How to secure SaaS: Understanding the cloud’s security layers

Because of gaps across cloud systems, too often user data is stored in unencrypted stores, including caches on internal networks, that can be easily viewed


When you address security in the cloud for your enterprise use, you need to think of it in several layers:

  • Layer 0 is the primary IaaS cloud on which everything else runs; typically, Amazon Web Services, Microsoft Azure, Google Cloud Platform, IBM Cloud, or Alibaba.
  • Layer 1 is the SaaS provider for your applications and servers. The SaaS offerings typically run on (someone else’s) Layer 0 provider, or come from a Layer 0 provider that also offers SaaS. Your own cloud-delivered apps are in this layer as well.
  • Layer 2 is the specific application and its user.

What can be confusing is understanding what layers reside where. For example, there are more than 3,000 SaaS providers out there—CRM and accounting systems, health care portals, bail-bond management, you name it—that run on someone else’s IaaS cloud, such as AWS. You often won’t know what IaaS Layer 0 providers they use, or if they use several.

Furthermore, within the SaaS Layer 1, SaaS providers group users into “macrotenants,” which are typically composed of users (more importantly, departments) from the same enterprise customer.

Then there’s the user in Layer 2, who has credentials to specific applications and services and is using computers, browsers, and networks typically not managed by either the IaaS or SaaS provider. In other words, Layer 0 is within the IaaS provider’s control, and Layer 1 is within the SaaS provider’s control. Layer 2 is not.

The IaaS providers do a very good job of looking after Layer 0 security. The SaaS providers typically do a good job of looking after Layer 1 security, though the quality can vary with the provider’s size and experience.

It’s at the user’s Layer 2 where security is almost always overlooked. Security services that connect Layers 0 and 1 to Layer 2, such as encryption, are subsystems that are either custom-built or integrated third-party products. Too often, the user data is stored in unencrypted stores, including caches on internal networks, that can be easily viewed. 
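One way to close the gap the paragraph above describes is to make the cache layer unable to hold plaintext at all: the application encrypts every value with AES-256-GCM before it is written to the shared cache, binds the ciphertext to its cache key, and only decrypts on read. The following is an added example, not code from the article or from any of the providers it names; it assumes the cache is an in-memory map standing in for a cache on an internal network, a constructed 32-byte key standing in for one fetched from the cloud provider’s KMS, and a constructed PII record as sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// EncryptedCache wraps a key/value store so that only AES-GCM ciphertext
// ever reaches the backing store. The store here is an in-memory map that
// stands in for a shared cache on an internal network (constructed for the example).
type EncryptedCache struct {
	aead  cipher.AEAD
	store map[string][]byte // the bytes the network cache would actually hold
}

// ErrCacheMiss is returned when no entry exists for the requested key.
var ErrCacheMiss = errors.New("cache miss")

// NewEncryptedCache takes a 32-byte AES-256 key. In a real deployment the key
// would be fetched from the provider's KMS (assumption), never stored with the data.
func NewEncryptedCache(key []byte) (*EncryptedCache, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EncryptedCache{aead: aead, store: make(map[string][]byte)}, nil
}

// Put encrypts plaintext under a fresh random nonce and stores nonce||ciphertext.
// The cache key is passed as additional authenticated data, so an entry copied
// to a different key fails authentication on read instead of decrypting.
func (c *EncryptedCache) Put(key string, plaintext []byte) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	sealed := c.aead.Seal(nonce, nonce, plaintext, []byte(key))
	c.store[key] = sealed
	return nil
}

// Get splits off the nonce, verifies the GCM tag and the key binding,
// and returns the plaintext; any tampering or key mismatch is an error.
func (c *EncryptedCache) Get(key string) ([]byte, error) {
	sealed, ok := c.store[key]
	if !ok {
		return nil, ErrCacheMiss
	}
	ns := c.aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("corrupt cache entry")
	}
	nonce, ct := sealed[:ns], sealed[ns:]
	return c.aead.Open(nil, nonce, ct, []byte(key))
}

// BackingStoreContains reports whether the raw bytes held by the cache contain
// the given substring: a defender's check that PII never lands in the store in the clear.
func (c *EncryptedCache) BackingStoreContains(needle string) bool {
	for _, v := range c.store {
		if strings.Contains(string(v), needle) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // constructed key; use a KMS-managed key in practice
	for i := range key {
		key[i] = byte(i)
	}
	c, err := NewEncryptedCache(key)
	if err != nil {
		panic(err)
	}
	record := []byte("name=Jane Doe;ssn=123-45-6789") // constructed sample PII
	if err := c.Put("patient:42", record); err != nil {
		panic(err)
	}
	got, _ := c.Get("patient:42")
	fmt.Printf("decrypted: %s\n", got)
	fmt.Printf("plaintext SSN visible in cache bytes: %v\n", c.BackingStoreContains("123-45-6789"))
}
```

The design choice worth noting is the use of the cache key as associated data: an attacker or a buggy job that can rearrange entries in the shared cache cannot make one user’s record decrypt under another user’s key, which is the kind of cross-tenant leak the layer model is meant to prevent.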

That data often includes personally identifiable information (PII) such as health data, credit card information, criminal records, and other information you would rather not get out. Not to mention company-confidential information that business competitors would love to get access to. That’s why it’s often more important to secure Layer 2 data than Layer 0 or 1 data.

And it’s up to both IT and the Layer 1 SaaS providers to do that work. Let’s get moving, people!

Copyright © 2018 IDG Communications, Inc.