Here is an in-depth blog on data protection in SaaS applications: http://www.son.web.id/2007/08/16/securing-data-in-hosted-applications/

Although this article does not discuss securing the data transfer from the client to the server, it does go into quite a bit of depth on how to protect the data in the application database.

At e-LM we have a multi-tiered security strategy:

1. We use a 1024 bit security certificate signed by Thawte to authenticate our site.
2. We use 256 bit SSL encryption between the client and the server for all transactions. This includes login, page views and AJAX calls.
3. We use usernames to identify users and passwords to authenticate them.
4. At the server we use Access Control Lists (ACLs) to control exactly what each individual user can see and do in the system.
5. Our database is contained behind a second firewall.
6. We have a second warm-standby server as a fail-over should the main server have an unexpected outage.
7. Our servers are located in a secure hosting facility.
8. We have backup power supplies and also a diesel generator in case our mains power supply should go down.

With all these layers of security in place it is a wonder our authenticated users can get their own data out 🙂