The Security Playbook for SaaS Startups
For most founders and CEOs of SaaS startups, security isn’t a top 3 priority. With funding, recruiting, and building a product higher on the to-do list, it’s hard to blame entrepreneurs for leaving network and data security to their technical team. While there isn’t a need for founders and CEOs to be security experts, the issue is critical enough now that they should have a decent handle on what to do and why. This article is aimed at being the security cheat sheet for busy entrepreneurs, and also a double check for the technical team to ensure that their foundation is solid.
Why Security Matters
Builds Customer Trust
Quite simply SaaS platforms store client data. So, clients are trusting that SaaS platforms have strong controls over the data, mitigating the chances of a security breach. Regardless of whether the data is considered PII (personally identifiable information) or not, every customer cares about their data and will hold your organization to a high standard.
Often, decisions for whether to purchase a SaaS platform or not can be derailed by poor security or lack of trust in a security program.
Required to Meet Compliance
If the customer’s faith in your security isn’t enough motivation to take security seriously, then governing bodies and regulatory commissions will greatly incent you to have a strong security program. New regulations such as GDPR, old standbys such as PCI and HIPAA’s Security Rule, and certifications such as ISO and SOC all require strong security controls within an organization. The truth is that as you grow and are successful, your customers will demand that you adhere to best security practices as well as compliance standards.
So, we know security is important, but as an entrepreneur, where do you start? If you aren’t on the technical side of the team, it’s often pretty difficult to figure out what the high impact items are to do and what isn’t worth it. With competing pressures of time/money versus ensuring security, how do you make the right trade-offs?
To answer those questions, we’ve developed a five layer model for SaaS security. Let’s start with the core (the identity), discuss how to protect it, and then move through the layers until we get to the outer shell (the network).
5 Layers of Security for SaaS Startups
1. Tightly Control Identities
Whether it is your customers’ passwords or your own team’s, having tight control over user accounts is job number one. As a SaaS solution, it’s likely you are storing end user accounts. The passwords for these accounts should never be stored in clear text or even encrypted. If they are encrypted that means there is a decryption key somewhere on your systems, and that’s a single point of massive failure. Instead, you should salt and one-way hash passwords. If you need help with this, there are open source algorithms (e.g. bcrypt) that can ensure you salt and one-way hash passwords.
While you are ensuring that your customers’ account are secure, you need to do the same with your internal users, especially your developers and ops folks – i.e. the people accessing your production systems. Enforce long, strong passwords, use SSH keys and multi-factor authentication (MFA) wherever possible, and tie it all together with an identity management platform like my company’s platform, Directory-as-a-Service®. There are other solutions available as well, including on-prem and open source identity providers.
- ✔ Salt and one-way hash all employees/contractor accounts.
- ✔ Use an identity provider to centralize end user accounts.
2. Encrypt All Data at Rest
All data outside of passwords should be encrypted at rest. Many database solutions already do this for you, so you’ll just need to confirm with your team that it has been enabled and that the encryption keys have been stored properly. In addition to your database, you should encrypt every laptop and desktop hard drive. With macOS® and Windows® both offering full disk encryption, you should make sure it is turned on for every machine. There are simple to use FDE management tools available to enforce this.
- ✔All storage systems you control should have data encrypted.
3. Multi-Factor Authentication Everywhere
Wherever possible, require MFA / 2FA. It should be required on everybody’s email account, especially since G Suite™ and Office 365™ both offer MFA capabilities. Don’t stop at email, though. Turn it on for your source code repository, AWS®, banking, and anywhere else you can. Ideally, you’d also have MFA for each person’s laptop or desktop. That along with FDE for your employees’ machines, is a tough combination for a hacker to beat.
- ✔ Make MFA mandatory on every system and application possible.
4. Lock Down Endpoints
Your end user’s laptop or desktop is the conduit to your more critical data and applications. Many organizations have bought into the concept that the endpoints don’t matter, so why spend time securing them? The problem is that they are the vehicle to access AWS, GitHub, Salesforce®, your internal file server, and more. A compromised endpoint can be absolutely catastrophic.
The good news is that you can quite easily lock down endpoints. Require an anti-malware solution on each system. Then, enforce some simple policies like screen saver lock, long passwords, and disable guest accounts, and you’ll be on your way. Control patching and updating of the OS and major applications centrally to ensure it is done. Ask your technical team if they can easily verify that all of that is in place. They should be able to effectively run a quick report for you to confirm that all is well there.
- ✔Find a tool or internal process to ensure every system is locked down.
5. Secure Your Networks
We’ll make the assumption that you have two networks – one at your data center or IaaS provider and one for your office network, most likely WiFi. Let’s take the example of an AWS infrastructure first. Use security groups heavily to lock down traffic coming inbound. Ideally, you’d have very little open to the outside world, and whatever is available requires strong authentication (see #1).
For the office network, similar to endpoints, some founders hold the viewpoint that there is nothing on the corporate network because everything is in the cloud. We would continue to advise you to not let your guard down. Yes, the office network might be as interesting as a Starbucks café’s. But, if somebody can get on, they can still see who else is on the network and potentially try to exploit a weakness. There really isn’t a reason not to lock down the WiFi network. It’s easy and fast to require each user to uniquely login to the WiFi network. (Note: a shared WiFi SSID and passphrase written on the conference room whiteboard does not count for a unique login.) For bonus points, you can segment the network so that the sales team isn’t on the same part of the network as the developers. Ask your technical team to consider RADIUS authentication, and they’ll run with it.
- ✔ Heavily leverage security groups/firewalls for your production network.
- ✔ For your office, require unique logins – no shared SSID and passphrase.
That’s it. Those five items will dramatically step-up your security game. In fact, we’d venture to bet that you’d be near the head of the class if all of those pieces were in place. But, don’t get us wrong. There are no doubt many other high value systems and processes that can be implemented. And, by no means was our list comprehensive. Think of it as a solid foundation to build upon.
Beyond the Buzzwords
In the world of information security, there are hundreds if not thousands of different companies and tools offering solutions that will purport to be the panacea to your problems. Many of them will be on the cutting edge, and perhaps, your technical team will be desirous of their solutions. In this article, we’ve steered away from the buzzwords and the fancy tools in favor of giving you a solid foundation without significant cost.
You may hear terms from your team such as “Defense in Depth,” “Zero Trust,” or “Perimeter-less” security. Truthfully, all of these models are useful, and if your team happens to like one, that’s probably just fine. What really matters is that the selected model does a good job of protecting the core artifacts of your infrastructure, and that your team executes on it.
This gets to an important truth: an organization’s security program can only be as good as the security hygiene of its employees.
That’s why we’re concluding with two other considerations: employee training and a security policy.
Conduct Regular Security Training
We’d suggest getting in the habit of doing a regular training with your entire team. Ask somebody on your technical team that is savvy about security and have them review good security practices and your own security policy with your entire company. We do our training every quarter, and you can see our suggestions here for what to train on.
Outline a Security Policy
You’ll also likely want to outline a clear policy around security for your team. We found that a plain spoken, direct approach worked much better than the legalese that nobody ever read. Just tell your team what you want them to do and not do, and why. You’d be surprised at how engaged your team will be.
Advice from a Fellow SaaS Startup CSO
Security for SaaS startups doesn’t have to be rocket science. But, you do need to devote real time and attention to it.
In the modern era of SaaS startups, security is an issue that you won’t be able to compromise on or ignore. Your revenue will depend on it.
Start with the basics and get those working at a high-level, and you’ll be surprised by how much you’ve reduced your risk and enabled your sales engine. For more information on what to include in your security strategy, register for our upcoming webinar where Mackey Craven and I will further discuss how you can lay a solid security foundation for your startup.