{"id":26388,"date":"2021-07-01T12:45:00","date_gmt":"2021-07-01T16:45:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?page_id=26388"},"modified":"2023-06-15T13:36:49","modified_gmt":"2023-06-15T17:36:49","slug":"security-saas-startups-guide-founders-ceos","status":"publish","type":"resource","link":"https:\/\/jumpcloud.com\/resources\/security-saas-startups-guide-founders-ceos","title":{"rendered":"The Security Playbook for SaaS Startups"},"content":{"rendered":"

With funding, recruiting, and building a product high on their to-do lists, it\u2019s hard to blame founders and CEOs of SaaS startups for leaving network and data security to their technical team. Founders and CEOs don\u2019t need to be security experts, but the issue is critical enough that they should have a decent handle on what to do and why. This article is meant to be a security cheat sheet for busy entrepreneurs, and a double check for the technical team that their foundation is solid.<\/span><\/p>\n\n

\n
\"Remotely<\/figure><\/div>\n\n\n

Why Security Matters<\/h2>\n\n\n\n

Customer Trust & Brand Reputation<\/h3>\n\n\n
\n
\"Why<\/figure><\/div>\n\n\n

Quite simply, SaaS platforms transact and store client data, so clients are trusting that the platform has strong controls over that data and has reduced the chance of a breach. Those controls cover confidentiality, integrity, and availability, together with their close kin, resiliency and privacy. Regardless of whether the data is considered PII (personally identifiable information), every customer cares about their data and will hold your organization accountable for its risk, security, and privacy. Building trust and rapport with your chosen SaaS partners is just that, a partnership. Since the SolarWinds compromise, customer diligence has escalated, and it now extends beyond your SaaS itself to the partners and suppliers it depends on.<\/p>\n\n\n\n

Purchasing decisions for a SaaS platform are often derailed by poor security, a lack of trust, opaque controls, or a failure to meet compliance needs.<\/em><\/p>\n\n\n\n

Required to Meet Compliance<\/h3>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n

If your customers\u2019 faith in your security isn\u2019t motivation enough to take it seriously, governing bodies and regulators will strongly incentivize you to build a security program. Newer regulations such as GDPR<\/a>, old standbys such as PCI DSS<\/a> and HIPAA\/HITECH<\/a>, and control frameworks such as ISO<\/a> (most commonly ISO\/IEC 27001) and SOC 2 all require strong security controls within an organization. As you grow and succeed in the market, your customers will demand that you adhere to security best practices as well as compliance standards, and in many cases an external audit or certification attesting to those practices has become the benchmark of organizational security maturity.<\/p>\n\n\n\n

So, we know security is important, but as an entrepreneur, where do you start? If you aren\u2019t on the technical side of the team, it\u2019s often pretty difficult to differentiate the high impact items from passing trends and heavy lifts that aren\u2019t worth the work. With competing pressures of time and money versus ensuring security, how do you make the right trade-offs?<\/strong><\/p>\n\n\n\n

To answer those questions, we\u2019ve developed a five-layer model for SaaS security. Let\u2019s start with the core (the identity), discuss how to protect it, and then move through the layers until we get to the outer shell (the network).<\/strong><\/p>\n\n\n\n

5 Layers of Security for SaaS Startups<\/strong><\/h2>\n\n\n\n

1. Tightly Control Identities<\/strong><\/h3>\n\n\n
\n
\"Directory-as-a-Service\"<\/figure><\/div>\n\n\n

Maintaining tight control over accounts, whether end user, internal team, or machine identities, is job number one. As a SaaS solution, you likely store end user accounts for your customers and provision the entitlements for those accounts as well. Their passwords should be long enough to make brute forcing impractical (Google Workspace, for example, relies on a 12-character alphanumeric minimum), screened against lists of known-breached passwords so that credentials reused from another breach are rejected, reset on evidence of compromise (current NIST guidance in SP 800-63B advises against forcing arbitrary periodic changes), and never stored in clear text: keep only a salted, deliberately slow hash (bcrypt, scrypt, Argon2, or PBKDF2) so that a leaked database does not hand attackers the passwords themselves. Combined with MFA, which we cover below, this removes much of the exposure to credential stuffing and brute forcing, the most common account-takeover threats today.<\/p>\n\n\n\n
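As an added illustration of the password handling described above (example code written for this edit, not JumpCloud\u2019s code or any product\u2019s implementation), the following Python uses only the standard library: it enforces a 12-character minimum, rejects passwords from a small constructed sample breach list, persists only a salted PBKDF2-HMAC-SHA256 record, verifies in constant time, and flags records that were hashed with weaker-than-current parameters so they can be upgraded at next login. The breach sample, the iteration count, and the record format are assumptions for the example; in production you would screen against a real breach corpus and would usually prefer Argon2 or bcrypt via a third-party library.<\/p>\n\n\n\n

```python
"""Customer-account password handling: policy check, breached-password screen,
salted slow hashing, constant-time verification, and cost-parameter upgrades.
Standard library only. The breach sample, iteration count and storage format
are assumptions made for this example, not anything from the article."""
import hashlib
import hmac
import os
from typing import Optional

MIN_LENGTH = 12                 # the 12-character baseline mentioned in the text
PBKDF2_ITERATIONS = 600_000     # OWASP (2023) minimum for PBKDF2-HMAC-SHA256
ALGORITHM = "pbkdf2_sha256"

# Constructed sample of passwords seen in public breaches. A real deployment
# would screen against a breach corpus (e.g. the HIBP k-anonymity API) instead.
# Kept as SHA-256 digests so the screen list is not itself a plaintext dictionary.
_BREACHED_DIGESTS = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("password1234", "Welcome2021!", "qwertyuiop12")
}


def policy_violation(password: str) -> Optional[str]:
    """Return the reason a candidate password is rejected, or None if acceptable."""
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if hashlib.sha256(password.encode()).hexdigest() in _BREACHED_DIGESTS:
        return "appears in a known-breach list"
    return None


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$hash_hex'.

    A fresh 16-byte random salt per password defeats precomputed tables, and the
    iteration count makes every guess expensive for an attacker holding the DB.
    The plaintext never appears in the record.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:
        return False            # malformed record: fail closed
    if algo != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was produced with weaker parameters than current policy.

    Call this after a successful login and re-hash with the plaintext you just
    verified; stored hashes then get stronger over time without forcing users
    to change their passwords.
    """
    try:
        algo, iterations, _salt, _hash = stored.split("$")
        return algo != ALGORITHM or int(iterations) < PBKDF2_ITERATIONS
    except ValueError:
        return True


def register(password: str) -> str:
    """Apply the policy, then return the record to persist (never the password)."""
    reason = policy_violation(password)
    if reason is not None:
        raise ValueError(f"password rejected: {reason}")
    return hash_password(password)


if __name__ == "__main__":
    record = register("correct-horse-battery-staple")
    print(record)                                                   # no plaintext inside
    print(verify_password("correct-horse-battery-staple", record))  # True
    print(verify_password("wrong-password-attempt", record))        # False
```

The record carries its own algorithm and iteration count, which is what makes `needs_rehash` possible: when you later raise the cost or switch algorithms, old records keep verifying and get upgraded transparently, rather than forcing a mass password reset.<\/p>\n\n\n\n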

In addition to securing customer accounts, you need to do the same for your internal users, especially your developers and ops staff, i.e. the people with access to your production systems, often at AWS, GCP, and\/or Azure. Enforce long, strong passwords and follow password management best practices<\/a>, use SSH keys<\/a> and multi-factor authentication (MFA)<\/a> wherever possible, and tie it all together with an identity management platform like my company\u2019s cloud directory platform<\/a>. Other solutions are available as well, including on-prem and open source identity providers.<\/p>\n\n\n\n

Action Items:<\/h4>\n\n\n\n