Software as a service

Find out the pros and cons of using software as a service (SaaS) products and our advice on how to keep those accounts secure.

Software as a service (SaaS) is the name given to software that you access via your browser by visiting a website and logging in, instead of downloading it onto your computer.

Examples of software as a service are Facebook, Xero and Trello.

Benefits of SaaS

There are several benefits to SaaS – these include:

  • It’s available from anywhere, so you don’t have to be in the office to access it.
  • As the software is provided via the internet, you don’t need to remember to keep it up-to-date.
  • They can be very flexible, allowing you to add more users when you need to.
  • You can use them from different computers and devices without needing to buy or install more software.
  • Most SaaS products are built for teamwork, allowing you to collaborate with others on projects.

Disadvantages of SaaS

SaaS products are quick to start with and can provide a lot of benefit to your business. There are a few things to be aware of:

  • Because the provider manages the hosting, you don’t know what security controls they have added to their servers. Luckily it’s in their best interest to resolve any vulnerabilities they find as quickly as possible – particularly if it’s a paid service.
  • The service needs a reliable internet connection, so if your staff live rurally or somewhere where the internet is a bit slower when there’s a lot of traffic online, the service can be a bit slow.
  • The service is hosted online and can be found by anyone with an internet connection. This makes securing your accounts really important.
  • Sometimes the policies and features of SaaS tools change without us noticing. It’s important to keep an eye on any announcements they make or emails they send you to understand how these changes might affect your data or users.

Evaluating SaaS products

There are a couple of things to look for when choosing a SaaS product to use.

  • Look on their website for a page called ‘security’. These pages lay out how they plan to store and use your information. They often also mention which standards they meet and which security controls the product offers.
  • Search their product name and ‘security review’. Most mainstream products have had some due diligence done before by other organisations and the results are often online.
  • Check that the tool allows you to secure your accounts:
    • Can you choose a good quality, long passphrase?
    • Can you turn on two-factor authentication?
    • Can you use another account such as Google or Microsoft to log in instead?
  • See if you can find information about their security controls – what do they say about:
    • encryption at rest
    • encryption of data in transit
    • logging
    • disaster recovery or backups.
  • Understand what control you have over your data:
    • Can you view what is stored?
    • Can you export the data if you need to move to another tool?
    • Can you delete your data if you decide to?
    • Can you get a trial account to test this out?

Securing SaaS accounts

Like any account, SaaS accounts need to be kept secure. Here are a few steps you can take to keep your account safe:

  • If there are different levels of access available, give the least amount of access needed to get the job done. For example, you probably only need to give one or two people the ability to give new users access, rather than everyone in the company.
  • Choose unique long passphrases for your accounts and, where you can, make sure that all members of your team do the same. Check the security settings for your account for password controls such as setting a minimum password length.
  • Use two-factor authentication if it’s available. It’s not always obvious – it’s worth searching to see if it’s offered. Try looking under your account details under security or privacy settings.
  • Remove users when they’re not needed anymore – if they leave the company for example. This is not only great for security but can help keep the cost down.
  • Remember that SaaS tools are accessed from your computer and device. It’s important that these devices and the software installed on them are kept up-to-date. Help your team to turn on automatic updates for all the software they use. This includes the web browser and the operating system.

Visit CERT NZ for more information.
Visit ACSC for more information.