blog-hero.jpg

Risk Mitigation

Five Security Considerations for CIOs & CTOs Evaluating SaaS CRE Technology

Adoption of cloud-based SaaS platforms is becoming common for enterprise organizations, including commercial real estate owners and managers. The cost savings and convenience of the SaaS model are very compelling relative to more traditional on-premises software installations. However, there are some special considerations to take into account when evaluating this class of enterprise software.

Here are five areas to examine when you evaluate the security of a prospective cloud-based SaaS implementation of CRE technology or any technology.

Account Security

SaaS platforms are generally accessible from anywhere which makes them very convenient. In turn, this increase in accessibility also increases the importance of closely guarding user identity and managing access. A secure SaaS platform should provide tools to help mitigate account security risks, with Multi-Factor Authentication and Single Sign On being two of the most important components.   

Multi-Factor Authentication

Multi-Factor Authentication (MFA) secures user accounts by requiring a user to acknowledge their identity on a secondary device. For example, if you log into your bank through the bank’s website on your laptop, you might receive a code on your mobile phone to enter back into the website in order access your account. Without Multi-Factor Authentication, someone could access your bank account if they simply had your password. Using Multi-Factor Authentication, as in the scenario above, someone would need to have your password and be in possession of one of your physical devices to get entry.  

Multi-Factor Authentication is generally implemented with either a MFA app or via text messages. Both of these options rely on time-based, single-use codes to match the codes in the paired authentication system.  

Single Sign On

Single Sign On (SSO) is another way to better secure user accounts, enable easy access and greatly simplify user access management across your organization’s services. SSO is a session and authentication service which permits your employees to use one set of credentials to access all of your organization’s applications and services. Your employees will no longer need to remember multiple passwords, but they will need to remember one very complex—and more secure—password.  

Single Sign On identity providers allow for custom configuration of minimum complexity rules for your users and provide Multi-Factor Authentication services to further secure account access. Additionally, having a SSO identity provider gives your IT managers the ability to add, update or remove user access across all your organization’s applications and services from a single place, further enhancing user account security.  

Network Security

Network security is of the utmost importance in a cloud-based environment because of the underlying nature of the cloud and shared resources. Most cloud computing, or Infrastructure as a Service (IaaS), providers such as Amazon Web Services, Google Compute Cloud and Microsoft Azure offer what is called a Virtual Private Cloud (VPC).  A VPC provides a segregated environment within an IaaS provider’s infrastructure where routing, firewalls, IP restriction and networking rules can be configured to secure a SaaS application’s resources.  

Without a VPC, securing individual resources within an IaaS is very difficult, with mistakes being easily made or important details overlooked, the consequence of which is unauthorized access or data breach. Ensure that any SaaS provider you consider has secured their cloud resources with a virtual private network in the cloud.

Data Security

Data is the new currency of business and concerns about data security can be the deciding factor between more traditional on-premises software and cloud-based SaaS. Data in the cloud should be encrypted at rest, encrypted in transit and backed up daily.  

Encryption at rest means that data backups stored in the cloud are encrypted and cannot be read unless decrypted by a secure encryption key. This is important in the cloud because storage is shared between many customers. For example, when your SaaS provider deletes old database backups that are stored on a spindle hard drive in a computer in an IaaS provider’s data warehouse, that space is freed up for another IaaS user. A malicious IaaS user could provision storage space from their account and scan the bytes on that spindle drive to see if a you or another previous user left any data of value behind. If your database backup was not encrypted at rest, the malicious IaaS user could potentially read the entirety of your backup and access that data.

Encryption in transit means that all requests made from your employee’s browsers to the SaaS provider’s application must be over the https protocol using an SSL certificate from a trusted certificate authority. Having a secure connection between your users and the application ensures that nothing in the networks between can read the data being transmitted. This is considered bare-minimum and any website not offering https should not be trusted. Make sure that any API access or third party integrations also communicate via https; otherwise your data may be exposed to prying eyes when in transit across the internet.

IaaS providers offer great tools for secure, scheduled and geographically distributed data backup, but those tools need to be set up and configured correctly to be used for effective disaster recovery.  Confirm that any SaaS provider you seriously consider has daily scheduled backups as well as long term and geographically distributed data backups.  

Application Availability

Users expect to be able to access anything anytime they want, and SaaS platforms are no exception. Fortunately, IaaS providers offer a wide variety of tools and services that SaaS platforms can use to ensure availability. Hardware, network and other types of failures are bound to happen occassionally so best practices such as horizontal scaling, auto scaling, self healing architectures and geographic distribution can be used to keep a SaaS platform accessible 99.9% of the time.

Horizontal scaling is a high-availability method in which an application can have many identical servers to which application requests can be equally distributed. This is often achieved by using a Load Balancer which automatically checks all of the servers connected to it on a regular interval to determine which servers are “healthy” and can serve application requests. If a server fails to respond to a health check from the load balancer, it is taken out of the pool of available servers and no longer receives application requests. Horizontal scaling is very resilient, can be configured to add more servers when an application has a spike in traffic (auto scaling) and can even be configured to automatically replace “unhealthy” servers when they fail (self healing).  

Geographic distribution is another tool which can be used to provide high availability for a SaaS platform. Often, IaaS providers allow a customer to specify an “availability zone” for specific cloud resources which get allocated. These availability zones are often in disparate geographic locations and physically separate data centers. In combination with horizontal scaling, distributing identical resources across multiple availability zones minimizes or eliminates downtime for a SaaS application when there are inevitable service outages with cloud resources or services.

Infrastructure Accessibility and Monitoring

One piece of SaaS application security that is often overlooked is the level of accessibility that the application’s engineering team has to the application’s resources. Minimizing human exposure to application systems and infrastructure greatly reduces the risk of human error. Production-level application resources should be nearly impossible for the employees of your SaaS provider to access.

Resource monitoring and intrusion detection are also important tools. Configuring realtime alerts for suspicious activities on your IaaS resources can mean the difference between successfully mitigating an attempted hack and an all out data breach.  

Closing Thoughts

The use of cloud-based SaaS platforms can be a huge boon for commercial real estate owners and managers, providing best of breed solutions for your organization’s most time consuming and challenging problems. Unfortunately, not all SaaS providers use best practices when implementing their cloud infrastructures. If any SaaS provider cannot show that they are implementing these and other technology best practices, they may not be a good choice for your organization.

Learn how top owners save on project costs

Cody Roberts

Written by Cody Roberts

Cody is co-founder of Honest Buildings and the team's founding engineer. He studied Information Technology at Rensselaer Polytechnic Institute.