A small clinic is moving its health and accounting systems to a SaaS solution. The clinic holds patient-specific information. Which action is MOST appropriate to protect its data?

Multiple Choice

Explanation:
In SaaS arrangements, reducing the attack surface at the service boundary is a primary way to protect sensitive data. Disabling unneeded ports and protocols on the SaaS servers directly limits how data can be accessed or exploited from the network, making it harder for an attacker to reach the application or move laterally. Documenting these decisions also supports compliance and audits, showing which endpoints are exposed and why, and provides a basis for ongoing monitoring and verification.

While strong account management and governance are important for safeguarding patient information, the most immediate and impactful protection in a SaaS context is to minimize the network exposure of the service itself. Hardened infrastructure and antivirus protections are typically managed by the provider, and while important, do not give you as much direct control over the data’s attack surface as restricting the active ports and protocols does.
