Strengthening SaaS Security with Virtual Private Clouds (VPCs)

In this blog post, let’s explore how SaaS providers can leverage VPCs to create isolated network environments, safeguard customer data, and enhance compliance with data privacy regulations.

Let’s say I developed a SaaS tool for healthcare providers. The tool is for managing administrative tasks, appointment scheduling, updating patient medical records, and patient billing - one place to streamline all of the patient management. I have thousands of customers globally using this tool. However, I need to make sure that patient data is secure, compliant with HIPAA, and only accessible to the applicable staff and doctors for that specific customer. For example, a chiropractor’s office in Los Angeles uses my SaaS tool, and a dermatologist’s office in New York is also a customer of mine. These two healthcare providers should not be able to access each other’s data, nor should they even know about each other. Each healthcare provider trusts my SaaS tool to manage their day-to-day operations efficiently. However, with sensitive patient data at stake, it's imperative to safeguard this information and ensure that it remains accessible only to authorized personnel within each organization. To do this, let's dig into the capabilities of VPCs and illustrate how you can safeguard patient privacy, maintain regulatory compliance, and instill trust and confidence in your healthcare SaaS platform among both providers and patients.

Why using a VPC is better than a VPN or VLAN

Let’s take a look at how we would secure our healthcare app. SaaS providers typically operate multi-tenant environments where multiple customers share the same underlying hardware. In the healthcare management example above, various healthcare providers, ranging from small clinics to large medical facilities, access the SaaS platform to streamline their administrative tasks, manage appointment schedules, and handle patient billing. While this shared model offers cost-efficiency and scalability benefits, it also introduces security challenges, particularly concerning data isolation and access control.

There are a few options here for network security. Let’s compare a VPN, a VLAN, and a VPC against this architecture. They are not interchangeable tools: a VPN protects a path, a VLAN segments a local network, and a VPC gives each tenant its own private network in the cloud.

If we use a VPN for network security, we’d be able to provide secure remote access to healthcare resources. Whether it's accessing electronic health records (EHR), collaborating on patient care plans, or communicating with colleagues, healthcare professionals can rely on a VPN to keep those interactions confidential and tamper-evident in transit. What a VPN does not do is isolate one customer from another: every VPN user lands on the same internal network, so tenant separation still has to come from somewhere else. A VPN also extends the organization's network perimeter to whatever device connects, including personal laptops, tablets, and smartphones. While this enables seamless connectivity for remote workers, it exposes internal resources to whatever is running on those devices, so organizations must protect the VPN endpoints themselves with strong authentication, patching, device posture checks, and access controls, all of which add operational cost. And although a VPN can provide secure remote access to the healthcare app, most of the time the app users (doctors, nurses, staff) will be in the office and not remote, so a VPN solves a problem we mostly don’t have.

If we use VLANs, we can segment traffic at Layer 2 by department or functional group. For example, you might allocate VLAN 10 for administrative staff and VLAN 20 for nurses, doctors, and physician assistants, so that administrative staff can reach patient billing and appointments but not medications or other highly sensitive patient information. VLANs are a poor fit for a multi-tenant SaaS platform, though. A VLAN ID is 12 bits, which leaves 4,094 usable VLANs per switching domain, so one VLAN per customer does not scale to thousands of customers. Adding new VLANs or expanding existing ones also means touching switches, routers, and trunk configuration, with careful planning to avoid network congestion and performance issues. And a VLAN only separates broadcast domains: it gives you no encryption, no audit logging, and no geographic control over where data lives, so on its own it cannot address those aspects of HIPAA or GDPR compliance, and you may struggle to demonstrate compliance to regulatory authorities or face penalties for non-compliance. In a healthcare environment, VLANs alone just won’t work.

If we use a VPC, we’d place each tenant’s virtual machines inside their own VPC. A VPC is a private, software-defined network: we define its address range and subnets, control which resources can reach which, and keep traffic between our VMs off the public internet. Within each VPC, we’d add cloud firewalls to control inbound and outbound traffic to our virtual machines and resources. Firewalls allow us to define and enforce granular rules based on source and destination IP addresses, ports, and protocols, with a default-deny posture for anything not explicitly allowed. Because the chiropractor’s database lives on a network the dermatologist’s servers cannot even route to, a cross-tenant request never reaches it, which is a far stronger guarantee than an application-level filter alone, and it gives auditors a concrete boundary to inspect. Two caveats: the VPC isolates at the network layer, so any code path that serves several tenants from one process still has to enforce tenant scoping itself; and encryption at rest is a property of the storage volumes and databases, not of the VPC, and has to be enabled separately (more on that below).
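To make the default-deny, per-tenant firewall posture concrete, here is an added example (my own illustration, not Akamai’s code or the platform’s API) that models inbound rules for each tenant’s database subnet and evaluates sample flows against them. The tenant names, CIDR ranges, the two-subnet (app, db) layout per VPC, and the PostgreSQL port are all constructed assumptions; real cloud firewalls differ in syntax but share the first-match, default-policy semantics shown here.

```python
"""Per-tenant VPC firewall model: default-deny, first-match rule evaluation.

Added example, not Akamai's code. The tenant CIDRs, subnets and rules below
are constructed for illustration and assume a two-subnet (app, db) layout
per tenant VPC.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str            # "ACCEPT" or "DROP"
    protocol: str          # "TCP", "UDP", "ICMP" or "ANY"
    ports: tuple           # inclusive (low, high); (0, 65535) matches any port
    sources: tuple         # source CIDRs this rule applies to


@dataclass(frozen=True)
class Flow:
    src_ip: str
    protocol: str
    dst_port: int


def evaluate(rules, flow, default="DROP"):
    """Return the verdict for one inbound flow.

    Rules are matched in order; the first rule whose protocol, port range
    and source CIDR all match decides. Anything unmatched falls through to
    the default policy, which should always be DROP for a database tier.
    """
    src = ipaddress.ip_address(flow.src_ip)
    for rule in rules:
        if rule.protocol not in ("ANY", flow.protocol):
            continue
        low, high = rule.ports
        if not low <= flow.dst_port <= high:
            continue
        if any(src in ipaddress.ip_network(cidr) for cidr in rule.sources):
            return rule.action
    return default


def tenant_rules(app_subnet):
    """Inbound rules for one tenant's database servers: only that tenant's
    own app subnet may open PostgreSQL connections; nothing else gets in."""
    return (
        Rule("ACCEPT", "TCP", (5432, 5432), (app_subnet,)),
    )


def overly_broad(rules, public_ports=frozenset({80, 443})):
    """Flag ACCEPT rules that admit the whole internet on a non-public port.
    A practitioner runs this over every tenant's rule set before deploying."""
    findings = []
    for rule in rules:
        if rule.action != "ACCEPT":
            continue
        world = any(ipaddress.ip_network(c).prefixlen == 0 for c in rule.sources)
        low, high = rule.ports
        if world and not (low == high and low in public_ports):
            findings.append(rule)
    return findings


# Constructed tenant layout: one VPC per customer, with app and db subnets.
TENANTS = {
    "la-chiro": {"app": "10.10.1.0/24", "db": "10.10.2.0/24"},
    "ny-derm":  {"app": "10.20.1.0/24", "db": "10.20.2.0/24"},
}
DB_RULES = {name: tenant_rules(nets["app"]) for name, nets in TENANTS.items()}


def isolation_report():
    """Exercise the LA tenant's db rules with same-tenant, cross-tenant,
    wrong-port and internet-sourced flows."""
    la_app, ny_app = "10.10.1.7", "10.20.1.5"
    return {
        "la_app_to_la_db":   evaluate(DB_RULES["la-chiro"], Flow(la_app, "TCP", 5432)),
        "ny_app_to_la_db":   evaluate(DB_RULES["la-chiro"], Flow(ny_app, "TCP", 5432)),
        "la_app_ssh_to_db":  evaluate(DB_RULES["la-chiro"], Flow(la_app, "TCP", 22)),
        "internet_to_la_db": evaluate(DB_RULES["la-chiro"], Flow("203.0.113.9", "TCP", 5432)),
    }


if __name__ == "__main__":
    for name, verdict in isolation_report().items():
        print(f"{name:20} {verdict}")
    # A rule that opens the database port to 0.0.0.0/0 is the classic mistake.
    bad = Rule("ACCEPT", "TCP", (5432, 5432), ("0.0.0.0/0",))
    print("overly broad:", overly_broad((bad,)))
```

Only the LA app subnet reaches the LA database; the NY app subnet, SSH from the app tier, and any public address all fall through to the default DROP. The `overly_broad` check is the kind of pre-deploy lint worth running over every tenant’s rule set, since a single world-open database rule undoes the isolation the VPC provides.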

VPCs also enable SaaS providers to create isolated network environments for each customer or group of customers. Within their dedicated VPC, each customer's data and resources are logically separated from those of other tenants, ensuring that sensitive information remains segregated and protected from unauthorized access or interference.

Here’s how I would secure my healthcare app with VPCs: I would create a dedicated VPC for each healthcare provider, ensuring that their data and resources are logically separated from other tenants.

The chiropractor’s office in Los Angeles has their own VPC, and the dermatologist in New York has their own VPC. Within each VPC, I would configure custom network settings, including separate subnets for the application tier and the database tier, so the database is reachable only from that tenant’s application servers and never from the internet. With thousands of customers, creating these per-tenant VPCs by hand is not realistic, so provisioning is scripted and every tenant gets the same baseline layout and firewall rules. This network isolation ensures that patient data remains segregated and protected from unauthorized access, thereby minimizing the risk of data breaches or privacy violations. Access to patient records and sensitive healthcare information is then further restricted, within the application, to authorized personnel in that specific healthcare provider's organization, based on predefined roles and permissions. That means that for my application, a doctor’s office in Los Angeles will not be able to see or access data from a doctor’s office in New York. They are two separate entities, two separate customers, each on their own VPC.

VPCs also enable SaaS companies to have granular network access controls. You can define security groups, network access control lists (ACLs), and cloud firewall rules that regulate inbound and outbound traffic by IP address, port, and protocol: the database subnet accepts connections only from the application subnet, the application subnet accepts HTTPS only from the load balancer, and nothing accepts SSH from the internet. What these controls cannot do is tell a front-office administrator apart from a clinician, since both reach the same application server over the same port. So the finer-grained rules in my healthcare app, such as patient billing being visible only to office administrators or vaccination records only to a parent or legal guardian, are enforced in the application's own authorization layer, keyed on the authenticated user's tenant and role. The network controls and the application checks are two separate layers, and a HIPAA-grade design needs both.
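The application-layer half of that picture, as an added example that is not part of the original post or Akamai’s code: a record lookup that trusts the VPC for isolation and so leaks across tenants, beside the hardened lookup that scopes every request to the caller’s tenant and role. The users, record IDs, role names, and the in-memory record store are constructed for illustration.

```python
"""Tenant-scoped authorization at the application layer.

Added example, not Akamai's code. Users, records and roles are constructed
for illustration; the point is that this check runs on every request even
though each tenant already sits in its own VPC.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised for any request the caller is not allowed to complete."""


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str
    role: str          # "admin" (front office) or "clinician"


@dataclass(frozen=True)
class Record:
    record_id: str
    tenant_id: str
    kind: str          # "billing", "appointment" or "clinical"
    body: str


# Which record kinds each role may read. Front-office admins never see
# clinical data; clinicians never see billing.
ROLE_PERMISSIONS = {
    "admin": frozenset({"billing", "appointment"}),
    "clinician": frozenset({"clinical", "appointment"}),
}

# Constructed sample store: two tenants, record IDs are globally unique.
RECORDS = {
    "rec-1001": Record("rec-1001", "la-chiro", "billing", "LA invoice #4471"),
    "rec-1002": Record("rec-1002", "la-chiro", "clinical", "LA spinal adjustment notes"),
    "rec-2001": Record("rec-2001", "ny-derm", "billing", "NY invoice #0088"),
}


def get_record_insecure(record_id):
    """The 'before': relies on the VPC for isolation and looks records up by
    ID alone. Any authenticated user who guesses an ID reads another tenant's
    data, because the request never has to cross a network boundary."""
    return RECORDS[record_id]


def get_record(user, record_id):
    """The 'after': scope to the caller's tenant first, then check the role."""
    record = RECORDS.get(record_id)
    # Same response for 'does not exist' and 'belongs to another tenant', so
    # a caller cannot enumerate which IDs are valid across tenants.
    if record is None or record.tenant_id != user.tenant_id:
        raise Forbidden("record not found")
    if record.kind not in ROLE_PERMISSIONS.get(user.role, frozenset()):
        raise Forbidden("role may not read this record kind")
    return record


def try_read(user, record_id):
    """Return the record body, or the refusal reason, for one request."""
    try:
        return get_record(user, record_id).body
    except Forbidden as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    la_admin = User("u1", "la-chiro", "admin")
    la_doc = User("u2", "la-chiro", "clinician")
    print(try_read(la_admin, "rec-1001"))        # LA admin reads LA billing
    print(try_read(la_admin, "rec-2001"))        # cross-tenant: denied
    print(try_read(la_doc, "rec-1001"))          # wrong role: denied
    print(get_record_insecure("rec-2001").body)  # the leak the hardened version closes
```

The tenant check comes before the role check on purpose: a request for another tenant’s record should look identical to a request for a nonexistent one, so neither error message nor timing tells a caller which IDs exist elsewhere.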

Encryption and Compliance

In addition to network isolation and access control, SaaS providers must implement encryption mechanisms within the VPC to protect data in transit and at rest. This additional layer of security ensures that sensitive information remains confidential and inaccessible to unauthorized parties, thereby bolstering data privacy and compliance with regulatory standards.

When data is transmitted between users and the SaaS platform, it traverses the public internet, where it can be intercepted or eavesdropped on by malicious actors. A VPC does not encrypt this traffic by itself; what protects it is TLS, terminated at the platform's load balancer or application tier, so that anything captured along the way is unreadable without the session keys. Inside the VPC, traffic between the application and database tiers stays on the private network, but it is still good practice (and for some auditors a requirement) to run those connections over TLS as well, so that a compromised neighbour on the same network cannot read them.

Similarly, data stored within the SaaS platform's storage infrastructure is vulnerable to unauthorized access or breaches if adequate security measures are not in place. Encrypting the block storage volumes and database files at rest ensures that data remains protected even if the underlying physical disks are decommissioned, removed, or otherwise compromised. Two details matter for this to hold: the encryption keys must be held somewhere other than the disks they protect (a key management service, not a file on the same volume), and using a separate key per tenant means that a compromised or mis-shared key exposes one customer's records rather than everyone's.

For example, the customers using my healthcare SaaS app can rest easy knowing their patient information is encrypted. Within the VPC environment, sensitive patient data, such as current medications, billing information, and medical history, should be encrypted to ensure confidentiality and compliance with healthcare regulations. Each piece of sensitive information is encrypted before transmission or storage, thereby reducing the risk of data breaches and enhancing trust in the SaaS platform's security practices.

This proactive approach to security not only enhances data privacy and compliance but also strengthens the overall integrity and trustworthiness of the SaaS platform.

To VPC or not to VPC? That is the question.

Now, let’s compare this architecture to the same healthcare app without a VPC, with every tenant’s VMs on one shared network. Data security instantly becomes more challenging. How would we ensure that one doctor’s office can never reach another’s database? We would have to rely entirely on host-based firewalls, access control lists on individual servers, and correct tenant checks in application code, with no network boundary as a backstop if any of those is misconfigured. That can be acceptable for non-sensitive data, but with patient records, medical histories, and billing information at stake, a single missing check becomes a reportable breach. Without a private network, traffic between our own tiers also rides the public internet, which widens exposure to interception and eavesdropping. And meeting stringent regulatory standards such as HIPAA becomes harder when there is no per-tenant network to point to and no single place to audit which flows are permitted; compliance efforts are hindered by the lack of visibility and control inherent in a flat, shared architecture.

In contrast, SaaS applications that use VPCs, especially ones dealing with sensitive information, benefit from a heightened level of security, control, and compliance capability. From enhanced isolation and granular control to advanced security measures and streamlined compliance efforts, the benefits of leveraging a VPC are substantial.

Conclusion

VPCs play a crucial role in enhancing security and compliance for SaaS providers and their customers. By leveraging VPCs to create isolated network environments, SaaS providers can safeguard customer data, enforce access controls, and demonstrate compliance with data privacy regulations. SaaS providers can also utilize VPCs for security to deliver secure and reliable services to customers worldwide.

More Resources

Connect with the Akamai team and fellow users in the Akamai VPC discussion group dedicated to our VPC feature (sign up if you’re not a member).

You can also check out our VPC documentation for more information and help getting started.

Thanks for reading! For all things cloud, follow me, subscribe to my newsletter, and follow me on Twitter!