Software as a Service (SaaS) applications can offer a company considerable cost and operational benefits, but a major concern — especially in a regulated industry — is losing control of the data security leaders give to their SaaS providers. More specifically, by using SaaS applications, security leaders lose control over:

• The infrastructure that hosts data
• The people who can access data
• The security policies that govern the operational use of data
• The location and sprawl of data as it’s copied and moved to different systems and geographic locations

Furthermore, most SaaS providers commingle data with that of other companies in the same data stores. This increases the risk of inadvertent access by other users of the SaaS application should there be any software bugs or misconfiguration.

To address these concerns, SaaS providers are starting to offer data encryption with Bring Your Own Key (BYOK) technology. The benefits of using BYOK technology with SaaS application include the following:

• Additional controls over data residing in SaaS applications to better enforce compliance with data privacy or residency requirements.
• An extra layer of protection beyond typical data protection methods.
• Cryptographically “shred” data when security leaders stop using the SaaS application — or at any time — at their discretion

While many SaaS providers have already recognized the value of offering BYOK capabilities, some still believe their existing data security controls are sufficient without giving their enterprise customers control of their own encryption keys. In order to better assess their mitigating controls in the context of current security and compliance requirements, here are a few questions to ask:

What technical controls are in place to ensure that no one can see data without authorization?

SaaS applications typically provide some access control capabilities that prevent one user from seeing the data of another user. In most cases, this multi-tenant access control is implemented in the application itself and does not extend beyond the application as the end user data is stored, copied, or backed up.

The risk with such controls is the presumption that the software is infallible. Should there be any bugs in the software or vulnerabilities, the separation between tenants can be readily breached. Furthermore, since all tenant data are typically commingled in the data stores, there’s virtually no separation of access when data is accessed through administration interfaces or tools. Suppose a support ticket filed by another company required the SaaS admins to directly review the application tables in the database. Nothing prevents the same admin from deliberately or inadvertently seeing data even though they didn’t file the request. 

If data was encrypted with BYOK capabilities, the admin would only be able to access data for the customer that granted such access for debug or diagnostic purposes. The data would remain safely encrypted and unaffected by the activities required for another tenant. 

In the unlikely event that data is compromised, what steps will be taken to mitigate the scope of the data breach?

It’s important to discuss what steps the SaaS provider will take if data is exposed to unauthorized people, whether the exposure is due to a deliberate cybersecurity attack or inadvertent failure in processes and controls.

With that understanding, it’s also essential that an organization has a plan of action should a SaaS-based exposure issue occur. At the end of the day, the company — not the provider — will have to answer to customers and deal with potential non-compliance fines due to violation of data privacy laws and regulations.

What happens to data after?

Encrypting data with BYOK capabilities eliminates the guesswork around whether or not data was completely purged. The destruction of keys will “virtually shred” all data regardless of where it may have been copied or backed up.