How to Increase Security in a SaaS Solution

Simple measures can increase the security of an internet application. The advice and tips below apply not only to TimeLog Project but to all other SaaS solutions, and most of the advice also applies to IT systems in general.

1. Have a security policy
Have some overall guidelines for using the SaaS solution and for handling security. Communicate your security policy to all employees, and be sure to explain why you have these policies. Communication is especially important when the policy is strict; otherwise, employees might see it as harassment, which can make them work against the policy.

Keep the security policy as simple as possible and avoid long technical explanations. The most important thing to remember about a security policy is that it should be easy to explain to the employees. A simple security policy is much better than a complex and technically oriented one.

2. Give guidelines for passwords
Too many users have insecure passwords. Make rules for passwords in your security policy.

In TimeLog Project’s system administration you can set up rules for what kinds of passwords are allowed. Make sure that simple passwords cannot be used (e.g. few characters, same password as user name etc.) and that there are requirements for the length and variation of the password.

Besides choosing passwords that are too simple, another typical mistake is that employees use the same passwords both privately and at work. Explain in the security policy why this is a bad idea.

3. Make sure your employees are careful when using the internet
The vast majority of security problems are due to carelessness on the part of employees, not external attacks against the company. Passwords are written on yellow post-its placed on the employee’s monitor, employees visit “insecure” websites, employees click on links in spam mails etc. All this increases the risk of security problems. Therefore, it is crucial to inform the employees on how to use their server and PC in a secure way.

4. Make sure to deactivate former employees’ access
Former employees can be a source of security problems. That is why it is important to deactivate former employees’ access to all IT systems on the same day as they leave the company.

5. Avoid “master” passwords
It is a bad idea to give all employees the same password when introducing a new IT system, or to have a general password that is used throughout the company. It is even worse to have a fixed system for making new passwords, since anyone who knows the system can work out other people's passwords.

6. Have an updated spam filter and antivirus
Always have up-to-date antivirus software on all client machines and make sure that the company’s mail service is scanned for spam mail. In that way the majority of all unwanted mails are removed.

7. Only use encrypted access 
TimeLog Project can be accessed over both encrypted (HTTPS) and non-encrypted (HTTP) connections. In TimeLog Project’s system administration you can deactivate non-encrypted access. This is the default setting, but there can be several reasons why non-encrypted access has been opened up. Make sure that TimeLog Project is only used via an encrypted connection unless your company has special needs that do not make this possible.

That is how easy it is. If your company follows this advice, you will be able to avoid most security problems.
