christopherbainbridge1985-blog
Christopher Bainbridge
Cyber Security
SaaS - Benefits & Security Implications
SaaS (Software as a Service) Benefits & Security Implications
As use of software-as-a-service increases, with more and more small to medium businesses utilising SaaS in order to remain agile and keep down hardware and maintenance costs, so do their concerns about SaaS security.
So what are the benefits of SaaS, how does security apply in the cloud, and what can be done to mitigate the risks?
First, I’ll start with the benefits of using SaaS.
Financial  
The cost of using SaaS can be very attractive when compared to the costs of using hardware and software in the traditional IT department. This obviously includes the cost of staff and maintenance, and the time it takes for hardware and software to be tested in a business environment to ensure projects are viable. With SaaS, a virtual machine with the required software can quickly be spun up in a test lab, and a test can be run to see if it will work in a few short hours rather than days or weeks. This allows businesses to use those savings to target the specific security requirements that they deem most important to their business.
Flexibility
The ability for small to medium businesses to use a virtual test lab, or to allow their staff to access business-critical documents from anywhere on almost any device, can be crucial to their success. This also means these businesses can allow their staff to work from home or anywhere across the world while keeping a small office or offices where they require them, without the need to worry about hardware and staff costs for maintaining a large infrastructure. This can give a business the flexibility to adapt to new business challenges when required without worrying about potentially massive financial losses.
Now the Security Implications of SaaS
Access Management
Access management and the privacy of sensitive information have to be the greatest risk considerations around cloud and hosted services. Consider things such as:
· Where is the data stored?
· Who else has their data stored on the same physical server?
· What physical security is deployed at the location?
· How do they vet their staff?
· What other security measures do they have in place?
· Where is your data backed up?
Compliance
ISO 27001 is a comprehensive standard that covers a lot of the operational security aspects. It wasn’t designed with SaaS in mind, but at this current time it is the ONLY REAL compliance standard you should be working with. A few providers will state a SAS 70 audit, but this is a voluntary, self-imposed audit; it does show they have control over the data they store, but it is insufficient when it comes to SaaS. Currently there is no go-to standard for SaaS, but ISO 27001 is the best starting point until one exists. (Both Google and Amazon are now meeting this standard and others are working towards it.)
Access and Performance
Since SaaS is internet based, your users or clients may not be able to access their data or software if their ISP (internet service provider) has some downtime or if they are in a rural area with poor connectivity, even though companies like Google can guarantee 99.99% uptime. This may be out of your hands if it does go down. Also, depending on what else is running on the server where your information is stored, performance could be slowed down.
Summary
In my opinion SaaS is the way forward and more and more businesses will move over to some sort of SaaS model. It will take longer for larger enterprises, giving new small to medium businesses an edge. With the way the current world economy is, more and more businesses will switch for the financial benefits alone, never mind the flexibility it grants users and clients. The security provided by SaaS is improving constantly and it is only a matter of time until a new compliance framework appears to fill any remaining gaps.
Android Security Measures
As I write this, I am aware that there are a few different approaches to Android security. This article aims to provide the following:
· Ensuring you have a basic understanding of security
· Knowing how to be private and safe
· Knowing how to lock down and secure your devices
(I’m sure there are lots of other approaches, but for the sake of keeping it simple this is how I would categorize them.)
We all know the type of people that have antivirus and do not install anything from anywhere but the Google Play Store. Those individuals probably also have a finger swipe lock and that is all they need or want to know about. Not to say that is bad – it’s good to feel secure – but that is literally the MOST basic form of “security” for your device.
However, I will help with just adding a little bit more to this, and how to do it while keeping it as simple as possible.
( 1 ) Antivirus – I assume nearly everyone has this, but if you don’t, go to the Google Play Store, have a look at a few (most are free) and install one. This will help you by finding the most known viruses and spyware, and in most cases will advise you how to change some settings for additional security. Remember, your data – images, texts, saved login information – is private and personal. Keep it that way!
( 2 ) Screen-lock – Everyone should know what this is. It is as old as mobile phones are nowadays. It locks the screen after the screen goes black or after a set time limit of inactivity. You can often access the screen lock options by going to Settings > Security > Screen Lock, which will ensure that a code, pattern or password needs to be entered in order to unlock the screen once it has been locked.
I would recommend using the PIN or Password option, as these are not restricted by length (it may be restricted to 4 characters on some devices), and also because of how easily a swipe pattern can be unlocked by one of these methods: 1. tilting the screen so you can see the swipe marks and repeat the pattern, or 2. just watching the person’s swipe pattern (a form of shoulder surfing).
( 3 ) Encryption – Device Encryption disguises data by rearranging the data so that no one can see/access it without a password or key.
This can be done in Settings > Security > Encryption. Before you can utilize device encryption, however, you will be required to set a screen lock password ( Device should be connected to a charger while doing this).
( 4 ) Phone Location Tracking – Device Tracking is self-explanatory and there is no shortage of apps out there on the Google Play Store to track your device if you lose it outside or just down the back of the sofa. All you do is register your phone’s details then test it about the house and track it. This ensures if you lose your phone, or if it is stolen, you can always track it down.
( 5 ) Software Updates – Updating the Software on your Android device can remove any vulnerabilities in the device’s software and should always be done at the first possible time.
There are two ways of doing this –
Updating the Phones OS (Operating System)
Settings > About Phone > Updates > Check for Updates.
Updating the Apps
Open Google Play Store > My Apps. This should show any updates that are available for any of your installed apps.
*( I would always recommend you update your device at home while plugged in and on a trusted internet connection )
I believe these five things are about as basic as it gets for Android Security. In the next part, “Being private and safe,” I will go into more detail and try to help the slightly more tech-confident user by showing them how easily a mobile device can be compromised and what could potentially be done to it.
Security and the slightly more advanced stuff but nothing too complicated: ( By securing these settings you secure your device and probably save battery life and save on data charges )
( 6 ) Useful Settings –  These are two simple ways of securing your device and yourself.
Network Settings
Bluetooth, Wi-Fi, NFC, Tethering and Portable Hotspots should always be switched OFF when not being used. All of these leave your device open to attack, as you may leak your data or allow another user to access your device remotely.
All of these can be changed from Settings > Wireless and Network Settings.
Location Settings
Only turn on location settings when you need them. It is important not to have these services running when not required, as it increases the risk of location tracking.
Settings > Personal > Location
( 7 ) Useful Apps – There are lots of different apps that can increase the security on your Android but here are just a few that can seriously increase your privacy.
Password managers
A password manager is a small, easy-to-use database on your phone in which you can save passwords and usernames for your favorite websites (or anything really), fully encrypted and secure. A quick look on the Google Play Store will find lots of these.
App Lockers
App Lockers are apps that give you the ability to stop another user using a specific app or your entire device without entering specific information (this can be a fingerprint scan, password or pattern). They usually include other features, for example if an intruder enters a password wrong 3 times it will take pictures with both the front and rear camera.
*I could write all day about app lockers, but if you want more information a simple internet search will provide lots of information and help you decide which one is best for you.
( 7 ) Backup and Cloud Storage – Losing pictures, videos or documents can be annoying at least, or extremely embarrassing and emotional at worst. There is no shortage of apps out there for online storage to back these up. I won’t list the best and worst here, but Android devices come with Google Drive, which gives you 15 GB of free online space to save your private data to. All you need to do to avoid having your stuff leaked online like a celebrity (if you’re popular enough to have someone try) is to set a decent password or passphrase that you can remember and that won’t be easy for people to guess.
Off topic but there are apps out there you can buy ( usually available for a free trial though ) that can monitor pretty much everything that happens on a device. ( note I never said YOUR Device ) That is because these apps are primarily used to keep an eye on family members to ensure they are safe online, but I believe they work as a good example of what kind of data YOU could be leaking by installing Apps from unknown sources or by rooting your device.
Mspy
https://www.mspy.com/
Tispy
https://tispy.net/
Check them out
* Note I am in no way affiliated with either of these apps and I am not being paid to promote them. I just think they are good examples to show people what a user could do with access to your phone for a short period.
Okay, now it’s time to roll out the tinfoil hats ………….
Not all people that want to block people from eavesdropping on their phone calls or reading their messages are nefarious characters, or paranoid. Some people just want better privacy or to learn how to do this for educational reasons.
( 8 ) Private Encrypted phone calls – Encrypted voice calls over the internet have become more popular lately due to the many available apps that can provide this service. This provides security against eavesdropping and electronic surveillance and can keep your conversations private.
( 9 ) Encrypted end to end messaging – Encrypted messaging does exactly what it says: it encrypts the content of a message so that only the sender and receiver can read the data. This has become commonplace; even popular apps like WhatsApp now include end to end encryption, but there are other tools which also do this and have a higher level of encryption.
( 10 ) Anonymous and private internet surfing – There are a few apps that are designed to increase the anonymity of your activities on the Internet by sending your connections over the Tor network, but there isn’t any better than Orweb and Orbot. When used together, Orweb & Orbot allow you to send all your web browsing over the Tor network and maintain a high level of privacy.
( 11 ) Panic Buttons – A Panic Button app will enable you to secretly trigger an alarm on your phone to send a prewritten text message to a predefined list of contacts, letting them know you may be in danger. There are a few of these available on the Google Play Store.
( 12 ) Data Leakage – Data leakage is when your Android device leaks sensitive information (such as your phone number, contacts, location, etc.) to other installed apps on your phone, allowing that data to be used potentially against your wishes. X-privacy is a free app which can stop this from happening; you just have to set up its rules first.
That is it. All the best ways to ensure your privacy and security on Android devices. You may not use all of what I have provided, but all of this is to ensure you have a good idea of what can be done to keep yourself safe and secure when using your Android device.
I would like to do a course on this topic for Cybrary, but let me know if there is any more you’d like me to cover. I hope you have enjoyed this post. Comment if you have questions!
Android For Business Made Simple
With the decline of BlackBerry and the increasing number of users wanting to use iOS or Android for work, companies have a bit of a headache, because these platforms have more complex problems than the simple deployment and management of BlackBerrys for business.
For a while, iOS has been a lot more popular than Android for companies. Many may not have been keen to embrace Android due to security concerns, but with the potential to lower business expenses and a recent increase in security measures that myth has been dispelled. So, with Google pushing Android for Work quite heavily, I will try to break down what you should know and help you get started.
I will quickly explain some of the things you will need to know if your company has decided to look into using Android for Business, or if this is something you want to look into.
BYOD (Bring Your Own Device)
BYOD has been around for a while now, but while it can save the company from having to buy handsets for its users and can cut costs, it also opens up a whole new world of security issues that need to be resolved but with some
Business Data
Business data is secured by creating a business profile on the device, ensuring only that profile can access business data, and data leakage policies can be enforced on the device.
Device Security
Security standards are maintained by blocking apps from unknown sources from being installed on devices and by enforcing a minimum version of the Android operating system (e.g. V4.0.1). On any Android device, build standards can be enforced by ensuring the device has specific software installed or settings configured, such as:
· Whole Disk Encryption (WDE)
· Lock-screen
· Anti-Virus
· Remote Attestation (Ensuring no changes are made to the device)
There are also other apps you can have installed on the devices to ensure that unapproved applications cannot run, by creating a whitelist. If your company is sold on those points, then the first thing you need to do is get an Enterprise Mobility Management (EMM) provider. This can be Google directly or a third-party provider. These companies can help deliver a Mobile Device Management (MDM) solution.
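As an added illustration (not part of the original post and not taken from any EMM or MDM product), the device checks listed above can be written as a small compliance evaluator. The record fields, package names and sample devices are constructed; the minimum version is the post's own example, and versions are compared numerically because plain string comparison would rank "10" below "4.0.1".

```python
from dataclasses import dataclass, field

MIN_ANDROID = "4.0.1"  # example minimum version quoted in the text
APP_WHITELIST = {"com.example.mail", "com.example.docs"}  # constructed names


def version_at_least(actual, minimum):
    """Compare dotted versions numerically, component by component."""
    try:
        a = [int(p) for p in actual.split(".")]
        m = [int(p) for p in minimum.split(".")]
    except ValueError:
        return False  # unparsable version string: fail closed
    width = max(len(a), len(m))
    a += [0] * (width - len(a))  # pad so '4.1' equals '4.1.0'
    m += [0] * (width - len(m))
    return a >= m


@dataclass
class Device:  # hypothetical record shape, not an EMM/MDM vendor schema
    name: str
    android_version: str
    unknown_sources_blocked: bool
    disk_encrypted: bool
    lock_screen_set: bool
    antivirus_installed: bool
    attestation_passed: bool
    installed_apps: set = field(default_factory=set)


def violations(d):
    """Return every policy item the device fails, not just the first."""
    checks = [
        (version_at_least(d.android_version, MIN_ANDROID), "Android version below minimum"),
        (d.unknown_sources_blocked, "apps from unknown sources allowed"),
        (d.disk_encrypted, "whole disk encryption off"),
        (d.lock_screen_set, "no lock-screen"),
        (d.antivirus_installed, "no anti-virus"),
        (d.attestation_passed, "remote attestation failed"),
    ]
    failed = [msg for ok, msg in checks if not ok]
    extra = sorted(d.installed_apps - APP_WHITELIST)
    return failed + [f"app not on whitelist: {app}" for app in extra]


# Constructed sample inventory.
FLEET = [
    Device("phone-a", "10", True, True, True, True, True, {"com.example.mail"}),
    Device("phone-b", "4.0", True, False, True, True, True, {"com.example.game"}),
    Device("phone-c", "4.0.1", False, True, True, True, False),
]

if __name__ == "__main__":
    for dev in FLEET:
        print(dev.name, violations(dev) or "compliant")
```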
Hopefully, this information helps you grasp the concepts behind what needs to be done in order to use an Android smartphone in a business capacity and maximize security to try and mitigate any potential risks to the business.
GDPR
Anyone who is not involved in the world of Information Security could be forgiven for not having heard about GDPR (General Data Protection Regulation), but if you are in this field you are more likely to have heard about it and wondered how it will affect practices in your role and across the business. I will attempt to keep this as simple as possible, but most of what is in GDPR is best practice.
Back in the 90’s the EU stated that all members must have Data Protection laws on the handling of personal data, and the UK created the DPA (The Data Protection Act 98). GDPR is standardising all of the member nations’ different rules into one. As of 25th of May 2018 these are the new rules to come into effect:
Privacy by Design
Privacy by Design (PbD) has been a part of EU data regulations for a while, but now with this new law, it’s all about minimizing the collection and retention of data and ensuring that consumers consent to their data being stored and processed.
Impact Assessments
Companies have to know exactly where all the data on their networks is located, and all data needs to be classified so the company can tell what kind of data has been breached. Companies will also need to show how the data is monitored and run an analysis of the risks to their data subjects’ privacy and what impact this may have.
Right to be Forgotten
Consumers have always been able to ask that their data be deleted and that companies no longer contact them. GDPR now extends this right to include data published on the web. This is the right to stay out of the public view and be forgotten.
Data Leaks
A new requirement of GDPR is that companies will have to notify the Data authorities of a data breach or leak within 72 hours of it being discovered. The Data subjects will also have to be notified, but only if the data poses a high risk to their rights, privacy and freedoms.
I know what you’re thinking at this point. “But the UK voted to leave the EU (Brexit) so we don’t need to worry about this now as we are leaving the European Union.” Well, you would be wrong. GDPR states that even if a company does not have a presence in the EU but collects information on people or trades with the EU, then it must meet the requirements of it. Therefore, this law will apply to businesses outside of the EU too.
“But if we are outside the EU how can they enforce this?” Well, the GDPR has a serious penalty structure that could lead to fines of up to €20 million or 4% of global annual turnover for the previous financial year. That should be serious enough to make you take note if you want to continue to trade with the EU.
I hope this helps simplify GDPR, but if you have any questions just leave them below in the comments.