While cloud computing is one of the top current trends in the IT industry, the pharmaceutical sector (where sensitive data is traditionally protected behind corporate firewalls) has concerns about cloud security. Setting aside the law and jurisdiction where data is held, if a SaaS (Software as a Service) vendor has evaluated the risks of cloud computing and implemented cloud security best practices, an application hosted in the cloud can be as secure as one hosted inside the corporate firewall. Irrespective of whether the service is offered as multi-tenant or private instances, security must be implemented at every layer of the SaaS application.
Although physical security is usually handled by the IaaS service provider, OS, network and application-level security need to be handled by the application architects. Below are some basic security best practices we implemented in one of our recent SaaS projects hosted on Amazon Web Services (AWS).
Secure your instances
AWS, for example, has this lovely firewall-like instance protection in the form of security groups, which are basically sets of rules that specify which traffic may reach the instance(s). The first thing to do is design security group(s) for the EC2 instances and permit or restrict communication on ports as required. For example, our instance running a web application in a Tomcat container is in a security group (say, the webapp security group) with only port 8080 open to the outside world. Our MySQL instance is in a security group (say, the mysql security group) with port 3306 open only to the instances in the webapp security group and all ports closed to others. Below is a picture from the AWS Security White Paper demonstrating protection at different tiers, which makes the application highly secure.
Image courtesy of Amazon Web Services Security White Paper
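One way to check that deployed security groups still match the webapp/mysql layout described above, as an added example that is not code from the original post. It assumes input in the JSON shape returned by `aws ec2 describe-security-groups`; the group IDs and both sample rule sets are constructed for illustration.

```python
# Added example: audit security groups against the two-tier layout in the text.
# Input uses the JSON shape returned by `aws ec2 describe-security-groups`.
# Group IDs and both sample data sets are constructed for illustration.
WORLD = {"0.0.0.0/0", "::/0"}

def port_span(perm):
    """(low, high) ports of a rule; IpProtocol "-1" means all traffic."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])

def audit(groups, web_sg, db_sg, web_port=8080, db_port=3306):
    """Return findings; an empty list means the layout matches the text."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            span = port_span(perm)
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            peers = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
            if gid == web_sg and cidrs & WORLD and span != (web_port, web_port):
                findings.append(f"{gid}: ports {span} open to the world")
            if gid == db_sg and cidrs:
                findings.append(f"{gid}: ports {span} open to CIDRs {sorted(cidrs)}")
            if gid == db_sg and peers - {web_sg}:
                findings.append(f"{gid}: ports {span} open to other groups")
            if gid == db_sg and peers and span != (db_port, db_port):
                findings.append(f"{gid}: extra ports {span} open to peers")
    return findings

def rule(port, cidrs=(), peers=()):
    """Build one constructed TCP ingress rule."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": p} for p in peers]}

WEB, DB = "sg-webapp-example", "sg-mysql-example"   # constructed IDs
GOOD = [{"GroupId": WEB, "IpPermissions": [rule(8080, cidrs=["0.0.0.0/0"])]},
        {"GroupId": DB, "IpPermissions": [rule(3306, peers=[WEB])]}]
BAD = [{"GroupId": WEB, "IpPermissions": [rule(8080, cidrs=["0.0.0.0/0"]),
                                          rule(22, cidrs=["0.0.0.0/0"])]},
       {"GroupId": DB, "IpPermissions": [rule(3306, cidrs=["0.0.0.0/0"])]}]

if __name__ == "__main__":
    for name, data in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(data, WEB, DB) or "matches the intended layout")
```

Run on a schedule or in CI against the live `describe-security-groups` output, a non-empty result indicates the groups have drifted from the intended design.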
Encrypt your data on the file system
If any sensitive data is stored on the instance file system or Amazon S3, it should be encrypted before being saved to the cloud. The application is responsible for obtaining the encryption key and decrypting the data before using it. Amazon S3's bucket-level or object-level access controls can also be used to prevent unauthorised access to the data.
Encrypt your data in transit
If any confidential data is being transferred between the application web-server and the user's browser, it must be encrypted using an SSL layer. SSL certificates are issued by an external certification authority like VeriSign or Entrust.
The above list is not exhaustive and varies hugely according to the needs and requirements of the service being developed. More information about AWS security and best practices can be found on the Amazon Web Services pages.