How Saas Cloud Services Protect Data Security

Date: Oct 27, 2022

Related Tags：1. Alibaba Cloud Security Services
2. Security Center

Abstract: In the cloud era, our tests and protection in disaster recovery construction and data security.

Recently, a SaaS service provider/Weimeng encountered employees who deleted the database and ran away, and a large-scale failure of the server caused the business of millions of merchants on the platform to basically stop for a while. After this incident, both manufacturers and users on the platform are going through a very difficult time.

According to the official information, after more than a week, the data has been fully recovered and the official launch has been resumed. In response to the impact of the accident on platform users, the company has prepared a special compensation plan.

In social media and professional forums, this incident has also become a topic of discussion among many technicians. It took more than a week for the data to be restored. Some people speculate that the backup database may also be deleted at the same time. In essence, this also reflects data security management. The mechanism is not sound enough.

As a practitioner who has been in the field of IT technology for many years, I was quite shocked when I heard the news. The database was maliciously deleted and the recovery time was long. I knew exactly what this meant for enterprise users. I also want to talk to you from this wake-up call, the cloud era, our tests and protection in disaster recovery construction and data security.

SaaS applications, neglected data security

Originally, the need for the prevention and control of the new crown pneumonia has driven the cloud office of 200 million people in China. Compared with various fancy marketing battles, this database deletion incident is more worthy of alertness. This is not just the market value of a cloud service manufacturer evaporated. There are also economic losses for millions of users, especially because of the network security debt exposed here, which many domestic companies have generally ignored and paid little attention to in the past.

As far as my own field of work is concerned, I have been working in the HR SaaS industry for more than ten years. From the perspective of both the supply side and the demand side, many companies still have many data security risks in business applications in the process of practice. .

For example, many domestic SaaS manufacturers consider the operation and maintenance team to be a cost center and do not pay attention to information security, so they continuously reduce investment in this area. Only when they encounter pain, will they temporarily increase investment to make up for the loss. But we know that if it does happen, the price will be painful every time.

On the demand side, when choosing SaaS products, many companies will pay more attention to whether the product looks good or not, and whether it is easy to use or not, but it is easy to ignore security considerations. In addition, some enterprises implement localized deployment in order to ensure security, but after localization, system security will become more vulnerable.

The Internet in China is developing very fast. SaaS is the largest segment of the cloud computing market. In recent years, it has prospered and more and more organizations have turned to software as a service (SaaS) as a way to solve enterprise needs. method. The epidemic has also contributed to the purchase of SaaS applications by domestic enterprises.

Cloud transition, data security is also a priority

For our practitioners, we are very happy to see more and more Chinese companies purchase SaaS products to improve productivity, but we sincerely suggest that data privacy and security should be a priority that cannot be ignored when purchasing. Share some of our daily practices and countermeasures as a SaaS service provider:

First, decentralize control authority and do a good job in the division of labor

Do a good job of minimum authority management (the principle of least authority), 3 people and 3 keys, each person can only open his own box, and 3 people can open the complete box together at the same time. In daily management, focus on special privilege accounts and VPN privilege management.

Second, strengthen security controls for access to production systems

Establish a data security governance system and continuously optimize it, conduct pre-approval, in-process control, post-audit, and regular reporting of operation and maintenance behaviors to avoid malicious and misoperation of operation and maintenance personnel, and ensure efficient approval and accurate execution.

R&D personnel are not allowed to directly tamper with the data layer. Each direct access to the production system must pass a specific approval and be coordinated by full-time operation and maintenance personnel for read-only operations. The supporting process management system and approval mechanism ensure that the key person in charge understands each online operation and keeps the operation log well.

Third, take preventive measures technically and attach importance to the protection of data assets

Cooperate with professional security vendors to conduct regular security scans to strengthen the software and hardware security prevention and control capabilities of production systems.

Data backup of the production environment is carried out on a regular basis. The data center of Kennexa adopts disaster recovery technology and has a 2-site 3-backup system to ensure high availability of the system. The traditional backup system restores data from the B side to the A side, and many aspects such as data capacity, transmission speed, and disk performance will restrict the restoration time during the process. Disaster recovery technology can directly run available systems on the B side, greatly reducing downtime.

Regular security drills can also improve the team's ability to deal with emergencies, and can also verify the integrity of backup data during the process, avoiding that sometimes when everything is ready, it is found that the backup data is damaged and cannot be restored normally.





last words

What is the premise of data security? It is the data that is well stored in the server and that the system works well. If this premise is gone, there will be no so-called data security.

In the company I serve (domestic human capital management cloud service provider), we see that many companies in the domestic market are actively migrating to the cloud, and the iteration of human resource management SaaS applications is accelerating. Seeing these prosperity, we cannot take data security management lightly, because the platform does not carry a few people, but large and small companies. This is what we insist on the first day we provide SaaS services to our customers, and data security management is never trivial.