SaaSification is about moving software and applications into the cloud so that they can be provided "as a Service".

A comprehensive guide on what security measures need to be applied is being developed and validated with various providers. Our assumptions will be clarified with a couple of scenarios that will be further developed over time.

For ISVs (independent software vendors), SaaSification is a process that requires technical, business and marketing considerations, which have been documented. In this process there are various security considerations to take into account. The focus of this website is to provide a shortlist of these considerations, which will be expanded and regularly updated, published in the guide and via the blog. The main list looks as follows:

  1. development expertise
    1. security by design
    2. privacy by design
    3. platform considerations:
      1. pc - client application or web service only
      2. mobile
      3. other devices (IoT - surveillance cameras, ...)
    4. copy protection mechanisms
    5. authentication & identification
    6. sales process
    7. in-line commerce offerings
  2. deployment expertise: as a SaaS provider, your services will be offered online, 24 by 7, 365 days a year.
    1. host your own: you have your own infrastructure, which brings a whole set of other challenges to consider
      1. datacenter security
      2. physical security
      3. network security
      4. web application security
      5. virtualization security
      6. continuity and resilience
      7. intrusion detection
      8. incident response
      9. standardisation & certification
    2. private cloud: your datacenter is readily equipped to provide 24/7 online service, but engineered to connect to the public cloud for excess capacity when required
      1. identity and access management
      2. service authentication and application integrity
      3. tunneling
      4. service levels and availability
    3. public cloud: in case you don't have existing infrastructure, or if the cost of your infrastructure and maintenance is not in line with public offerings, you might consider heading directly to the cloud.
      1. the cloud offering differs between the various cloud service suppliers
      2. the security of the cloud provider differs
      3. in Europe there has been a baseline agreement between the various cloud providers, operators and organisations on providing a common Cloud Service Level Agreement, in the form of the Cloud Service Level Agreement Standardisation Guidelines:
  3. fulfillment expertise
  4. support and aftermarket service

And probably a series of further considerations, depending on the type of data you will be working with, such as:

  1. personal (private) data: data protection regulation and legislation applies, depending on the country where the application or service is active or hosted, and on which other partners and providers will be handling the data. The SaaS provider will be regarded as a Data Processor and will have to obtain the user's consent for the type of processing it intends to perform on the personal data.
  2. transactional monetary data: if the service requires the end user to provide his / her credit card information, and stores this data for later transactions, the payment information has to follow regulations such as PCI DSS in order to comply with payment services guidelines.

@Saasifisecured on Twitter