Software as a Service (SaaS) is a software delivery model where applications are hosted remotely on a cloud service provider’s infrastructure and made available to users over the internet on a subscription basis. This model contrasts with traditional software delivery methods where the user has to purchase and install the software on their hardware. SaaS applications are accessible from any device with an internet connection, offering flexibility and scalability to users. Three popular SaaS providers are Salesforce, Xero and Microsoft Office 365, however, thousands of these companies and systems now exist.  

SaaS providers manage the infrastructure, platforms, and software, ensuring applications are always available, up-to-date, and secure. This offloads a significant amount of work from the users, who no longer need to worry about software maintenance, updates, and security patches. However, whilst some elements of security are handled by the SaaS provider, there are key elements which are not, and due diligence still needs to be taken to ensure the SaaS provider. 

It is important to ensure that the onboarding of any new SaaS solution is done securely and competently. This SaaS Security Onboarding Checklist provides a comprehensive guide to help you evaluate the security of a SaaS provider and ensure that the necessary security measures are in place before, during, and after implementation. The checklist covers a wide range of security aspects, including compliance, identity and access management, data security, audit trails, privacy, business continuity, network security, SLAs, and more. Following this checklist ensures that your organisation’s data and systems are protected when using SaaS solutions. 

Pre-Procurement Checks 

The pre-procurement checks offer some factors to consider when appraising and comparing SaaS suppliers.  

Due Diligence and Provider Certifications 

Assess potential SaaS providers for their security posture, historical incidents, and compliance with industry standards to ensure robust security practices. 

• Evaluate the vendor’s reputation in terms of security practices. 
• Conduct due diligence on the vendor’s history regarding data breaches or security incidents. 
• Ensure the SaaS provider complies with industry standards (e.g., ISO 27001, SOC 2). 
• Check if the SaaS provider undergoes regular third-party security evaluations. 
• Ask for recent penetration testing reports. 

Identity and Access Management 

Ensure the SaaS platform integrates securely with existing identity systems and supports essential security protocols and practices. 

• Confirm that the SaaS platform supports integration with your existing SSO solution, if you are going to leverage SSO. 
• Evaluate the identity and access management protocols used (e.g., SAML, OAuth, OpenID Connect). 
• Assess the SaaS product’s ability to adhere to your existing identity and access management policies. This could include multi-factor authentication (MFA), role-based access control (RBAC), and privileged account management.  
• Use administrative accounts only for administrative actions. For daily activities only use a basic level user account.  

Data Security and Encryption 

Confirm that all data within the SaaS environment is encrypted in transit and at rest to safeguard sensitive information from unauthorised access 

• Verify that the data is encrypted both in transit and at rest, such as the use of TLS v1.2 and above for HTTP communication.  
• Review encryption methods, key management, data residency, and data segmentation practices 

Audit Trails and Monitoring 

Audit trails and monitoring are essential for tracking user activities and identifying potential security threats in real time. 

• Check if the SaaS provider offers detailed audit logs. 
• Ensure you can monitor user activities and access patterns. 
• Ensure that there is sufficient log retention in the platform. 
• If you have a SIEM, ensure the platform can integrate with your SIEM if you plan on integration. 

Privacy and Data Handling 

Carefully review how the SaaS provider handles privacy and data management, especially regarding data storage, processing, and access, to ensure compliance with applicable legal requirement. 

• Consider the type of data you’ll share with the service and how it will be protected. 
• Review the provider’s data privacy policies. 
• Understand how customer data is stored, processed, and potentially shared. 
• Understand who can access customer data inside the SaaS platform. 
• Ensure legal compatibility, especially in terms of the location of where your data is stored and processed. E.g. UK, EU, USA 

Business Continuity and Disaster Recovery 

Evaluate the SaaS provider’s capability to recover from disasters and continue operations, ensuring they have effective backup and recovery procedures. 

• Assess the provider’s disaster recovery and business continuity plans. 
• Ensure there are regular backups and the ability to restore services quickly, focusing on who is responsible for said backups, as some SaaS providers do not provide this functionality. 

Expanded Attack Surface from Third-Party Integrations 

• Establish a formal approval process for new third-party integrations 
• Establish a process for the secure decommissioning of third-party integrations that are no longer used 

SaaS applications often allow integrating third-party apps and services to extend functionality. However, this greatly expands the attack surface: 

Service Level Agreements (SLAs) and Policies 

Review and understand the SLAs and policies of the SaaS provider, particularly those related to uptime, performance, and data handling, to ensure they meet your business requirements. 

• Review the SLAs for uptime, performance, and support. 
• Understand the policies regarding service termination or data retrieval. 

Exit Strategy: 

Having a clear exit strategy is essential for transitioning away from a SaaS provider securely and efficiently. 

• Plan for an exit strategy in case you need to switch providers. 
• Ensure that you can retrieve all your data securely and completely. 

Deployment Checks 

The deployment checks are things to consider once you have decided to implement the SaaS system. Some of these might be before the actual technical deployment has begun, such as change management, which is essential to consider before jumping into a SaaS web GUI. Some others, such as testing, can only happen once the deployment is complete.  

Change Management: 

Change management ensures that changes within the SaaS deployment are controlled and documented, minimizing potential disruptions. 

• Ensure that a deployment plan is created along with safe rollback measures should issues be encountered. 
• Ensure that records are kept of all proposed, completed and failed changes.  

Audit Trails and Monitoring Setup: 

Setting up detailed audit logs and monitoring systems is critical for ongoing security and compliance. 

• Ensure the availability of detailed audit logs. 
• Set up monitoring for user activities and access patterns. 
• Integrate with your SIEM system, if applicable. 

Customisation Capabilities: 

Understand and utilise the customisation options provided by the SaaS platform to enhance security settings according to specific needs. 

• Familiarise yourself with the security features offered by the SaaS provider. 
• Evaluate and implement necessary security customisations. Examples include: MFA, updated SPF records or other hardening measures.  

User Access and Role Configuration: 

Configure user roles and access levels to adhere to the principle of least privilege, reducing potential exposure to security threats. 

• Define and configure user roles and access privileges. 
• Implement least privilege access principles. 
• Define how you will manage privileged accounts. 
• Define how and when privileged accounts can be used. 

End-User Security Awareness: 

End-user training is crucial for ensuring that all users understand and comply with security best practices when using the SaaS system. 

• Ensure that end-users are trained on security best practices related to usage of the new SaaS system. 
• Provide guidelines for safe use of the platform. 

Integration Testing: 

Test all integrations thoroughly to ensure they do not compromise the security of the SaaS environment. 

• Test the integration with your existing SSO solution or any other existing systems. 
• Validate identity and access management protocols. 

Expanded Attack Surface from Third-Party Integrations: 

Confirm that third party integrations don’t introduce additional attack surface beyond the required additional functionality.

• Securely store and manage API keys and tokens 
• Ensure that OAuth and other authentication protocols are configured to use the strictest scopes and permissions possible 
• Ensure that subdomains and API endpoints don’t increase the attack surface unnecessarily. 

Security Testing: 

Conduct comprehensive security testing, including penetration testing, to identify and remediate vulnerabilities. 

• Conduct a penetration test (if permissible) of your new SaaS deployment and any integrations, such as SSO. 

Post-Implementation Checks 

These checks should be done once the implementation has been signed off and the solution is in production. Some will form a basis of ongoing checks.  

Continuous Monitoring and Incident Response: 

Continuous monitoring helps detect and respond to security incidents promptly. 

• Regularly monitor user activities and access patterns. 
• Establish incident response and reporting mechanisms. 

Service Level Agreements (SLAs) Monitoring: 

Regularly review SLAs to ensure the SaaS provider meets performance and uptime commitments. 

• Continuously review SLAs for uptime, performance, and support. 
• Ensure compliance with agreed terms. 

Regular Security Audits and Reviews: 

Periodic security audits help maintain a high security standard and adapt to evolving threats. 

• Conduct periodic security audits. 
• Review and update access controls and user privileges. 

Business Continuity and Disaster Recovery: 

Regular testing of disaster recovery plans ensures readiness and effective response to disruptive events. 

• Regularly test disaster recovery and business continuity plans. 
• Ensure backups are performed and validated. 

End-User Security Awareness and Training: 

Continual training updates are necessary to address new security challenges and changes in the threat landscape. 

• Provide ongoing training on security best practices. 
• Update guidelines for safe platform usage. 

Exit Strategy Evaluation: 

Regularly update and review the exit strategy to ensure data can be retrieved securely and completely if transitioning to a different provider. 

• Regularly evaluate and update your exit strategy. 
• Ensure ongoing capability for secure data retrieval. 

Further Reading 

• https://www.ncsc.gov.uk/collection/cloud/using-cloud-services-securely/using-saas-securely 
• https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles/principle-10-identity-and-authentication 
• https://owasp.org/www-pdf-archive/Clouds_Security_and_OWASP.pdf 
• https://www.oracle.com/a/ocom/docs/oracle-saas-security-checklist.pdf