Oct 07
2009

10 Things Every Local Government Should Know about SaaS – Part 8: Security

Part 8: SaaS and Security

When working with security in the cloud, or in any multi-tenant environment accessible over the web, there are several items you need to make sure are checked off:

  1. Authenticate everyone
  2. Authorize access computers
  3. Encrypt Data transmission
  4. Protected Network
  5. Secure Physical location
  6. 3rd party auditing

The cloud environment is in the Internet sphere, yes, but because SaaS is also multi-tenant, any exploited web weakness has repercussions for the entire platform cloud. That is why SaaS applications require the highest security environments and the most advanced technology. The wide range of clients works in your favor, because the highest security requirements, from banks for example, are also available to anyone else in the cloud. Everyone has the benefit and the shared responsibility of application security. This includes the end user, the application provider and the platform provider. Let’s take a look at each of the items in our security checklist.

For the rest of the conversation, we refer to Salesforce.com as the platform provider for the security of the BasicGov SaaS solution for local governments.

Authenticate everyone: Entering a unique user name and password for user authentication grants you access to your portion of the cloud. When you log in, Salesforce creates a cookie for the session to record the successful authentication. The session “cookie” does not include either the username or password of the user. Salesforce.com does not use “cookies” to store other confidential user and session information, but instead implements more advanced security methods based on dynamic data and encoded session IDs. The standards used include SSL 3.0 / TLS 1.0.

Authorize access computers: When a user logs in for the first time from a particular computer, we want to make sure that someone else can’t pretend to be you, and that the person logging in is authorized to access BasicGov. Even if someone knows your username and password, they also need access to your email and to your computer to gain access to BasicGov. Once this check passes, we can be confident that this is really you.

Encrypt Data transmission: When you send your secret username and password to Salesforce and read/write information to BasicGov, you want to ensure that no one listening to your browser’s “conversation” with the server can understand what is being said. In effect, the conversation takes place in a whole other complex language that requires complex keys to decode, and those keys are known only by the server and your browser. This is called data transmission encryption. When you access our site using Microsoft Internet Explorer version 5.5 or higher, Secure Socket Layer (SSL) technology is used (you’ll notice https in your browser’s address bar). This ensures that your data is safe, secure, and available only to registered Users in your organization. Your data will be completely inaccessible to your competitors.

Protected Network and Secure Physical Location: After the data is transmitted securely, it is protected from unwanted intrusions and unnecessary visits. The protections include internal firewalls and segregation with intrusion detection. The databases and networks are also located in physically secure locations. The data is stored in security centers that are manned 24 hours a day. The facilities are engineered to withstand seismic activity, storms and floods, with on-site generators for constant power.

3rd party auditing: Finally, just because someone thinks they are secure and did their best to be so, you’d want to know whether security experts also think so. Therefore Salesforce has a 3rd party provider continuously auditing its network and is also regularly certified through Saas Type II. This certification is quite extensive and much too long to describe here today, but you can find out more about what it entails here.

All this security provides protection and peace of mind as you use BasicGov, and does not require your own IT resources to implement. For more info: http://www.salesforce.com/company/security.jsp


2 responses so far

Creative Commons License "BasicGov Blog: 10 Things Every Local Government Should Know about SaaS – Part 8: Security" This post content is licensed under a Creative Commons Attribution 3.0 Unported License. If you share modified copies of this work, note that the new work is based on a work at http://www.basicgov.com/blog/2009/10/07/10-things-local-government-should-know-about-saas-part-8-security/trackback by BasicGov/blog. Details beyond the scope of this license may be available at http://www.basicgov.com/blog/about#blogpolicy.
  1. neilkevin on 23 Oct 2009 at 9:54 pm

    Nice article. The conclusion is, your data can be safe with SaaS, as long as you are with the right SaaS vendor. I came across another insightful article listing out other important factors to consider while assessing SaaS – http://www.hyperoffice.com/saas-reviews-for-smbs/

  2. James on 27 Oct 2009 at 3:35 pm

    Thanks for your comment. Yes not all SaaS vendors are created equal, and the items I mentioned are the qualifications you should be asking when it comes to your security concerns.

    Thanks for the article post also!
