Best Practices for Locking Down Your SaaS Enterprise Security


Small to medium-sized insurance companies are turning to Software-as-a-Service (SaaS) with increasing frequency. It is important that data channeled through SaaS is protected, to the greatest degree possible, against being lost, stolen or corrupted.

There are recommended measures that can be taken to help protect sensitive data from being compromised.


Avoid Deadline Vulnerabilities

The rush by insurance software providers to complete development or updates by market deadlines can result in sloppy security errors. To counteract this, SaaS providers should build a security check into each phase of software development, for products such as underwriting software included. This makes it easier to identify problems early and resolve them.


Be Diligent About the Cloud

The location to which the SaaS will be deployed is an important factor in protecting data. If the application will reside on a public cloud, the cloud vendor should be contacted to confirm that the security settings match those the vendor recommends.

Dedicated cloud providers such as Google or Amazon also offer services within their infrastructures that help keep data secure.


Review Compliance Certifications

There are two main compliance certifications that a SaaS provider should have. The first is PCI DSS. To obtain this certification, the SaaS provider must pass extensive audits of how sensitive data is stored, maintained, processed and transmitted.

The other certification, SOC 2 Type 2, attests that a cloud service provider's systems and controls are designed and maintained to provide a high level of data security.


Don’t Skimp on Encryption

The importance of encrypting sensitive data cannot be overstated. All data traveling to and from servers should be sent over SSL/TLS. The SSL/TLS session should terminate only once the data is within the boundaries of the cloud service provider.

Additionally, specific fields can and should be designated for encryption, such as Social Security numbers and financial information such as credit card or bank account numbers.
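The field-level encryption described above, as an added example that is not code from the original article or from any vendor it mentions: a constructed policyholder record in which only the Social Security number and bank account fields are designated for encryption, protected with AES-256-GCM from Go's standard library. The record layout, field names and key handling are assumptions; a real deployment would obtain the key from the provider's key management service rather than generating it in place.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// PolicyholderRecord is a constructed example. Only SSN and BankAccount are
// designated for field-level encryption; Name and PolicyNumber stay in the
// clear so the application can still search on and display them.
type PolicyholderRecord struct {
	Name         string
	PolicyNumber string
	SSN          string // ciphertext once ProtectRecord has run
	BankAccount  string // ciphertext once ProtectRecord has run
}

// FieldCipher wraps AES-256-GCM keyed with a data-encryption key.
type FieldCipher struct {
	aead cipher.AEAD
}

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("field cipher requires a 32-byte AES-256 key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// EncryptField returns base64(nonce || ciphertext || tag). The field name is
// bound as associated data, so a ciphertext copied from one column into
// another fails to decrypt instead of silently revealing the wrong value.
func (c *FieldCipher) EncryptField(field, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := c.aead.Seal(nil, nonce, []byte(plaintext), []byte(field))
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptField reverses EncryptField and rejects truncated or tampered input.
func (c *FieldCipher) DecryptField(field, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns+c.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := c.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong field, or tampered data")
	}
	return string(plain), nil
}

// ProtectRecord encrypts the designated fields before the record is handed to
// the datastore; the record is left untouched if either field fails.
func ProtectRecord(c *FieldCipher, r *PolicyholderRecord) error {
	ssn, err := c.EncryptField("SSN", r.SSN)
	if err != nil {
		return err
	}
	acct, err := c.EncryptField("BankAccount", r.BankAccount)
	if err != nil {
		return err
	}
	r.SSN, r.BankAccount = ssn, acct
	return nil
}

// RevealRecord decrypts the designated fields after the record is read back.
func RevealRecord(c *FieldCipher, r *PolicyholderRecord) error {
	ssn, err := c.DecryptField("SSN", r.SSN)
	if err != nil {
		return err
	}
	acct, err := c.DecryptField("BankAccount", r.BankAccount)
	if err != nil {
		return err
	}
	r.SSN, r.BankAccount = ssn, acct
	return nil
}

func main() {
	key := make([]byte, 32) // placeholder: a real key comes from a KMS
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	c, _ := NewFieldCipher(key)
	rec := PolicyholderRecord{Name: "Jane Doe", PolicyNumber: "P-1001", SSN: "123-45-6789", BankAccount: "000111222"}
	if err := ProtectRecord(c, &rec); err != nil {
		panic(err)
	}
	fmt.Printf("stored:    %+v\n", rec)
	if err := RevealRecord(c, &rec); err != nil {
		panic(err)
	}
	fmt.Printf("read back: %+v\n", rec)
}
```

Binding the column name as associated data is the detail worth keeping: it means a database-level mistake or tampering that moves an encrypted bank account into the SSN column surfaces as a decryption failure rather than as a wrong value quietly displayed to a user.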


Utilize Data Security at the User Level

Implementing user-level data security at the company level adds another layer of protection to the data infrastructure. The cloud service vendor can often provide guidance on setting up user access in accordance with company policy. Doing this gives the company better control over data management and helps foster appropriate segregation of duties.
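The user-level access control and segregation of duties described above, as an added example that is not code from the original article or from any vendor it mentions: a small role-based policy for a constructed claims workflow in Go, where roles hold only the actions their job needs and the person who created a claim is never allowed to approve it, even when they hold both roles. The role names, actions and claim structure are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Role and Action are constructed examples of the job functions and
// operations an insurance SaaS tenant might define.
type Role string

const (
	RoleAdjuster Role = "adjuster"
	RoleApprover Role = "approver"
	RoleAuditor  Role = "auditor"
)

type Action string

const (
	ActionRead    Action = "read"
	ActionCreate  Action = "create"
	ActionApprove Action = "approve"
)

type User struct {
	ID    string
	Roles []Role
}

type Claim struct {
	ID        string
	CreatedBy string
	Approved  bool
}

// permissions maps each action to the roles allowed to perform it
// (least privilege: auditors read, adjusters create, approvers approve).
var permissions = map[Action][]Role{
	ActionRead:    {RoleAdjuster, RoleApprover, RoleAuditor},
	ActionCreate:  {RoleAdjuster},
	ActionApprove: {RoleApprover},
}

var (
	ErrDenied             = errors.New("access denied: role lacks permission")
	ErrSeparationOfDuties = errors.New("access denied: creator of a claim may not approve it")
)

func (u User) HasRole(r Role) bool {
	for _, have := range u.Roles {
		if have == r {
			return true
		}
	}
	return false
}

// Authorize applies the role check first and then the segregation-of-duties
// rule: whoever created a claim can never approve it, even if they happen to
// hold both the adjuster and approver roles.
func Authorize(u User, a Action, c *Claim) error {
	permitted := false
	for _, r := range permissions[a] {
		if u.HasRole(r) {
			permitted = true
			break
		}
	}
	if !permitted {
		return ErrDenied
	}
	if a == ActionApprove && c != nil && c.CreatedBy == u.ID {
		return ErrSeparationOfDuties
	}
	return nil
}

// ApproveClaim is the only path that flips Approved, so every approval passes
// through Authorize. It returns an audit line for the access log.
func ApproveClaim(u User, c *Claim) (string, error) {
	if err := Authorize(u, ActionApprove, c); err != nil {
		return fmt.Sprintf("DENY user=%s action=approve claim=%s reason=%q", u.ID, c.ID, err), err
	}
	c.Approved = true
	return fmt.Sprintf("ALLOW user=%s action=approve claim=%s", u.ID, c.ID), nil
}

func main() {
	alice := User{ID: "alice", Roles: []Role{RoleAdjuster, RoleApprover}}
	bob := User{ID: "bob", Roles: []Role{RoleApprover}}
	claim := &Claim{ID: "CLM-42", CreatedBy: "alice"}
	for _, u := range []User{alice, bob} {
		line, _ := ApproveClaim(u, claim)
		fmt.Println(line)
	}
}
```

Routing every approval through one function that also emits an audit line is what makes the segregation-of-duties rule enforceable and reviewable: the denial for a self-approval is recorded with its reason, which is the evidence an auditor reviewing user access under company policy will ask for.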


Summing It Up

By taking a proactive approach to the safety and security of data, companies doing business in the cloud can better protect themselves and their clients.