This is the 3rd part of the blog series discussing on benchmarking the maturity of a SaaS solution. Click the following links to see the earlier parts – part 1 and part 2. In this blog let’s look at the various parameters to decide how good your SaaS solution is from a security standpoint.

Data Security

Is tenant isolation taken care at your framework level without depending on the developers to code correctly?

Segregation of Tenants and their data is the most critical aspect in a multi-tenant system. A mistake here can jeopardize the whole organization (both SaaS provider and buyer). Therefore, it is only wise not to depend only on the developers to ensure tenant isolation is implemented properly. While it may be easier to say that it’s the job of testing team to ensure all multi-tenant scenarios are tested properly, this does not work in real-time. Given the pace at which features are added in SaaS applications, it’s not humanly possible to do regression testing of the entire SaaS application in such short span of time. Hence, as a best practice it’s better to have a fool proof way of controlling tenant isolation by having it at a framework level.

Do you have a provision to implement access control at the business layer?

Given that the SaaS application is going to be integrated with multiple external systems, it’s not enough if access control is verified only at the view level. Many times the SaaS application’s business logic is exposed as service to other systems. Therefore, it’s important to implement the security access control at the business service layer as well.

Authentication

Do you support Single Sign On (SSO) with your tenant’s on-premise identity system?

Enterprises would like to keep single point of control for their authentication needs. Increasingly the trend is moving towards having an in-house authentication system (like Active Directory) and have the rest of the SaaS applications integrate to work in a Single Sign On model.

Granularity

Can you control role level access within the tenant?

Role level access is the most common form of restricting user access. While this may serve the purpose for some of the SaaS applications, this does not give the level of granularity to control access.

Do you support action privileges that are independent of role?

Action privileges also called as “permissions” are the ones that determine whether a certain action in the application is possible or not. Examples of Action privilege for a Supply Chain system could be “Purchase Order Approval”, “Add Supplier”, “View Radio Active Materials”, etc. Standard privileges usually include add, edit, view, delete and Action privileges like “Purchase Order Approval”.

Is there flexibility in your security system for the tenants to create and manage their own roles and access control policies?

Every system comes with its default set of roles. However, this may change completely based on the enterprise. Therefore, it’s much easier if the customers (tenants) can create these new roles themselves and define the access rights for the newly created roles.

Can a user be mapped to multiple roles?

This is a basic feature that is expected from any system. However, the key is to allow the roles, privileges and users as loosely coupled so that the tenants can use them in whichever way that is suitable for their environment.

Does your security framework have the ability to control access at a field level?

There are cases where the role may have access to the data except for a particular field. For example, a HR executive should be able to view all employees’ records but except the salary field. Your security framework should provide a dynamic way to mask these fields across the product at runtime.

Does your security framework have the ability to control access at a data row level?

Similar to the previous one, there are scenarios where the rows that are displayed for a user can vary based on a dynamic condition. For example, a Resource Manager can see all the employees data including their salary but only for those employees that report to the given resource manager.

Is the security access taken care at your framework level without depending on the developers to code correctly?

Having a fool proof mechanism for security implementation should be the first goal of any SaaS Architect. Therefore, to ensure the security access control works properly it’s important to implement them at the framework level and not just rely on developer.

Is there a provision for the SaaS implementation team to service your customers on behalf of them?

SaaS implementation (or) support team typically receives a lot of requests for making some small tweaks/changes in the configuration. One approach is to spend a lot of time in hand holding the customer to do these changes by themselves or it would be much easier for the technical support person to get inside a tenant and make the changes on behalf of the requesting user/customer. This way you can say a lot of support bandwidth and customer is also happy.

Auditing

Is there a provision to audit and search for important events in your product?

Auditing of events is very important for a SaaS system from a security and reference stand point. At any point in time ISV provider should be able to find out who did what operation at what time. Sometimes you need this information to prove the correctness of the system.

Is there a provision to maintain transaction change logs in your product?

Transaction change logs will provide you details of the old and new data that got changed in the system. Just like the event logs this will be very useful to know how a certain data in the SaaS system got changed.

In my next blog we will look at assessing the Operations segment of a SaaS Application.