# The Security Playbook for SaaS Startups

JumpCloud resource, published July 1, 2021; last updated June 15, 2023. Source: https://jumpcloud.com/resources/security-saas-startups-guide-founders-ceos

With funding, recruiting, and building a product often high on their to-do lists, it's hard to blame founders and CEOs of SaaS startups for leaving network and data security to their technical team. Founders and CEOs don't need to be security experts, but the issue is critical enough that they should have a decent handle on what to do and why. This article is meant to be the security cheat sheet for busy entrepreneurs, and a double check for the technical team to ensure that their foundation is solid.

## Why Security Matters

### Customer Trust & Brand Reputation

Quite simply, SaaS platforms transact and store client data, so clients trust that SaaS platforms have strong controls over that data, reducing the chances of a security breach. This covers confidentiality, integrity, and availability, and their close kin, resiliency and privacy. Whether or not the data is considered PII (personally identifiable information), every customer cares about their data and will hold your organization accountable for its risk, security, and privacy. Building trust and rapport with your chosen SaaS partners is just that: a partnership. Customer diligence and trust expectations have escalated since SolarWinds, and they extend beyond your SaaS to your partners as well.

*Often, decisions on whether to purchase a SaaS platform can be derailed by poor security, a lack of trust, opaque controls, or a failure to meet compliance needs.*

### Required to Meet Compliance

If your customers' faith in your security isn't enough motivation to take security seriously, then governing bodies and regulatory commissions will give you a strong incentive to build a solid security program. Newer regulations such as GDPR, old standbys such as PCI and the HIPAA HITECH Act, and controls frameworks such as ISO and SOC all require strong security controls within an organization.

The truth is that as you grow and succeed in the market, your customers will demand that you adhere to security best practices as well as compliance standards. In many cases, external validation of adherence to these practices has become the benchmark of organizational security maturity.

## 5 Layers of Security for SaaS Startups

So, we know security is important, but as an entrepreneur, where do you start? If you aren't on the technical side of the team, it's often difficult to separate the high-impact items from passing trends and heavy lifts that aren't worth the work. With the competing pressures of time and money versus ensuring security, how do you make the right trade-offs?

To answer those questions, we've developed a five-layer model for SaaS security. Let's start with the core (the identity), discuss how to protect it, and then move through the layers until we reach the outer shell (the network).

### 1. Tightly Control Identities

Maintaining tight control over accounts, whether end user, internal team, or machine identities, is job number one. As a SaaS solution, you likely store end user accounts for your customers, and you likely provision the entitlements for those accounts as well. The passwords for these accounts should be complex enough to discourage brute forcing (Google Workspace relies on 12 alphanumerics), rotated often enough to limit the reuse of compromised credentials, and never stored in clear text. Combined with MFA (covered below), this removes many of today's largest threats.

In addition to securing customer accounts, you need to do the same with your internal users, especially your developers and ops folks, i.e. the people accessing your production systems, often at AWS, GCP, and/or Azure. Enforce long, strong passwords and follow password management best practices, use SSH keys and multi-factor authentication (MFA) wherever possible, and tie it all together with an identity management platform like my company's cloud directory platform. Other solutions are available as well, including on-prem and open source identity providers.

### 2. Multi-Factor Authentication Everywhere

**Wherever possible, require MFA.** It should be required on everybody's email account, especially since Google Workspace and Microsoft 365 both offer MFA capabilities. Don't stop at email or office services, though. Turn it on for your source code repository, AWS, banking, and anywhere else you can. Ideally, you'd also have MFA for each person's laptop or desktop. That, along with FDE (full disk encryption) for your employees' machines, is a tough combination for an attacker to beat. Many MFA solutions are getting easier for end users, who can now simply push a button on their phone to verify their identity.

### 3. Lock Down Endpoints

Your end users' laptops and desktops are the conduit to your more critical data and applications. Many organizations have bought into the idea that endpoints don't matter, so why spend time securing them? The problem is that they are the vehicle for access to AWS, GitHub, Salesforce, internal file servers, production cloud accounts, web browsing, and more. A compromised endpoint can be absolutely catastrophic: an endpoint with a keylogger can record all of your passwords, which can lead to compromises throughout your infrastructure. Endpoint Detection and Response (EDR) software, in conjunction with the password requirements above, dramatically reduces the attack surface of your endpoints. Couple this with some simple policies like screen saver lock, password requirements, and disabling guest accounts, and you'll be on your way.

Control patching and updating of the OS and major applications centrally so that resources don't become outdated. Ask your technical team whether they conduct and track updates regularly and can easily verify that all resources and systems are up to date; they should be able to run a quick report for you to confirm.

### 4. Encrypt All Data at Rest

All data other than passwords should be encrypted at rest. Many database solutions already do this for you, so you'll just need to confirm with your team that it has been enabled and that the encryption keys are stored properly. In addition to your database, encrypt every laptop and desktop hard drive. Yes, this is a compliance requirement under several frameworks, but make sure it is actually done. With macOS and Windows both offering full disk encryption, make sure it is turned on for every machine and securely store the individual recovery keys. JumpCloud can enforce this; if you're not using JumpCloud, check whether your MDM tool can do so.

### 5. Create Secure Connections That Extend to Remote Work

Due to its cost savings, productivity benefits, and proven success for many organizations, remote work is now a popular business model, especially for startups. Whether your business is fully remote, in the office, or a mix of the two, you need to secure all network connections and activity. Let's take the example of AWS infrastructure first. Use security groups heavily to lock down inbound traffic. Ideally, very little would be open to the outside world, and whatever is available would require strong authentication (see #1).

For the office network, as with endpoints, some founders hold the view that there is nothing to secure on the corporate network because everything is in the cloud. We would advise you not to let your guard down. Yes, the office network might be about as interesting as a Starbucks café's. But if somebody can get on, they can still see who else is on the network and potentially try to exploit a weakness. There really isn't a reason not to lock down the WiFi network. It's easy and fast to require each user to log in to the WiFi network uniquely with an authentication protocol like cloud RADIUS. (**Note:** a shared WiFi SSID and passphrase written on the conference room whiteboard does not count as a unique login.)

Even better, you can segment the network so that the sales team isn't on the same part of the network as the developers. IT teams can configure VLANs based on directory-defined user groups with RADIUS.

For remote networks, companies historically used VPNs to create secure connections between remote devices and the central network. While this practice is still viable, some newer, more cloud-centric options can provide tighter security and are better oriented towards the modern cloud-first business environment. For example, cloud directory platforms use Zero Trust principles and secure authentication protocols like SAML, SCIM, OAuth, WebAuthn, and LDAP to connect users to their IT resources securely. This is a great modern option, especially for startups that are partially or fully remote, or plan on going remote in the future.

**That's it. Those five items will dramatically step up your security game. In fact, we'd venture to bet that you'd be near the head of the class if all of those pieces were in place. But don't get us wrong: there are no doubt many other high-value systems and processes that can be implemented, and by no means is our list comprehensive. Think of it as a solid foundation to build upon.**

## Beyond the Buzzwords

In the world of information security, there are hundreds, if not thousands, of companies and tools purporting to be the panacea for your problems. Many of them are on the cutting edge, and some may be a great fit for your startup. In this article, we've steered away from the buzzwords and the fancy tools in favor of giving you a solid foundation without significant cost.

You may hear terms from your team such as "Defense in Depth," "Zero Trust," or "Perimeter-less" security. Truthfully, all of these concepts are useful, and if your team happens to like one, that's probably just fine. What really matters is that the selected model does a good job of protecting the core artifacts of your infrastructure, and that your team executes on it.

*This gets to an important truth: an organization's security program can only be as good as the security hygiene of its employees.*

That's why we're concluding with two other considerations: employee training and a security policy.

### Conduct Regular Security Training

We'd suggest getting in the habit of conducting regular training with your entire team. Ask somebody on your technical team who is savvy about security to review good security practices and your own security policy with the whole company. We do our training every quarter, and we have published our suggestions for what to train on.

This is especially important for organizations with remote employees. With a decentralized workforce under less supervision than it would be in an office, establishing a strong security culture is critical to avoiding breaches caused by human error.

### Outline a Security Policy

You'll also likely want to outline a clear security policy for your team. We found that a plain-spoken, direct approach worked much better than legalese that nobody ever read. Just tell your team what you want them to do and not do, and why. You'd be surprised at how engaged your team will be.

Security for SaaS startups doesn't have to be rocket science. But you do need to devote real time and attention to it.

*In the modern era of SaaS startups, security is an issue that you won't be able to compromise on or ignore. Your revenue will depend on it.*

Start with the basics and get those working at a high level, and you'll be surprised by how much you've reduced your risk and enabled your sales engine. For more information on securing your startup, read our blog on securing your startup's cloud infrastructure and applications.

## Advice from a Fellow SaaS Startup CISO

*CISO, JumpCloud*