Securing SaaS tools for your organisation

Follow this guidance if you’re responsible for choosing, buying and managing Software as a Service (SaaS) tools in your organisation.

Software as a Service (SaaS) tools are also known as cloud-based applications, open internet tools, web tools and cloud tools.

The UK government has a cloud first policy and commercial SaaS tools can improve collaboration, project management and productivity of your organisation.

What to do before buying SaaS tools

Your organisation will have shadow IT users who are using commercial SaaS tools for work purposes. Many commercial tools have free trials, which end users often sign up to.

You should take steps to identify, size and manage this shadow cloud footprint. By researching what your users are already using and finding out what they need, you can provide them with appropriate SaaS tools. You also need to assess and manage the risk posed by SaaS tools to:

  • avoid data security breaches
  • manage disaster recovery
  • meet your record management obligations
  • migrate away from the tools, if needed

You should talk to your security team early in the process to identify and assess the information and data protection risks of using a SaaS tool. You should consult your Data Protection Officer, Security Officer or Information Governance Manager in your organisation.

You must use SaaS tools in ways that comply with the:

SaaS tool use must also comply with the UK government’s Security Policy Framework (SPF). The SPF describes how UK government organisations and third parties need to handle government information. The Minimum Cyber Security Standard helps organisations to clarify the expectations of the SPF.

Choosing SaaS tools

When choosing a tool, you should work with your security and Knowledge and Information Management (KIM) teams so you can:

Your SaaS tool should let you track user activities and help you respond to FOI or subject access requests. For example, select a tool that lets you:

  • create an audit trail to see when information was used, amended and deleted
  • delete and retain specific information in accordance with your organisation’s disposal and retention policies
  • search through content so you can look for specific information

Consider using the paid-for version of tools so you have all of the security, management and auditing features you need.

Configuring SaaS tools

When configuring SaaS tools for an organisation, you should:

  • integrate SaaS tools with your existing cloud identity systems and provide Single Sign-On (SSO) for users, where possible
  • use multi-factor authentication and make sure users set up strong passwords if integration to identity systems or SSO is not possible
  • set sharing and public access settings to ‘off’ or ‘private’ by default to make sure only authorised users can access data
  • create organisation-wide accounts for your workforce to minimise shadow IT; use self-enrolment or auto-enrolment where available to help with this
  • make sure the SaaS tool has an appropriate joiners, movers and leavers process that fits into your existing process
  • restrict accounts to approved groups, for example anyone with your organisation’s email address
  • allow users to share information with individuals outside your organisation in a managed and auditable way
  • make sure tools are only accessible from work managed devices unless your organisation has a bring-your-own-device (BYOD) policy
  • configure end user devices accessing the tool by following official supplier information

Managing SaaS tools

Once you have rolled out SaaS tools to users, you should manage them by:

You should also make sure you can remove any accounts when someone leaves your organisation, for example by removing accounts attached to an individual’s work email address or by adding a centrally owned account as an administrator.
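As an added example that is not part of this guidance, the following script applies the configuration checks above (default-private sharing, an audit trail, accounts restricted to your organisation’s email domain, MFA where SSO is not in place) and the leaver check to a constructed user export. The field names, the example.gov.uk domain and the tenant settings are assumptions for illustration, not any product’s real API.

```python
# Constructed sample of what a SaaS admin console might export.
# Field names are assumptions, not a real product's schema.
ORG_DOMAIN = "example.gov.uk"            # assumed approved email domain
LEAVERS = {"dave@example.gov.uk"}        # constructed: fed from the leavers process

TENANT_SETTINGS = {
    "default_sharing": "public",         # should be "off" or "private"
    "audit_log_enabled": True,
}

USERS = [
    {"email": "alice@example.gov.uk", "sso": True,  "mfa": True},
    {"email": "bob@example.gov.uk",   "sso": False, "mfa": False},
    {"email": "carol@gmail.com",      "sso": False, "mfa": True},   # outside approved group
    {"email": "dave@example.gov.uk",  "sso": True,  "mfa": True},   # has left
]


def is_approved(email: str, org_domain: str) -> bool:
    """True if the account belongs to the organisation's email domain."""
    return email.lower().endswith("@" + org_domain.lower())


def audit_tenant(users, settings, org_domain, leavers):
    """Return a list of (subject, finding) pairs; an empty list means compliant."""
    findings = []
    # Tenant-wide settings from the 'Configuring' and 'Choosing' sections.
    if settings.get("default_sharing") not in ("off", "private"):
        findings.append(("tenant", "default sharing is not off/private"))
    if not settings.get("audit_log_enabled"):
        findings.append(("tenant", "audit trail is not enabled"))
    # Per-account checks.
    for user in users:
        email = user["email"].lower()
        if not is_approved(email, org_domain):
            findings.append((email, "account outside approved group"))
        if email in {l.lower() for l in leavers}:
            findings.append((email, "leaver still has an account"))
        # MFA is mandatory only where SSO/identity integration is absent.
        if not user.get("sso") and not user.get("mfa"):
            findings.append((email, "no SSO and no MFA"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_tenant(USERS, TENANT_SETTINGS, ORG_DOMAIN, LEAVERS):
        print(f"{subject}: {finding}")
```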

Migrating from a SaaS tool

Migrating data away from a SaaS tool can be a complex process and you need to comply with legal requirements. If you decide to stop using a SaaS tool, you must:

  • update your data processing records - for example, your DPIA
  • migrate all information to your main storage system and securely delete all information from the tool you no longer use
  • contact your security team for help with any migration queries

You may also have to ask your SaaS tool supplier to delete data securely and they should confirm they have done this. Your security team can help you with this process.

Published 22 February 2019