There are a number of basic controls that your server infrastructure needs before you let users trust you with their important data. Work through the elements of this SaaS Security Checklist:
Your servers should be able to recognize when they are under attack and start countermeasures automatically. There are many good tools for keeping a server alive until an attack subsides. Against application-layer DDoS, for example, an HTTP cache such as Varnish can absorb a flood of requests for cacheable pages by serving them from memory instead of passing them to the application. It does not help against volumetric attacks that saturate your bandwidth; those have to be filtered upstream, by your network or CDN provider.
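The detection half of this, as an added example rather than code from the original page: a Python sliding-window detector run over a few constructed access-log lines. The addresses are RFC 5737 documentation addresses, and the log lines, window, threshold and function names are all assumptions made for illustration. It flags clients whose request rate exceeds a threshold and turns the result into firewall rules that a front end could apply as its "safety measure".

```python
"""Flag clients whose request rate exceeds a threshold inside a sliding window.

Added example: a minimal application-layer flood detector that a SaaS
front end could run over its access log. The log lines, thresholds and
function names are constructed for illustration, not taken from any product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: client, identd, user, [timestamp], "request", status, size.
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (RFC 5737 documentation addresses, not real clients):
# 203.0.113.7 fires six requests in three seconds; 198.51.100.4 browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:57:10 +0000] "GET /dashboard HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:59:50 +0000] "POST /logout HTTP/1.1" 302 0
"""


def parse_log_line(line):
    """Return ip, timestamp, request and status for one CLF line, or None if malformed."""
    m = _CLF.match(line)
    if not m:
        return None  # malformed lines are skipped, never trusted
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window_seconds=10, threshold=5):
    """Return {ip: peak_requests_in_window} for every client above the threshold.

    One deque per client holds the timestamps inside the current window; the
    deque's peak length is that client's worst burst. Events are sorted first
    so a log written by buffered workers in slightly shuffled order still works.
    """
    events = [e for e in map(parse_log_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for e in events:
        q = windows[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[e["ip"]] = max(peak[e["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def block_rules(offenders):
    """Translate flagged clients into iptables DROP rules (one possible safety measure)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    flagged = detect_floods(SAMPLE_LOG.splitlines(), window_seconds=10, threshold=5)
    for rule in block_rules(flagged):
        print(rule)
```

The window and threshold are placeholders: tune them per endpoint (a login form tolerates far fewer requests than a static asset), and prefer rate limiting or a temporary block with expiry over a permanent DROP, or a whole office behind one NAT address will be locked out along with the attacker.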
In cloud computing, SaaS (software as a service) refers to a service model in which both data and applications are hosted centrally. Typically, users access SaaS applications via a thin client such as a web browser. Because the SaaS provider is responsible for all software and hardware, local IT costs are reduced -- a big selling point. However, SaaS entails a unique array of security challenges. How can a customer be assured that the cloud-hosted solution is on top of security and privacy?
Learn about the provider's history. Acquire references from prior customers and evaluate their experience regarding reliability, privacy and security.
Make sure your SaaS contract contains audit clauses allowing you to verify ongoing security protocols.
Get an SLA with specific, measurable performance metrics and a firm availability commitment.
Demand that the SLA include a description of the provider's internal development process.
Make sure the SaaS provider notifies you of security fixes and other updates: in advance for scheduled changes, and promptly after the fact for emergency patches, since a security fix should not wait on a customer's approval.
Evaluate the provider's data backup and recovery policies.
Ensure that strong, current encryption is used at every link in the data chain: in transit, at rest and in backups. Closely evaluate the provider's key management: who holds the keys, how they are rotated, and whether you can bring your own.
Control your own users -- the likeliest weak link. Which web browser or other local client must be used? How is local software updated? Which domains and services may users access, and how must they be authenticated?
Never let the SaaS provider own or control your domain names.
Ask the provider who exactly can access your hosted data. Do they log access history? Is production data masked or encrypted? Are developers required to work in pairs?
Given that most SaaS applications are multi-tenant, ask your provider how they make sure your data is kept private and isolated. What failsafe access controls are in place?
Evaluate the results of a third-party pen-test (penetration test) ordered by the provider. How did they respond to address any problems enumerated in the report?
Ask the provider if the application code includes any open-source libraries or other third-party code, and how those dependencies are inventoried and patched when a vulnerability is published.
Does the live application have monitoring, logging, defensive capability, denial-of-service mitigation, and intrusion detection?
Are the provider's programmers fully trained in software security and best practices?
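To make the multi-tenant isolation question concrete, here is an added example (not the page's or any provider's code) of the "failsafe access controls" one would want behind a shared database: the tenant identifier taken from the authenticated session is part of every WHERE clause, and a second check rejects any row that slips through without it. The weak, unscoped lookup is shown beside the hardened one. The schema, tenant names and rows are constructed for the example, and sqlite3 stands in for the real database.

```python
"""Tenant-scoped data access for a shared (multi-tenant) database.

Added example with constructed data; the table, tenants and helper names are
illustrative and not taken from any real product.
"""
import sqlite3


class TenantIsolationError(RuntimeError):
    """Raised when a row belonging to another tenant surfaces in a query result."""


def setup_db():
    """In-memory database seeded with constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [
            (1, "acme", "Acme Q3 forecast"),
            (2, "acme", "Acme payroll"),
            (3, "globex", "Globex merger memo"),
        ],
    )
    # Tenant-scoped queries are the hot path, so index the tenant column.
    conn.execute("CREATE INDEX ix_documents_tenant ON documents(tenant_id)")
    return conn


def _row_to_dict(row):
    return {"id": row[0], "title": row[2]}


def _check_tenant(row, tenant_id):
    """Failsafe: refuse to return a row whose tenant does not match the caller's."""
    if row[1] != tenant_id:
        raise TenantIsolationError(
            f"row {row[0]} belongs to {row[1]!r}, not {tenant_id!r}"
        )
    return _row_to_dict(row)


def get_document_unscoped(conn, doc_id):
    """WEAK: looks a document up by id alone. Any tenant who guesses an id
    (ids are sequential here) reads another tenant's data."""
    row = conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()
    return _row_to_dict(row) if row else None


def get_document(conn, tenant_id, doc_id):
    """HARDENED: tenant_id comes from the authenticated session, never from the
    request, and is part of the WHERE clause, so a foreign id yields None.
    _check_tenant then catches any future query that forgets the filter."""
    row = conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, tenant_id),
    ).fetchone()
    return _check_tenant(row, tenant_id) if row else None


def list_documents(conn, tenant_id):
    """All documents visible to one tenant, each re-checked before it is returned."""
    rows = conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE tenant_id = ? ORDER BY id",
        (tenant_id,),
    ).fetchall()
    return [_check_tenant(r, tenant_id) for r in rows]


if __name__ == "__main__":
    db = setup_db()
    print("unscoped lookup of id 3 as acme:", get_document_unscoped(db, 3))
    print("scoped lookup of id 3 as acme:  ", get_document(db, "acme", 3))
    print("acme's own documents:           ", list_documents(db, "acme"))
```

Run as a script, the unscoped call hands Acme the Globex memo while the scoped call returns None. The same pattern scales up as database row-level security or a separate schema per tenant; whichever the provider uses, the question to ask is where the tenant filter is enforced and what happens when a query omits it.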