often online.

Things to check:

• Can you choose a good quality, long passphrase?
• Can you turn on two-factor authentication?
• Can you use another account such as Google or Microsoft to log in instead?
• Can you view what data is stored?
• Can you export your data if you need to move to another tool, or delete it if you need to?

Keep your SaaS accounts secure

Choose unique long passphrases for your accounts and where you can, make sure that all members of your team do the same. Check the security settings for your account for password controls such as setting a minimum password length.

Create a password policy for your business

Use two-factor authentication if it’s available. It's not always obvious – it's worth searching to see if it's offered. Try looking in your account details under security or privacy settings.

Protect your business with two-factor authentication

Manage user access

If there are different levels of access available, give the least amount of access needed to get the job done. For example, you probably only need to give one or two people the ability to give new users access, rather than everyone in the company.

Remove users when they're not needed anymore – if they leave the company for example. This is not only good for security but can help keep the cost down.

Keep devices up to date

Remember that SaaS tools are accessed from your computer and device. It's important that these devices and the software installed on them are kept up-to-date. Help your team to turn on automatic updates for all the software they use. This includes the web browser and the operating system.

Keep up with your updates

Using Software as a Service (SaaS) securely – National Cyber Security Centre UK