Tag Archive 'municipal software'

Feb 08
2009

10 Things Every Local Government Should Know about SaaS – Part 8: Security

Part 8: SaaS and Security

When working with security in the cloud, or in any multi-tenant environment accessible over the web, there are several items you need to ensure are checked off:

  1. Authenticate everyone
  2. Authorize access computers
  3. Encrypt Data transmission
  4. Protected Network
  5. Secure Physical location
  6. 3rd party auditing

The cloud environment is in the Internet sphere, yes, but because SaaS is also multi-tenant, any exploited web weakness has repercussions for the entire platform cloud. That is why SaaS applications require the highest security environments and the most advanced technology. The wide range of clients works in your favor, because the highest security requirements, from banks for example, are also available to anyone else in the cloud. Everyone has the benefit and the shared responsibility of application security. This includes the end user, the application provider and the platform provider. Let’s take a look at each of the items in our security checklist.

For the rest of the conversation, we refer to Salesforce.com as the platform provider for the security of BasicGov SaaS solution for local governments.

Authenticate everyone: Entering a unique user name and password for user authentication grants you access to your portion of the cloud. When you log in, Salesforce creates a cookie for the session to record the successful authentication. The session “cookie” does not include either the username or password of the user. Salesforce.com does not use “cookies” to store other confidential user and session information, but instead implements more advanced security methods based on dynamic data and encoded session IDs. The standards used include SSL 3.0 / TLS 1.0.

Authorize access computers: When a user logs in for the first time from a particular computer, we want to make sure that someone else can’t pretend they are you, and that they are authorized to access BasicGov. Even if someone knows your username and password, they also need to have access to your email and to your computer to gain access to BasicGov. At this stage we can be confident that this is really you.
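The two checks above can be sketched as follows. This is an added example, not code from BasicGov or Salesforce; the class, method names and in-memory stores are assumptions for illustration. A login issues a random session ID that carries no username or password, and a first login from an unrecognized computer must be confirmed with a code sent to the user's email.

```python
import hashlib
import hmac
import secrets

def make_user(password, email):
    """Build a constructed user record; only a salted hash of the password is kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest, "email": email}

class LoginService:
    """In-memory stand-in for a login server (hypothetical, for illustration)."""

    def __init__(self, users):
        self._users = users          # username -> record from make_user()
        self._known = set()          # (username, device_id) pairs already confirmed
        self._pending = {}           # (username, device_id) -> code sent by email
        self._sessions = {}          # opaque session ID -> username (server side only)
        self.outbox = []             # stands in for the email system

    def login(self, username, password, device_id):
        user = self._users.get(username)
        if user is None or not self._password_ok(user, password):
            return ("denied", None)
        if (username, device_id) not in self._known:
            # Correct password, unknown computer: require proof of email access.
            code = secrets.token_hex(4)
            self._pending[(username, device_id)] = code
            self.outbox.append((user["email"], code))
            return ("verify_device", None)
        sid = secrets.token_urlsafe(32)  # random value; holds no credentials
        self._sessions[sid] = username
        return ("ok", sid)

    def confirm_device(self, username, device_id, code):
        expected = self._pending.get((username, device_id))
        if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        del self._pending[(username, device_id)]
        self._known.add((username, device_id))
        return True

    def whoami(self, sid):
        """Resolve a session cookie value to a user, or None if unknown."""
        return self._sessions.get(sid)

    @staticmethod
    def _password_ok(user, password):
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        return hmac.compare_digest(digest, user["hash"])
```
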

Encrypt Data transmission: When you send your secret username and password to Salesforce and read/write information to BasicGov, you want to ensure that no one listening to your browser “conversation” with the server can understand what you are saying. In fact, it’s a whole other complex language that requires complex keys to decode the conversation, keys that are known only by the server and your browser. This is called data transmission encryption. When you access our site using Microsoft Internet Explorer version 5.5 or higher, Secure Socket Layer (SSL) technology is used (you’ll notice an https in your browser address). This ensures that your data is safe, secure, and available only to registered Users in your organization. Your data will be completely inaccessible to your competitors.

Protected Network and Secure Physical Location: After the data is transmitted securely, it is protected from unwanted intrusions and unnecessary visits. The protections include internal firewalls and segregation with intrusion detection. The databases and networks are also located in physically secure locations. The data is stored in 24-hour manned security centers. The facilities are engineered to withstand seismic activity, storms and floods, with on-site generators for constant power.

3rd party auditing: Finally, just because someone thinks they are secure and did their best to be so, you’d want to know if security experts also think so. Therefore Salesforce has a 3rd party provider continuously auditing its network and is also regularly certified through Saas Type II. This certification is quite extensive and much too long to describe here today, but you can find out more about what this entails here.

All this security provides protection and peace of mind as you use BasicGov, and does not require your own IT resources to implement. For more info, see http://www.salesforce.com/company/security.jsp

 


Feb 08
2009

10 Things Every Local Government Should Know about SaaS – Part 6: Implementation Best Practices

The key to success for your SaaS implementation is to start from your desired outcome. What is it that you want the system to do for you? Are you clear about what you currently do, and when or how you do it now? The clearer you are about your current and desired process the better outcome you’ll achieve.

Where to start? Concisely and thoroughly describe and document your current workflow. Understand that your processes may change slightly in order to take full advantage of the solution you’ve chosen. Be open to your vendor’s advice on how to streamline the process, and accept that there may be gaps in what can be provided. Expect an 80-20 solution: the system should automate the tasks that take up 80% of your time. Focus on these tasks and understand that if you want 100% automation, you’ll likely have to pay for significant customization.

Once you’re through the “Business Analysis” portion of the installation, the real advantages of SaaS come into play. SaaS is easier to configure. No software installation and no IT headaches. Time to rollout is reduced. Users are up and running faster, and in a familiar “browser” environment.

Code Enforcement Workflow Diagram

 
