Securing SaaS tools for your organisation
Follow this guidance if you’re responsible for choosing, buying and managing Software as a Service (SaaS) tools in your organisation.
Software as a Service (SaaS) tools are also known as cloud-based applications, open internet tools, web tools and cloud tools.
The UK government has a cloud first policy, and commercial SaaS tools can improve your organisation’s collaboration, project management and productivity.
What to do before buying SaaS tools
Your organisation will have shadow IT users who are using commercial SaaS tools for work purposes. Many commercial tools have free trials, which end users often sign up to.
You should take steps to identify, size and manage this shadow cloud footprint. By researching what your users are already using and finding out what they need, you can provide them with appropriate SaaS tools. You also need to assess and manage the risk posed by SaaS tools to:
- avoid data security breaches
- manage disaster recovery
- meet your record management obligations
- migrate away from the tools, if needed
You should talk to your security team early in the process to identify and assess the information and data protection risks of using a SaaS tool. You should consult your Data Protection Officer, Security Officer or Information Governance Manager in your organisation.
You must use SaaS tools in ways that comply with the:
SaaS tool use must also comply with the UK government’s Security Policy Framework (SPF). The SPF describes how UK government organisations and third parties need to handle government information. The Minimum Cyber Security Standard helps organisations to clarify the expectations of the SPF.
Choosing SaaS tools
When choosing a tool, you should work with your security and Knowledge and Information Management (KIM) teams so you can:
- follow the National Cyber Security Centre’s (NCSC) guidance on SaaS tools to check the security of the tool
- check the tool meets the NCSC’s Cloud Security Principles
- only choose tools that allow users to sign in using HTTPS
- carry out a Data Protection Impact Assessment (DPIA)
- check data control settings within the tool and make sure you can retrieve or remove the data in a safe way if necessary
- use offshoring agreements if any data is held or operated outside of the UK - check with your IT team for advice
- get approval to use the tool if sensitive information (both personal and business) is being held in the European Economic Area (EEA) or beyond
Your SaaS tool should let you track user activities and help you respond to FOI or subject access requests. For example, select a tool that lets you:
- create an audit trail to see when information was used, amended and deleted
- delete and retain specific information in accordance with your organisation’s disposal and retention policies
- search through content so you can look for specific information
Consider using the paid-for version of tools so you have all of the security, management and auditing features you need.
Configuring SaaS tools
When configuring SaaS tools for an organisation, you should:
- integrate SaaS tools with your existing cloud identity systems and provide Single Sign-On (SSO) for users, where possible
- use multi-factor authentication and make sure users set up strong passwords if integration with identity systems or SSO is not possible
- set sharing and public access settings to ‘off’ or ‘private’ by default to make sure only authorised users can access data
- create organisation-wide accounts for your workforce to minimise shadow IT; use self-enrollment or auto-enrollment where available to help with this
- make sure the SaaS tool has an appropriate joiners, movers and leavers process, which fits into your existing process
- restrict accounts to approved groups, for example anyone with your organisation’s email address
- allow users to share information with individuals outside your organisation in a managed and auditable way
- make sure tools are only accessible from work managed devices unless your organisation has a bring-your-own-device (BYOD) policy
- configure end user devices accessing the tool by following official supplier information
Managing SaaS tools
Once you have rolled out SaaS tools to users, you should manage them by:
- setting user privileges
- offering a central point of contact for users to ask questions
- giving users training to help them use the tools securely, for example help in managing passwords and not sharing accounts
- making sure any operating systems, apps, or browsers your users use to access the tools are up to date
- monitoring audit logs and investigating any suspicious activity
- taking steps to protect any personal data
You should also make sure you can remove any accounts when someone leaves your organisation, for example by removing accounts attached to an individual’s work email address or by adding a centrally-owned account as an administrator account.
Migrating from a SaaS tool
Migrating data away from a SaaS tool can be a complex process and you need to comply with legal requirements. If you decide to stop using a SaaS tool, you must:
- update your data processing records - for example, your DPIA
- migrate all information to your main storage system and securely delete all information from the tool you no longer use
- contact your security team for help with any migration queries
You may also have to ask your SaaS tool supplier to delete data securely and they should confirm they have done this. Your security team can help you with this process.