Software as a Service (SaaS) applications are increasingly popular. Many of us use them on a daily basis, so it’s important we know how to check if they are suitably secure.
To do this, the NCSC have developed a set of SaaS security principles, derived from a slimmed down subset of the NCSC’s cloud security principles. These SaaS security principles represent our judgement as to the minimum set of security attributes you should seek to understand before using a SaaS offering.
We have used the SaaS security principles to assess the security properties of a range of popular SaaS offerings. You can find these in the security reviews section below. You should read these as worked examples, demonstrating how the principles can be used to evaluate the suitability of any service you are interested in. Given that these services evolve over time, we recommend that you re-test your choice of service periodically.
As our approach provides a minimum level of confidence, your risk management processes might determine that your requirements are more exacting. This will be particularly true for workloads which you deem sensitive, or are covered by other regulations (such as PCI, DSS or GDPR).