Enterprise SaaS Security

Preventing End User-Driven Data Loss in Enterprise SaaS Deployments

Driven by a variety of business needs, enterprise Software-as-a-Service (SaaS) applications have become commonplace. Salesforce.com, an industry leader in customer relationship management, has more than 150,000 enterprises subscribed to its SaaS application. Enterprise SaaS services include a broad range of business applications that incorporate sensitive data, including proprietary corporate data which may be subject to various compliance regulations (e.g., personal health information (PHI) or personally identifiable information (PII)).

To date, security for SaaS applications has focused on server-side data protection. This is due to issues such as the multi-tenant nature of SaaS offerings and the external storage of databases with sensitive corporate data. In many enterprise SaaS deployments, it is common for end users of such services to be mobile. These users access the service from multiple locations, often outside the corporate network, and often utilizing their own devices (BYOD), or other devices not managed by their IT organization, including mobile phones, tablets, home computers, and laptops. This externalized nature of SaaS deployments makes it difficult for enterprise IT and information security professionals to mitigate threats, since the data is often flowing through networks and devices not controlled by the enterprise.

With the recent discovery of cybercrime kit-generated malware specifically targeting the theft of Salesforce.com data, along with the threat of theft by authorized users, the risks to enterprise SaaS applications have never been higher. Quarri enables enterprise SaaS clients customers to meet these threats, by simply and securely protecting SaaS-delivered web content at the browser from both malware and user-driven data compromise.

Quarri Data Safe enables enterprise SaaS customers to deliver an on-the-fly protected browser that prevents malware- and user-driven data compromise. The protected browser is deployed to secure only the SaaS web session. The protected browser is controlled by the enterprise IT professionals via a centrally configured policy. This policy can be configured to perform an extensive set of security controls to protect a browser session and its content from compromise.

Available security controls include:

  • Anti-malware defenses. Quarri’s browser process isolation provides zero-day defense against key loggers, screen capturers, hostile plug-ins, code injectors and process debuggers, and other man-in-the-browser attacks. This secures SaaS service login credentials and data in the browser from compromise by malware.
  • Protections against SSL man-in-the-middle proxies observing, altering or stealing session data
  • Real-time encryption of all SaaS session data, including cache content, cookies, and history, making the data usable only to the protected browser and no other processes (e.g., active malware). Upon session exit this data is deleted, leaving no session artifacts behind.
  • Information controls that allow customers to control whether end users can copy, print, save or even screen capture SaaS service-generated data in the protected browser. These security controls also extend to commonly used document viewers launched from within a browser, such as Microsoft Office and Adobe Reader.
  • Enforcing that users accessing the SaaS provider are using the Quarri protected browser, to ensure browser data protections are in place. This is done by integrating Quarri’s solution with an organization’s web single sign-on infrastructure.