Are you creating a security system for a SaaS application? This article is here to help! It lists the important questions to ask from the beginning of your project to avoid security breaches or functional limitations that will hold you back later.
The security of a SaaS application should combine both strength and flexibility:
System strength will guarantee application security by:
System flexibility will contribute to the development of your business by:
Initially, you may be managing users and access rights yourself.
As the volume of users increases, you – and your clients – may wish to delegate certain administration rights so that your clients are managing their users and accounts themselves.
Visual Guard proposes:
Visual Guard WebConsole Administration Dashboard
Visual Guard WebConsole User Management
To read more about this administration interface:
If you develop a multi-tenant Saas application (a single instance of the application used by multiple clients), you should restrain client administration rights to their own user accounts: you don’t want them to be able to modify another client’s accounts!
More generally, Visual Guard restricts delegated access rights in three ways:
If your product catalogue is composed of a suite of applications, Visual Guard allows you to provide Single Sign-On features (SSO) to simplify your user’s experience:
The Visual Guard SSO system includes the following functionalities:
1 – User session management:
When the user passes from one site to another, the Web SSO system:
Note: The Visual Guard Web SSO includes mechanisms to manage security tokens (to create, transfer and secure the tokens). These mechanisms are optimized to avoid performance issues (for example, it doesn’t “simply” authenticate a user and then reload their security for each page visited: the response times would become too long when the number of visits increases).
2 – Provide a front-end for the Single Sign-On system:
The front-end of the Visual Guard Web SSO:
When the user connects to the first site, they will access the login windows where they will choose the type of account and enter their credentials
The user can choose to save certain credentials. On their next visit, they can use the account memorized in the system
3 – Facilitate the integration of applications into the SSO system:
4 – Support for complex configurations:
The Visual Guard Web Single Sign-On supports the following situations:
In each case, Visual Guard automatically handles specific constraints. You will find more information on the page Web Single Sign-On (SSO) with the Visual Guard Web Portal
The majority of SaaS applications require that you create a new account for each. The problem is that users already have multiple accounts, which generate significant support costs for companies (see The Real Cost of Passwords).
Certain clients may wish to reuse their existing user accounts (for example, their Windows accounts). Visual Guard allows you to give access rights to your applications to accounts managed by other organizations. Thus, you can federate user accounts from several clients or or partners and define their access rights to your system.To read more on federating user accounts and managing their access rights:
The administration interface must be conceived to manage large numbers of users and access rights (to guide the administrator performing operations and searches, optimize the response time of the security repository…).
When the application is put in to production, the user authentication process and the calculation of their access rights must be optimized to avoid long wait times. For example, a system that needs to access the security repository each time a user opens a new page has a greater chance of performance issues when the number of users and page views increases:
Case 1: Default SaaS model.
Customers pay to use your application on a time-limited, recurring basis.
Business model: pay-per-use
Case 2: For security or technical reasons, customers may request that you install the application in their environment. Users access it via LAN or Internet.
Business model: pay-per-use
Case 3: Clients wish to reuse their user accounts (for example, their Windows accounts).
The access control system should therefore be able to give existing accounts access to your SaaS applications.
Business model: pay-per-use
Case 4: Classic software delivery model. The client owns a copy of the application. They manage access rights themselves.
The software vendor can add this model to their catalog (in addition to a SaaS model) to increase their product offering.
Visual Guard is easily deployed to clients (simple and sound administration tools, completed documentation…).
Business model: pay-per-use or perpetual license
The majority of projects write application code to define how to apply user permissions. For example, according to the role of the user, this code will deactivate a menu, hide a control, filter a list of data…
As a result, if we want to change the application security (adding new restrictions, for example), we need to perform a full development cycle (design, coding, test, deployment).
Visual Guard has developed an innovative technology to eliminate these inconveniences and completely separate security from business logic:
This solution has the following benefits:
To read more:
How to add permissions
to an application in production
How to integrate Visual Guard
in an existing application
If your business model is based on a pay-per-use SaaS model, or includes temporary use rights, Visual Guard allows you to offer:
Visual Guard’s administration interface has been designed to easily manage large numbers of users and access rights (guides an administrator performing operations and searches, optimizes the response time of the security repository…).
When a SaaS application is in production, the Visual Guard processes that authenticate the user and calculate their access rights is optimized to avoid long wait times (the system does not need to access the security repository each time a user opens a new page, and so avoids performance issues when the number of users and page views increases).
Since a SaaS application is accessible via the internet and manages client data, Visual Guard has created a system that is not vulnerable to the most common types of attacks:
Unauthorized access to security data:
Denial-of-service: Visual Guard includes protection against attempts to make it unavailable to customers by saturating it with numerous logon requests.
Unauthorized administration operations: a user could discover how to access the administration interface or the APIs that manage access control. Visual Guard blocks illegally giving supplementary access rights to user accounts.
Interception of confidential information:
Password cracking: Visual Guard allows you to define a sophisticated Password Policy to protect against password cracking (guessing a password via trial and error).
Packet sniffing: Visual Guard includes a protection against the capture of data packets to find passwords or security tokens in transit over the network. A hacker could steal these tokens to make calls to the system as though they were a legitimate user.
SQL injection: The Visual Guard Administration console contains search fields – for example, to find a user account. It is pre-armed against SQL injections, which consist of inserting parts of SQL statements in the search field, with the goal of consulting confidential information, or illegally changing the security data.To read more about Visual Guard security:
Timeframe is key: we’ve seen in this article that security and access control for SaaS applications involve complex functionalities. For an internal project, they require a significant time commitment and skilled developers.
If you are working in a limited timeframe or the required expertise is not available, a ready-to-use access control solution like Visual Guard is your best solution.
Risk management: Visual Guard limits short-term risks (cost and time overruns, bugs and security breaches), while providing for other long-term challenges:
Why not combine all these advantages? The Visual Guard team is attentive to their users’ needs when choosing how to continually evolve their application with the market. You benefit from the advantages of a standard solution (more stable and complete at a lower cost) while being able to influence future development to better cover your specific needs.