With funding, recruiting, and building a product often high up on their to-do lists, it’s hard to blame founders and CEOs of SaaS startups for leaving network and data security to their technical team. While there isn’t a need for founders and CEOs to be security experts, the issue is critical enough that they should have a decent handle on what to do and why. This article is aimed at being the security cheat sheet for busy entrepreneurs, and also a double check for the technical team to ensure that their foundation is solid.
Why Security Matters
Customer Trust & Brand Reputation
Quite simply, SaaS platforms transact and store client data. So, clients are trusting that SaaS platforms have strong controls over their data, mitigating the chances of a security breach. This includes confidentiality, integrity, availability, and close kin resiliency and privacy. Regardless of whether the data is considered PII (personally identifiable information) or not, every customer cares about their data and will hold your organization accountable for the risk, security and privacy of their data. Building trust and rapport with your chosen SaaS partners is just that — a partnership. The diligence and trust has escalated since Solar Winds, and extends beyond just your SaaS, but their partners as well.
Often, decisions for whether to purchase a SaaS platform or not can be derailed by poor security, a lack of trust, opaque controls or a failure to meet compliance needs.
Required to Meet Compliance
If the customer’s faith in your security isn’t enough motivation to take security seriously, then governing bodies and regulatory commissions will greatly incent you to build a strong security program. Newer regulations such as GDPR, old standbys such as PCI and the HIPAA HITECH Act, and controls frameworks such as ISO and SOC all require strong security controls within an organization. The truth is that as you grow and succeed in the market, your customers will demand that you adhere to best security practices as well as compliance standards. In many cases, an external validation of adherence to these best practices has become the benchmark of organizational security maturity.
So, we know security is important, but as an entrepreneur, where do you start? If you aren’t on the technical side of the team, it’s often pretty difficult to differentiate the high impact items from passing trends and heavy lifts that aren’t worth the work. With competing pressures of time and money versus ensuring security, how do you make the right trade-offs?
To answer those questions, we’ve developed a five-layer model for SaaS security. Let’s start with the core (the identity), discuss how to protect it, and then move through the layers until we get to the outer shell (the network).
5 Layers of Security for SaaS Startups
1. Tightly Control Identities
Maintaining tight control over accounts — whether end user, internal team, or machine identities — is job number one. As a SaaS solution, you likely store end user accounts for your customers, and you are likely to provision the entitlements for these accounts as well. The passwords for these accounts should be complex enough to discourage brute forcing (Google Workspace relies on 12 alphanumerics), rotated at a frequency to mitigate compromise credential re-use, and never be stored in clear text. This takes away much of the largest threats today when used in conjunction with MFA, but we’ll cover that in a bit.
In addition to securing customer accounts, you need to do the same with your internal users, especially your developers and ops folks — i.e. the people accessing your production systems, often at AWS, GCP, and/or Azure. Enforce long, strong passwords, use SSH keys and multi-factor authentication (MFA) wherever possible, and tie it all together with an identity management platform like my company’s cloud directory platform. There are other solutions available as well, including on-prem and open source identity providers.
- ✔ Securely create, store and rotate all employee and contractor account credentials based on least privilege entitlements.
- ✔ Use an identity provider to centralize end user accounts, internal identities, and machine identities, and offer multiple means of authentication.
2. Multi-Factor Authentication Everywhere
Wherever possible, require MFA. It should be required on everybody’s email account, especially since Google Workspace and Microsoft 365 both offer MFA capabilities. Don’t stop at email or office services, though. Turn it on for your source code repository, AWS, banking, and anywhere else you can. Ideally, you’d also have MFA for each person’s laptop or desktop. That, along with FDE for your employees’ machines, is a tough combination for a hacker to beat. Many MFA solutions are getting easier and easier for end users as they can now just push a button on their phone to verify their identity.
- ✔ Make MFA mandatory on every system and application possible.
3. Lock Down Endpoints
Your end user’s laptop or desktop is the conduit to your more critical data and applications. Many organizations have bought into the concept that the endpoints don’t matter, so why spend time securing them? The problem is that they are the vehicle to access AWS, GitHub, Salesforce, internal file servers, production access in cloud accounts, web browsing, and more. A compromised endpoint can be absolutely catastrophic. An endpoint with a keylogger can record all of your passwords which can lead to compromises throughout your infrastructure. Using Endpoint Detection and Response software (EDR) dramatically reduces the surface area of attack for endpoints in conjunction with all the aforementioned password requirements. Couple this with some simple policies like screen saver lock, password requirements, and disabling guest accounts, and you’ll be on your way. Control patching and updating of the OS and major applications centrally to prevent resources from becoming outdated. Ask your technical team if they conduct and track updates regularly and can easily verify that all resources and systems are up to date; they should be able to run a quick report for you to confirm.
- ✔Find a tool or internal process to ensure every system is locked down.
- ✔Update your operating system and browser regularly
4. Encrypt All Data at Rest
All data outside of passwords should be encrypted at rest. Many database solutions already do this for you, so you’ll just need to confirm with your team that it has been enabled and that the encryption keys have been stored properly. In addition to your database, you should encrypt every laptop and desktop hard drive. Sure, this is a compliance requirement under several frameworks, but make sure this is done. With macOSand Windows both offering full disk encryption, you should make sure it is turned on for every machine and securely store individual recovery keys. JumpCloud can enforce this; if you’re not using JumpCloud, check whether your MDM tool can do so.
- ✔All storage systems you control should have data encrypted.
5. Create Secure Connections That Extend to Remote Work
Due to its cost savings, productivity benefits, and proven success for many organizations, remote work is now a popular business model — especially for startups. Whether your business model is fully remote, in the office, or a mix of the two, you need to secure all network connections and activity. Let’s take the example of AWS infrastructure first. Use security groups heavily to lock down traffic coming inbound. Ideally, you’d have very little open to the outside world, and whatever is available requires strong authentication (see #1).
For the office network, similar to endpoints, some founders hold the viewpoint that there is nothing to secure on the corporate network because everything is in the cloud. We would continue to advise you to not let your guard down. Yes, the office network might be as interesting as a Starbucks café’s. But, if somebody can get on, they can still see who else is on the network and potentially try to exploit a weakness. There really isn’t a reason not to lock down the WiFi network. It’s easy and fast to require each user to uniquely login to the WiFi network with an authentication protocol like RADIUS. (Note: a shared WiFi SSID and passphrase written on the conference room whiteboard does not count for a unique login).
Even better, you can segment the network so that the sales team isn’t on the same part of the network as the developers. IT teams can configure VLANs based on directory-defined user groups with RADIUS.
For remote networks, companies historically used VPNs to create secure connections between remote devices and the central network. While this practice is still viable, some newer, more cloud-centric options can provide tighter security and are better oriented towards the modern cloud-first business environment. For example, cloud directory platforms use Zero Trust principles and secure authentication protocols like SAML, SCIM, Oauth, WebAuthn, and LDAP to connect users to their IT resources securely. This is a great modern option, especially for startups that are partially or fully remote, or plan on going remote in the future.
- ✔ Heavily leverage security groups/firewalls for your production network.
- ✔ For your office, require unique logins – no shared SSID and passphrase.
- ✔Establish secure connections between remote users and all the IT resources they need utilizing Zero Trust Security principles.
That’s it. Those five items will dramatically step-up your security game. In fact, we’d venture to bet that you’d be near the head of the class if all of those pieces were in place. But, don’t get us wrong. There are no doubt many other high value systems and processes that can be implemented. And, by no means was our list comprehensive. Think of it as a solid foundation to build upon.
Beyond the Buzzwords
In the world of information security, there are hundreds, if not thousands, of different companies and tools offering solutions that will purport to be the panacea to your problems. Many of them will be on the cutting edge, and some may be a great fit for your startup. In this article, we’ve steered away from the buzzwords and the fancy tools in favor of giving you a solid foundation without significant cost.
You may hear terms from your team such as “Defense in Depth,” “Zero Trust,” or “Perimeter-less” security. Truthfully, all of these concepts are useful, and if your team happens to like one, that’s probably just fine. What really matters is that the selected model does a good job of protecting the core artifacts of your infrastructure, and that your team executes on it.
This gets to an important truth: an organization’s security program can only be as good as the security hygiene of its employees.
That’s why we’re concluding with two other considerations: employee training and a security policy.
Conduct Regular Security Training
We’d suggest getting in the habit of conducting regular training with your entire team. Ask somebody on your technical team that is savvy about security to review good security practices and your own security policy with your entire company. We do our training every quarter, and you can see our suggestions here for what to train on.
This is especially important for organizations with remote employees. With a decentralized workforce under less supervision than they would be in office, establishing a strong security culture is critical to avoiding breaches caused by human error.
Outline a Security Policy
You’ll also likely want to outline a clear policy around security for your team. We found that a plain spoken, direct approach worked much better than the legalese that nobody ever read. Just tell your team what you want them to do and not do, and why. You’d be surprised at how engaged your team will be.
Advice from a Fellow SaaS Startup CISO
Security for SaaS startups doesn’t have to be rocket science. But, you do need to devote real time and attention to it.
In the modern era of SaaS startups, security is an issue that you won’t be able to compromise on or ignore. Your revenue will depend on it.
Start with the basics and get those working at a high level, and you’ll be surprised by how much you’ve reduced your risk and enabled your sales engine. For more information on securing your startup, read our blog on securing your startup’s cloud infrastructure and applications.