Here’s how government CIOs can keep data secure when using SaaS
Governments are increasingly turning to software-as-a-service solutions to simplify everyday work processes, but the security of cloud-based services remains a key concern. Chetan Sansare, Senior Director for Security and Regulatory Compliance for APAC, Salesforce, shares how government CIOs can keep data secure when turning to SaaS.
SaaS solutions can simplify work processes, but government CIOs should be mindful of the security concerns that come with these tools. Image: Canva
“We need to break the mindset that the government is very unique in the things we do … actually, many of the functionalities are the same,” said Kok Ping Soon, the former Chief Executive of Singapore’s Government Technology Office this May.
He was making a case for governments to adopt software-as-a-service (SaaS) products, highlighting the availability of ready-made, subscription-based software that could help government agencies streamline everyday tasks from HR to customer management.
“SaaS tools can help organisations create new digital services and respond quickly to changing needs during periods of disruption,” says Chetan Sansare, Senior Director for Security and Regulatory Compliance for APAC, Salesforce, a leading AI customer relationship management SaaS provider.
But even as the government turns to SaaS to customise work experience and improve productivity, it is critical that government CIOs understand how to manage the security of SaaS applications, he says. Here are three ways to do so.
1. Review the security capabilities of SaaS products
First, CIOs need to fully understand and review the security capabilities and options available within SaaS products, Sansare explains. Secure data governance and management is “the key to keeping confidential information secure.”
As with any cloud application, it is critical to review and ensure that the SaaS solution adopts ‘secure-by-design’ principles, “where the software is foundationally secure, and security is built – as a priority – into the software development lifecycle, rather than as an afterthought.” Many SaaS providers have developed products that cater to specific government requirements, with the compliance certifications to show for it.
Governments should also consider if a SaaS solution is ‘secure by default,’ which means products come ready to use with preset configurations to help users stay as secure as possible, rather than requiring them to opt in.
Once organisations have reviewed the security foundations of a SaaS tool, they can tap on the advanced security features offered by the SaaS provider, which may include “tools to test and review security postures, track and manage security scans, and develop secure code and web apps,” he says.
For instance, Salesforce Shield can provide Salesforce customers with enhanced encryption, app and data monitoring, and security policy automation, on top of in-built security controls, explains Sansare. These tools can further bolster the integrity and security of confidential data through best-in-class tech.
When it comes to integrating technologies like generative AI, Sansare cautions that CIOs should take the time to understand how SaaS platforms interact with these products, and whether they handle data in a manner compatible with security, privacy, and ethical obligations.
2. Monitor levels of access and control
Next, it is important for CIOs to remember that even with state-of-the-art security tools, data governance and management remains a shared responsibility, particularly for government agencies which deal with large amounts of confidential data, says Sansare.
Once a SaaS product is implemented, it is important to configure it in line with your own security policies, he explains. Then, CIOs need to govern access to the application following the principle of least privilege and conduct regular monitoring of access rights.
One strategy to help mitigate cyber threats is to adopt a Zero Trust architecture, which is built on the principle of least privilege. This means that users should have the minimum amount of access needed to do their jobs and nothing more, he explains.
If a user’s credentials are compromised within this framework, it limits the potential damage that can be done within the network. Zero Trust architecture principles should encompass the domains of identity, devices, networks, applications, workloads, and data.
A key tenet of a Zero Trust architecture is multi-factor authentication (MFA), which requires users to authenticate their identity at all critical points of interaction within systems. Salesforce also requires all of its customers to use multi-factor authentication, which can prevent 99% of automated cyber attacks – “one of the easiest, most effective actions to secure data,” says Sansare.
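The two controls described above, least-privilege access with regular review of access rights, and MFA for every account, are the kind of thing a CIO's team can check mechanically against a user export rather than by hand. The script below is an added example and is not code from the article or from Salesforce; it assumes a generic export format (one record per user with role, assigned permissions, MFA status and last login), and the role baselines, permission names and sample users are constructed for illustration. It flags permissions beyond a role's baseline, high-risk permissions held outside the admin role, accounts without MFA, and dormant accounts.

```python
"""Least-privilege and MFA review over a SaaS user export (added example).

Assumes a generic export: one record per user carrying role, permissions,
MFA status and last login. Field names, role baselines and sample users
are constructed, not taken from any real product.
"""
from datetime import date, timedelta

# Hypothetical baseline: the minimum permission set each job role needs.
ROLE_BASELINE = {
    "hr_officer": {"read_contacts", "edit_contacts"},
    "case_worker": {"read_cases", "edit_cases"},
    "data_analyst": {"read_cases", "export_data"},
    "admin": {"read_contacts", "edit_contacts", "read_cases", "edit_cases",
              "manage_users", "export_data"},
}

# Permissions that grant broad control; outside the admin role they should
# be justified and reviewed even when a role baseline includes them.
HIGH_RISK = {"manage_users", "export_data"}

# Constructed sample export (not real data).
SAMPLE_EXPORT = [
    {"user": "alice", "role": "hr_officer",
     "perms": {"read_contacts", "edit_contacts"},
     "mfa_enabled": True, "last_login": date(2024, 5, 20)},
    {"user": "bob", "role": "case_worker",
     "perms": {"read_cases", "edit_cases", "export_data"},
     "mfa_enabled": False, "last_login": date(2024, 5, 18)},
    {"user": "carol", "role": "admin",
     "perms": set(ROLE_BASELINE["admin"]),
     "mfa_enabled": True, "last_login": date(2023, 11, 2)},
    {"user": "dave", "role": "data_analyst",
     "perms": {"read_cases", "export_data"},
     "mfa_enabled": True, "last_login": date(2024, 5, 25)},
]


def review_access(export, today, dormant_after_days=90):
    """Return a list of (user, issue, detail) findings for an export."""
    findings = []
    for rec in export:
        baseline = ROLE_BASELINE.get(rec["role"], set())
        # Least privilege: anything beyond the role baseline is excess.
        excess = rec["perms"] - baseline
        if excess:
            findings.append((rec["user"], "excess_permissions", sorted(excess)))
        # High-risk permissions outside the admin role need a justification.
        risky = rec["perms"] & HIGH_RISK
        if risky and rec["role"] != "admin":
            findings.append((rec["user"], "high_risk_permission", sorted(risky)))
        # MFA must be on for every account.
        if not rec["mfa_enabled"]:
            findings.append((rec["user"], "mfa_disabled", None))
        # Dormant accounts are a standing liability; flag for removal.
        idle_days = (today - rec["last_login"]).days
        if idle_days > dormant_after_days:
            findings.append((rec["user"], "dormant_account", idle_days))
    return findings


def review_sample():
    """Run the review over the constructed export as of 2024-06-01."""
    return review_access(SAMPLE_EXPORT, date(2024, 6, 1))


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

Run on a schedule (for example monthly) and route the findings to the application owners; the role baselines are the policy, so changes to them should go through the same review as any other security configuration change.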
3. Know where your data is stored
CIOs need to ensure the data hosted on SaaS platforms is stored in accordance with government regulations and data residency requirements.
This is a key feature of Hyperforce, a reimagination of Salesforce architecture for the public cloud. Hyperforce allows highly regulated industries, like government agencies, to leverage the benefits of the public cloud while remaining compliant and storing their data locally.
CIOs also need to ensure that data can be backed up to ensure continuity in worst-case scenarios, that specific data retention requirements can be addressed, and that backup locations meet regulatory requirements.
SaaS solutions like Salesforce Backup can automatically create backup copies of business data, empowering organisations to recover data even in worst-case scenarios, and store backups of customer data at locations that meet regulatory requirements.
Finally, it is important to work with the SaaS providers for support in terms of maintenance, management of data responsibilities, and updates to the latest security features, adds Sansare.