Here is an in-depth blog post on data protection in SaaS applications: http://www.son.web.id/2007/08/16/securing-data-in-hosted-applications/
Although this article does not discuss securing the data transfer from the client to the server, it does go into quite a bit of depth on how to protect the data in the application database.
At e-LM we have a multi-tiered security strategy:
- We use a 1024-bit security certificate signed by Thawte to authenticate our site.
- We use 256-bit SSL encryption between the client and the server for all transactions. This includes login, page views and AJAX calls.
- We use usernames to identify users and passwords to authenticate them.
- At the server we use Access Control Lists (ACLs) to control exactly what each individual user can see and do in the system.
- Our database sits behind a second firewall.
- We have a second warm-standby server as a fail-over should the main server have an unexpected outage.
- Our servers are located in a secure hosting facility.
- We have backup power supplies and also a diesel generator in case our mains power supply should go down.
With all these layers of security in place it is a wonder our authenticated users can get their own data out 🙂