With funding, recruiting, and building a product often high up on their to-do lists, it’s hard to blame founders and CEOs of SaaS startups for leaving network and data security to their technical team. While founders and CEOs don’t need to be security experts, the issue is critical enough that they should have a decent handle on what to do and why. This article is meant to be the security cheat sheet for busy entrepreneurs, and also a double check for the technical team to ensure that their foundation is solid.
Why Security Matters
Customer Trust & Brand Reputation
Quite simply, SaaS platforms transact and store client data. So, clients are trusting that SaaS platforms have strong controls over their data, mitigating the chances of a security breach. This includes confidentiality, integrity, and availability, along with their close kin, resiliency and privacy. Regardless of whether the data is considered PII (personally identifiable information) or not, every customer cares about their data and will hold your organization accountable for the risk, security and privacy of that data. Building trust and rapport with your chosen SaaS partners is just that: a partnership. The diligence and trust expected has escalated since SolarWinds, and it extends beyond just your SaaS to its partners as well.
Often, a decision on whether to purchase a SaaS platform can be derailed by poor security, a lack of trust, opaque controls or a failure to meet compliance needs.
Required to Meet Compliance
If the customer’s faith in your security isn’t enough motivation to take security seriously, then governing bodies and regulatory commissions will greatly incentivize you to build a strong security program. Newer regulations such as GDPR, old standbys such as PCI and the HIPAA HITECH Act, and controls frameworks such as ISO and SOC all require strong security controls within an organization. The truth is that as you grow and succeed in the market, your customers will demand that you adhere to security best practices as well as compliance standards. In many cases, external validation of adherence to these best practices has become the benchmark of organizational security maturity.
So, we know security is important, but as an entrepreneur, where do you start? If you aren’t on the technical side of the team, it’s often pretty difficult to differentiate the high-impact items from passing trends and heavy lifts that aren’t worth the work. With the competing pressures of time and money versus ensuring security, how do you make the right trade-offs?
To answer those questions, we’ve developed a five-layer model for SaaS security. Let’s start with the core (the identity), discuss how to protect it, and then move through the layers until we get to the outer shell (the network).
5 Layers of Security for SaaS Startups
1. Tightly Control Identities
Maintaining tight control over accounts, whether end user, internal team, or machine identities, is job number one. As a SaaS solution, you likely store end user accounts for your customers, and you are likely to provision the entitlements for these accounts as well. The passwords for these accounts should be complex enough to discourage brute forcing (Google Workspace relies on 12 alphanumerics), rotated at a frequency that mitigates compromised-credential re-use, and never stored in clear text. Used in conjunction with MFA, this removes many of the largest threats today, but we’ll cover MFA in a bit.
In addition to securing customer accounts, you need to do the same for your internal users, especially your developers and ops folks, i.e. the people accessing your production systems, often at AWS, GCP, and/or Azure. Enforce long, strong passwords and follow password management best practices, use SSH keys and multi-factor authentication (MFA) wherever possible, and tie it all together with an identity management platform like my company’s cloud directory platform. There are other solutions available as well, including on-prem and open source identity providers.
Action Items:
- ✓ Securely create, store and rotate all employee and contractor account credentials based on least-privilege entitlements.
- ✓ Use an identity provider to centralize end user accounts, internal identities, and machine identities, and offer multiple means of authentication.
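As an added illustration of the three password requirements above (minimum complexity, rotation, never stored in clear text), here is example code that is not part of the original article or any vendor product. The 12-character minimum mirrors the Google Workspace figure cited above; the iteration count, the 90-day rotation window and the small denylist are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 12               # reference point: the 12-alphanumeric minimum cited above
PBKDF2_ITERATIONS = 200_000   # assumption; tune upward for your hardware
MAX_AGE_DAYS = 90             # assumption; rotation window for compromised-credential re-use
# Constructed sample denylist; production systems use a breached-password list instead.
COMMON_PASSWORDS = {"password1234", "123456789012", "qwertyuiop12"}


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    return problems


def hash_password(password: str) -> str:
    """Store only a random salt plus a PBKDF2-HMAC-SHA256 digest, never the clear text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def rotation_due(set_at: datetime, now: datetime) -> bool:
    """True when the credential is older than the rotation window."""
    return now - set_at > timedelta(days=MAX_AGE_DAYS)
```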
2. Multi-Factor Authentication Everywhere
Wherever possible, require MFA. It should be required on everybody’s email account, especially since Google Workspace and Microsoft 365 both offer MFA capabilities. Don’t stop at email or office services, though. Turn it on for your source code repository, AWS, banking, and anywhere else you can. Ideally, you’d also have MFA for each person’s laptop or desktop. That, along with full disk encryption (FDE) for your employees’ machines, is a tough combination for a hacker to beat. Many MFA solutions are getting easier and easier for end users, who can now just push a button on their phone to verify their identity.
Action Items:
- ✓ Make MFA mandatory on every system and application possible.
3. Lock Down Endpoints
Your end user’s laptop or desktop is the conduit to your more critical data and applications. Many organizations have bought into the idea that endpoints don’t matter, so why spend time securing them? The problem is that they are the vehicle for access to AWS, GitHub, Salesforce, internal file servers, production access in cloud accounts, web browsing, and more. A compromised endpoint can be absolutely catastrophic: an endpoint with a keylogger can record all of your passwords, which can lead to compromises throughout your infrastructure. Using Endpoint Detection and Response (EDR) software dramatically reduces the attack surface of endpoints when combined with all the aforementioned password requirements. Couple this with some simple policies like screen saver lock, password requirements, and disabling guest accounts, and you’ll be on your way. Control patching and updating of the OS and major applications centrally to prevent resources from becoming outdated. Ask your technical team whether they conduct and track updates regularly and can easily verify that all resources and systems are up to date; they should be able to run a quick report for you to confirm.
Action Items:
- ✓ Find a tool or internal process to ensure every system is locked down.
- ✓ Update your operating system and browser regularly.
4. Encrypt All Data at Rest
All data other than passwords should be encrypted at rest (passwords should be stored only as salted hashes, as discussed in #1). Many database solutions already do this for you, so you’ll just need to confirm with your team that it has been enabled and that the encryption keys have been stored properly. In addition to your database, you should encrypt every laptop and desktop hard drive. Sure, this is a compliance requirement under several frameworks, but make sure it is actually done. With macOS and Windows both offering full disk encryption, you should make sure it is turned on for every machine and securely store the individual recovery keys. 黑料海角91入口 can enforce this; if you’re not using 黑料海角91入口, check whether your MDM tool can do so.
Action Items:
- ✓ All storage systems you control should have their data encrypted.
5. Create Secure Connections That Extend to Remote Work
Thanks to its cost savings and productivity benefits, remote work is now a popular business model for many organizations, especially startups. Whether your business is fully remote, in the office, or a mix of the two, you need to secure all network connections and activity. Let’s take the example of AWS infrastructure first. Use security groups heavily to lock down inbound traffic. Ideally, you’d have very little open to the outside world, and whatever is exposed should require strong authentication (see #1).
For the office network, as with endpoints, some founders hold the view that there is nothing to secure on the corporate network because everything is in the cloud. We would still advise you not to let your guard down. Yes, the office network might be only as interesting as a Starbucks café’s. But if somebody can get on, they can still see who else is on the network and potentially try to exploit a weakness. There really isn’t a reason not to lock down the WiFi network. It’s easy and fast to require each user to log in to the WiFi network uniquely with an authentication protocol like cloud RADIUS. (Note: a shared WiFi SSID and passphrase written on the conference room whiteboard does not count as a unique login.)
Even better, you can segment the network so that the sales team isn’t on the same part of the network as the developers. IT teams can configure this with RADIUS based on directory-defined user groups.
For remote networks, companies historically created secure connections between remote devices and the central network. While this practice is still viable, some newer, more cloud-centric options can provide tighter security and are better oriented towards the modern cloud-first business environment. For example, cloud directory platforms use Zero Trust principles and secure authentication protocols like SAML, SCIM, OAuth, WebAuthn, and LDAP to connect users to their IT resources securely. This is a great modern option, especially for startups that are partially or fully remote, or plan on going remote in the future.
Action Items:
- ✓ Heavily leverage security groups/firewalls for your production network.
- ✓ For your office, require unique logins; no shared SSID and passphrase.
- ✓ Establish secure connections between remote users and all the IT resources they need, utilizing Zero Trust Security principles.
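The article asks you to have very little open to the outside world and to confirm this with your team. As an added example (not from the article or any vendor tool), the following report flags inbound security group rules that are open to the whole internet or that allow all protocols. The sample groups are constructed in the shape of the EC2 DescribeSecurityGroups response; the assumption that only port 443 may face the internet is a policy choice for the example.

```python
import ipaddress

# Constructed sample in the shape of EC2 DescribeSecurityGroups output (not real infrastructure).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]

PUBLIC_OK_PORTS = {443}   # assumption: only public HTTPS may be reachable from anywhere


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any network with a zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(groups: list) -> list:
    """Return (group id, group name, description) for each inbound rule broader than policy."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
            all_ports = proto == "-1" or lo is None      # "-1" means every protocol and port
            for cidr in cidrs:
                if all_ports:
                    findings.append((g["GroupId"], g["GroupName"], f"all protocols/ports from {cidr}"))
                elif is_world_open(cidr) and not (lo == hi and lo in PUBLIC_OK_PORTS):
                    findings.append((g["GroupId"], g["GroupName"], f"{proto}/{lo}-{hi} open to {cidr}"))
    return findings


def report(groups: list) -> str:
    """Plain-language summary a founder can read without touching the AWS console."""
    findings = audit_ingress(groups)
    if not findings:
        return "OK: no inbound rules exceed policy"
    return "\n".join(f"{gid} ({name}): {what}" for gid, name, what in findings)


if __name__ == "__main__":
    print(report(SAMPLE_GROUPS))
```

In a real audit the `SAMPLE_GROUPS` list would be replaced by the output of `describe_security_groups` from boto3 or `aws ec2 describe-security-groups`, which return the same field names.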
That’s it. Those five items will dramatically step up your security game. In fact, we’d venture to bet that you’d be near the head of the class if all of those pieces were in place. But don’t get us wrong: there are no doubt many other high-value systems and processes that can be implemented, and by no means is our list comprehensive. Think of it as a solid foundation to build upon.
Beyond the Buzzwords
In the world of information security, there are hundreds, if not thousands, of companies and tools offering solutions that purport to be the panacea for your problems. Many of them are on the cutting edge, and some may be a great fit for your startup. In this article, we’ve steered away from the buzzwords and the fancy tools in favor of giving you a solid foundation without significant cost.
You may hear terms from your team such as “Defense in Depth,” “Zero Trust,” or “Perimeter-less” security. Truthfully, all of these concepts are useful, and if your team happens to like one, that’s probably just fine. What really matters is that the selected model does a good job of protecting the core artifacts of your infrastructure, and that your team executes on it.
This gets to an important truth: an organization’s security program can only be as good as the security hygiene of its employees.
That’s why we’re concluding with two other considerations: employee training and a security policy.
Conduct Regular Security Training
We’d suggest getting in the habit of conducting regular training with your entire team. Ask somebody on your technical team who is savvy about security to review good security practices and your own security policy with the whole company. We do our training every quarter, and you can see for what to train on.
This is especially important for organizations with remote employees. With a decentralized workforce under less supervision than it would have in the office, establishing a strong security culture is critical to avoiding breaches caused by human error.
Outline a Security Policy
You’ll also likely want to outline a clear security policy for your team. We found that a plain-spoken, direct approach worked much better than the legalese that nobody ever read. Just tell your team what you want them to do and not do, and why. You’d be surprised at how engaged your team will be.
Advice from a Fellow SaaS Startup CISO
Security for SaaS startups doesn’t have to be rocket science. But you do need to devote real time and attention to it.
In the modern era of SaaS startups, security is an issue that you won’t be able to compromise on or ignore. Your revenue will depend on it.
Start with the basics and get those working at a high level, and you’ll be surprised by how much you’ve reduced your risk and enabled your sales engine. For more information on securing your startup, read our blog on securing your startup’s cloud infrastructure and applications.