The more data you store, the more attractive you become to cybercriminals, so SaaS companies need to recognize the importance of following security best practices. However, even those who understand this imperative can find it difficult to know where to start.
With that in mind, this post discusses three of the most common security mistakes that SaaS organizations make and tips on how your organization can address them.
1. Weak Security Groups and Policies
It seems that many SaaS organizations aren’t adhering to the principle of least privilege access, where users are given the minimum amount of access they require in order to do their jobs. Fred in accounting has no business modifying software configurations, after all, so why give him the access that would enable him to do so? Often too much access isn’t the result of a conscious decision, but rather the result of not having a well-thought-out strategy or policy around access controls for both the end users and the machines they use.
To combat this problem, it’s important to configure your security groups to restrict ingress and egress, making sure that only those with a true need are able to log in.
As another best practice, SaaS companies should be locking down servers and services so that only connections from IPs associated with your organization are accepted and only specific ports necessary for your business apps are open. All others should be blocked to reduce the surface area of a potential attack.
To help address this issue, Threat Stack’s CloudTrail integration enables automated alerts to let you know when changes have been made to your cloud infrastructure, including changes to your instances, security groups, S3 buckets, access keys, IAM policies, and other changes to your AWS infrastructure, that could represent a threat.
2. Authentication Missteps
Weak Passwords: The use of authentication technologies such as client certificates, tokens, and biometrics can seriously strengthen security for your SaaS company, but a strong password policy is still a good first line of defense against attacks. Many people use simple passwords and repeat them across services to decrease the number of passwords they need to remember. According to a Pew Research survey, in fact, 39 percent of Americans report using the same (or very similar) passwords for multiple accounts, and 25 percent admit to using passwords that are simpler than they’d like. Establishing a strong password policy can go a long way toward preventing breaches and protecting your customer data.
So what is a strong password policy? As a bare minimum, administrators should require passwords that follow the “8–4 rule,” meaning that passwords must contain at least eight characters of four types (lowercase letters, uppercase letters, numbers, and symbols). Employees must also be encouraged to create unique passwords for each account, avoid the inclusion of personal information in passwords, and rotate access keys on a regular basis (say every 90 days).
Of course, if passwords are so complex that users end up writing them down on a sticky note, you’re defeating your own security measures. Browser-based password managers are unreliable and should be avoided, but safe external password management software (like 1Password or LastPass) can make is easy for users to create long, complex, and unique passwords that they don’t need to memorize. These services can also be used to auto-generate more secure passwords.
Exposed Secrets: Perhaps a less obvious no-no than using your dog’s name as your password is storing secrets in unencrypted application code, and more SaaS companies are making this mistake than you might think. Protected information needs to be easy to find but not easy to access. This prevents it from falling into the wrong hands. Make sure your organization follows strict best practices when it comes to the sharing of passwords, API keys, secure tokens, and private keys. And, to make sure you’re not hiding any sensitive data in plain sight, we recommend using truffleHog or git-secrets to identify whether secrets are currently stored in your code.
Failure to Use Multi-Factor (2FA) Authentication: Failing to use multi-factor authentication (MFA) is another common mistake. According to the 2019 Verizon DIBR, 81 percent of attacks involved weak or unused passwords. Implementing multi-factor authentication is a strong way to make sure that passwords are not your only line of defense, allowing you to more easily establish trust in your organization, and making it more difficult for attackers to fake it.
A tool like the Threat Stack Cloud Security Platform® can help you avoid these authentication mistakes by alerting you in real time when they are performed to allow you to react accordingly. By providing visibility into these actions on a continuous basis, you can then evaluate the effectiveness of your internal policies and make sure that you’re always using multi-factor authentication.
3. Failure to Patch Systems
Patching vulnerabilities seems like an easy enough task, but the truth is that many SaaS organizations are not doing it with enough regularity. The Verizon DIBR has shown that the most frequently exploited vulnerabilities are often months or even years old. They’re easily exploited because people fail to patch their systems.
This problem often arises within an organization when patching is left up to individual employees. Rather than leaving this important security protocol open human error, take a systematic approach to ensure that vulnerabilities are patched quickly and comprehensively. This can be done by enforcing company-wide updates immediately as patches are released or by updating systems on a regular basis with any recent patches. The path you take will be determined by your organization’s specific risk tolerance, values, and resources. But, regardless of what you choose, the point here is that patching must be done routinely and systematically, rather than haphazardly.
Defining An Individualized Approach For Your Organization
While the mistakes we’ve discussed above are fairly common at SaaS organizations, they aren’t the whole picture. Remember that threats vary from company to company, and it’s up to each SaaS organization to establish an individualized plan for continually improving its security posture over time. Getting started by addressing the three mistakes outlined in this post is a good first move. From there, you can assess your unique risk profile and start taking steps to make sure that you are not an easy target for cybercriminals.
If you’d like to learn how Threat Stack can help you identify security missteps and catch threats in real time, sign up for a demo today. Our security and compliance experts will be happy to discuss your specific requirements and use cases.