OAS — The SaaS Provider Superpowers

Orit Yaron
Transmit Security Engineering
Nov 9, 2022

Digital transformation is on at full power, and with it more organizations are turning either to leveraging SaaS solutions or to migrating their own capabilities to a SaaS model.

What differentiates an OK SaaS provider from a great one? We refer to it as the OAS of SaaS, the superpowers of a great SaaS provider. When you have it, you are Superman. When you don’t, you are Clark Kent holding kryptonite…

So, what is OAS? OAS stands for Observability, Security and Availability. These three pillars of a great SaaS operation share a common denominator: to achieve excellence in any of them, you need to implement a layered approach.

In this post we will touch on what each of these means; in following posts we will share in more detail how we implement each of them at Transmit Security.


Observability

Every organization, and especially a SaaS one, would like to be in a position to make decisions based on data. This works well, provided:

  1. You have good quality data
  2. Your data is organized in a way that lets you extract knowledge and insights from it

Your Observability stack is a critical part of your immune system. Much like in biology, this immune system needs to protect you by blocking or preventing, and to alert and notify you before things go really bad, so you have time to react and apply the right medicine.

In a nutshell, the Observability stack consists of three types of systems:

  • Data gathering technologies — collecting and storing metrics, logs, etc.
  • Presentation technologies — arranging the data in dashboards that are easy for humans to understand
  • Alerting technologies — pushing alerts to you based on predefined thresholds and scenarios

Availability

If your service isn’t available, it is not generating any value. In a global world that operates 24x7 there is no room for a service that does not meet that same level of availability.

SaaS availability is driven by many underlying components, and eventually it is determined by the weakest link in the chain. To name a few: compute power, network infrastructure, code resilience, etc.

To assure you meet the desired availability, you need to implement a layered approach:

First, introduce redundancy of your components (clustering your compute resources, leveraging more than one provider, multi-path traffic, geographic spread).

Second in line is recovery: protecting your service against failures such as data corruption, where keeping multiple synced copies of the data will not save the day, because the copies sync the corruption too.

The third layer is testing. The redundancy and recovery operations you implement must be tested (and monitored) on an ongoing basis, or you will find that they failed at the worst possible time. The most common examples of glorious failures are a backup process with no restore test, and a DR site that never received traffic and was left behind.

When you skip the third layer, testing, you lose twice: on one hand you pay the overhead of having redundancy and recovery in place; on the other, when you actually need them, they are useless.
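The third layer in practice, as an added example that is not part of the original post and not Transmit Security's code: a restore test that unpacks a backup into a scratch directory and verifies every file against a manifest recorded at backup time, so a truncated or damaged backup is caught before the day you need it. The names make_backup, restore_test and the sample files are assumptions.

```python
# Added example (not Transmit Security's code): a restore test for the
# "backup with no restore test" failure mode; helper names are hypothetical.
import hashlib, io, json, tarfile, tempfile, zlib
from pathlib import Path

def make_backup(files: dict[str, bytes]) -> bytes:
    """Build a tar.gz backup whose first entry is a manifest of SHA-256 digests."""
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    entries = [("MANIFEST.json", json.dumps(manifest).encode())] + list(files.items())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def restore_test(backup: bytes) -> dict:
    """Restore into a scratch dir; ok is True only if every manifest entry is intact."""
    report = {"ok": False, "verified": 0, "errors": []}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        try:
            with tarfile.open(fileobj=io.BytesIO(backup), mode="r:gz") as tar:
                for member in tar:
                    dest = (root / member.name).resolve()
                    # Restore only plain files that land inside the scratch directory.
                    if not member.isfile() or not dest.is_relative_to(root):
                        report["errors"].append(f"{member.name}: refused to restore")
                        continue
                    dest.write_bytes(tar.extractfile(member).read())
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            report["errors"].append(f"extract failed: {exc}")  # truncated or damaged
            return report
        manifest_path = root / "MANIFEST.json"
        if not manifest_path.exists():
            report["errors"].append("manifest missing")
            return report
        for name, digest in json.loads(manifest_path.read_bytes()).items():
            path = root / name
            if not path.exists():
                report["errors"].append(f"{name}: missing after restore")
            elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
                report["errors"].append(f"{name}: checksum mismatch")
            else:
                report["verified"] += 1
    report["ok"] = not report["errors"]
    return report

SAMPLE = {"users.db": b"id,name\n1,alice\n2,bob\n", "config.yaml": b"region: eu\n"}  # constructed
```

Run restore_test against a backup taken from SAMPLE and against the same blob cut in half: the first reports ok with two verified files, the second reports an error instead of a false sense of safety.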

Security

As part of the increasing digital transformation, we see more audiences acquiring and using online services. As a result there are more identities online, and more opportunities for fraud. Indeed, we see an increase in account takeover (ATO) attacks.

Providing a service is a big responsibility. Protecting user information is an even bigger one, so it should not be taken lightly, especially in light of the increasing threats.

To achieve SaaS security, as with the other OAS superpowers, you need to implement a layered approach, starting with the first line of code you write.

Code security starts with secure design and continues through implementation, for example with code scanning and vulnerability detection as part of the development process. Whether you choose to follow OWASP or other guidelines, the important part is not to ignore the findings and, when needed, to prioritize fixes.

Second in line is infrastructure security. The same applies here: regardless of the CSPM tool you use, don’t underestimate the findings.

The third layer is the perimeter protection you should consider. Many different technologies belong here; to name a few: a WAF (which should also provide you with DDoS protection) and a VPN (keep inside what does not need to be outside…).

Now all you have to do is go and build your OAS. Luckily, unlike Superman, it is not a trait acquired at birth, but a set of capabilities you can build and develop, like a muscle.

It will require hard work and dedication, but that is also part of the fun. In coming posts we will share how we build our OAS SaaS muscles and powers, a never-ending journey of continuous development and improvement.
