SaaS Best Security Practices

Summary

This article summarizes key security risks associated with SaaS applications and provides best practices to mitigate them. Topics include provider vetting, MFA, least‑privilege access, encryption, monitoring, and user education to help protect Drexel data.

Body

What is SaaS?

SaaS stands for Software as a Service. It's a cloud-based software delivery model in which software is hosted on remote servers, maintained and updated by the service provider, and made available to customers via web browsers, mobile apps, and APIs. SaaS applications are becoming increasingly popular, as they offer a convenient and cost-effective way to access business-critical software. (Source: Salesforce)

Risks of using SaaS

  • Data Breaches. SaaS providers store large amounts of data on their servers, which makes them a target for cyberattacks. If a SaaS provider is hacked, your data could be exposed to unauthorized individuals. 
  • Misconfiguration/Vulnerability. SaaS applications can be misconfigured, which can lead to security vulnerabilities. For example, if a SaaS application is not properly configured, it could be vulnerable to attacks such as SQL injection or cross-site scripting.
  • Unauthorized Access. Using SaaS increases the risk of user account takeover, partly because SaaS applications are exposed to the Internet. Geographic restrictions are uncommon in SaaS services, so brute-force and other credential-based attacks can originate from anywhere.
  • User Error. SaaS applications are often used by multiple users, which increases the risk of human error. For example, a user could accidentally click on a malicious link or share their password with an unauthorized individual.

Best Practices

  • Vet the provider. Before you adopt a SaaS application, it's important to vet the provider to ensure that they have strong security practices in place. You can do this by contacting Third Party Risk Management (TPRM) at tprm@drexel.edu to perform a security review. TPRM will review the provider's security policies and procedures, and ask them about their security measures.
  • Enable strong authentication. This includes using multifactor authentication (MFA) whenever possible. MFA adds an extra layer of security by requiring users to provide two or more pieces of evidence to verify their identity.
  • Use strong unique passwords and don't share them. Use strong, unique passwords for your SaaS applications, and don't share them with anyone. You should also change your passwords regularly. Learn more about Drexel's password requirements.
  • Follow role-based access control. Enforce the principle of least privilege. Periodically review any accounts that have privileged or administrative access, and remove old, unused or unrecognized accounts.
  • Encrypt and back up your data. Data encryption is essential for protecting your data at rest and in transit. SaaS providers typically offer encryption, but you should also encrypt any data that you store or transmit outside of the SaaS application. Store data backups outside of the SaaS platform and ensure they are functioning correctly.
  • Use antivirus and malware protection. Identify and block malicious software. Ensure your machine is running Drexel's provided/approved AV solution.
  • Ensure a secure connection. Use Drexel's VPN (drexel.edu/it/connect/vpn), which provides a secure, encrypted connection to Drexel's on-campus network services.
  • Enable audit logging. Ensure detailed logs are available and retained for investigations.
  • Monitor login anomalies. Regularly review activity logs for suspicious behavior and unusual login patterns, such as impossible travel and brute force attempts.
  • Monitor data sharing. SaaS applications often allow users to share data with others. It's important to monitor data sharing to ensure that only authorized users have access to your data. Ensure the SaaS provider does not retain data longer than necessary.
  • Keep your software up to date. SaaS providers regularly release software updates that fix security vulnerabilities. It's important to install these updates as soon as possible to protect your applications from attack.
  • Be aware of phishing attacks. Phishing attacks are a common way for attackers to gain access to user accounts. Be aware of phishing emails, and don't click on links or open attachments from unknown senders.
  • Educate users about security. Users are the first line of defense against security threats. It's important to educate them about security best practices, such as strong passwords and phishing attacks. Report any suspicious activity to the security team.
  • Use the features provided by the SaaS application to protect your data. For example, many SaaS applications allow you to encrypt your data, set permissions, and track user activity.
  • Report any suspicious activity to the security team. If you see anything that doesn't seem right, such as unauthorized access or suspicious activity, report it to the security team immediately at informationsecurity@drexel.edu.
  • Only use SaaS applications from reputable providers. Do some research before you sign up for a SaaS application to make sure that the provider has a good reputation for security.
  • Read the terms of service and privacy policy carefully. This will give you an understanding of how the provider collects, uses, and protects your data. Contact the Office of General Counsel and Privacy Program Services for legal and privacy review.
  • Be aware of the risks of using SaaS applications. SaaS applications are convenient and cost-effective, but they also introduce new security risks. It's important to be aware of these risks and to take steps to mitigate them.
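As an added example (not part of the Drexel article), the two login anomalies named above, impossible travel and brute-force attempts, checked over constructed SaaS audit events. The JSON field names, the 900 km/h travel-speed limit and the five-failures-in-ten-minutes threshold are assumptions, since each provider exports its own log format.

```python
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta

MAX_SPEED_KMH = 900           # faster than this between two logins is "impossible travel"
BRUTE_FORCE_FAILURES = 5      # failed logins per account inside the window
BRUTE_FORCE_WINDOW = timedelta(minutes=10)

# Constructed sample audit events (JSON lines) with a rough source-IP geolocation.
SAMPLE_LOG = """
{"ts": "2026-03-27T09:00:00", "user": "alice", "result": "success", "lat": 39.95, "lon": -75.16}
{"ts": "2026-03-27T09:40:00", "user": "alice", "result": "success", "lat": 52.52, "lon": 13.40}
{"ts": "2026-03-27T10:00:00", "user": "bob", "result": "failure"}
{"ts": "2026-03-27T10:01:00", "user": "bob", "result": "failure"}
{"ts": "2026-03-27T10:02:00", "user": "bob", "result": "failure"}
{"ts": "2026-03-27T10:03:00", "user": "bob", "result": "failure"}
{"ts": "2026-03-27T10:04:00", "user": "bob", "result": "failure"}
{"ts": "2026-03-27T11:00:00", "user": "carol", "result": "success", "lat": 39.95, "lon": -75.16}
{"ts": "2026-03-27T15:00:00", "user": "carol", "result": "success", "lat": 40.71, "lon": -74.01}
"""

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in kilometres between two lat/lon points
    p1, p2, dl = math.radians(lat1), math.radians(lat2), math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_login_anomalies(log_text):
    # Returns (user, kind) alerts; events are processed in timestamp order
    events = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    alerts, last_ok, failures = [], {}, defaultdict(list)
    for e in events:
        user, ts = e["user"], datetime.fromisoformat(e["ts"])
        if e["result"] == "failure":
            # Brute force: count failures inside a sliding window per account
            failures[user] = [t for t in failures[user] if ts - t <= BRUTE_FORCE_WINDOW] + [ts]
            if len(failures[user]) >= BRUTE_FORCE_FAILURES:
                alerts.append((user, "brute_force"))
                failures[user] = []  # one alert per burst
        else:
            if user in last_ok:
                prev_ts, plat, plon = last_ok[user]
                hours = (ts - prev_ts).total_seconds() / 3600
                km = haversine_km(plat, plon, e["lat"], e["lon"])
                # Impossible travel: implied speed no airliner could reach
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    alerts.append((user, "impossible_travel"))
            last_ok[user] = (ts, e["lat"], e["lon"])
    return alerts
```

Carol's Philadelphia-to-New-York logins four hours apart are plausible and raise nothing, which is the false-positive check a reviewer of such alerts should insist on.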

Details

Article ID: 20224
Created: Fri 3/27/26 11:23 AM
Modified: Fri 3/27/26 2:20 PM

Related Articles

This article highlights common security risks associated with desktop software, such as outdated software, malware, misconfiguration, and data breaches, and provides best practices to reduce those risks. Guidance includes using trusted sources, keeping software updated, enforcing strong authentication, encrypting and backing up data, using Drexel‑approved security tools, and reporting suspicious activity.

Related Services / Offerings

This service is provided by the Information Security Office. In order to protect the Institution and the Institution's systems, departments and/or individuals should complete this form to initiate a security assessment where a third-party software/service will store/process/transmit institutional information as defined in the Information Security for Institutional Information Policy (IT-8). This is intended for use by Institution personnel and should be completed by an organizational unit [Requester] within the Institution. Kindly engage your college or central IT professional while completing this form. Early IT involvement during third-party risk/security assessments often improves risk/security assessment quality and reduces unnecessary delays in the process. This process will assist the Institution in preventing breaches of institutional information and in complying with Institutional policies, state, and federal laws.