Help Clients Help Themselves: Privacy and Security in On-Premises Deployments

By Ross Saunders

When you are a SaaS provider, you have control over the software you develop, as well as the deployment processes. You are good at securing your cloud and ensuring privacy legislation is adhered to. But, what happens when you offer an on-premises or hybrid solution that clients deploy on their own (or with your assistance)? How do you ensure that the software is still being kept in a secure state and that there won’t be any collateral damage and finger pointing should something go horribly wrong?

While there is still liability and responsibility that should fall to the client here, you can assist them to a large degree in helping to secure their environments and protecting the privacy of the individuals’ data within.

Contractual Provisions

In any sort of on-premises scenario, your agreements such as a Master Services Agreement (MSA) or Service Level Agreement (SLA) should be pretty water-tight in terms of who holds what responsibility for the environment. As the security of the environment is out of your control, you also want to contractually indemnify yourself as to misconfigurations and any potential incidents arising from poor practices.

Documentation and Guidance

While the above is largely to protect yourself as the software provider, it needs to be balanced with assisting the client in securing the environment as well as you would if you were hosting it and taking responsibility for it. Simply put, you should not contract away responsibility without giving the client the tools and means to protect themselves to the same or greater levels than you would.

In this day and age, this goes beyond sending a user manual or configuration guide. Sure, those are useful, but you need to let the customer know what kind of behaviour is to be expected (and not expected) in logs, what your “secure-by-default” configuration settings are, and detailed documentation on the security settings you would enable to secure an environment.

Some of the most successful clients we’ve worked with that have on-premises offerings, have detailed libraries that clients can access, detailing the troubleshooting steps and settings their own third-line/DevOps teams would use to ensure a safe deployment.

In addition to deployment, guidance on ongoing maintenance also needs to be provided. How and when should issues be escalated, and what could the client manage themselves. Be sure to give guidance on user management, best practices, and privileged access.

Functional Support

Documentation and guidance is great, providing the client follows them. The first-prize option is to build in the functions that the client would need into the software, as well as detailed descriptions of these features.

In a “secure-by-default” kind of approach, you would secure to the maximum level as a default setting, and then allow security features to be turned off selectively per use-case. The same applies to Privacy. “Privacy by Design” (PbD) is a series of principles used in the development process to ensure that data is protected at all times. PbD’s principles are as follows:

• Proactive not reactive; preventative not remedial

• Privacy as the default setting

• Privacy embedded into design

• Full functionality – positive sum, not zero-sum (effectively, security and privacy should work together, not be a “one or the other” approach)

• End-to-end security – full lifecycle protection

• Visibility and transparency – keep it open

• Respect for user privacy – keep it user-centric

The above principles, combined with defined documentation, features that support clients, and checklists for ease of implementation, can go a long way into providing a sense of security that when clients sign your MSA’s and SLA’s, they’re still going to be getting top shelf security and privacy protections that they would expect from a Software-as-a-Service solution.

At Bamboo Data Consulting we have vast experience in the privacy and security governance of software tools, both on-premises and hosted in the cloud. Feel free to reach out to us for a consultation on your tools, and how offerings like Threat Modelling, Assurance Models, and advisory services can assist both you and your clients.