To make sure your software is 100% secure, install it on a machine in a locked room that cannot be physically accessed by anyone or anything and has no connection to a network. Your software will be of no use to anyone, but it will be 100% secure. Software design is all about trade-offs, and designing for security is no different. You will need to trade money and/or usability for every addition you make to support security in your system.
Here are seven SaaS security best practices that won’t drive your users crazy and at the same time won’t break the bank while curbing SaaS security risks:
The large cloud providers have spent countless millions of dollars on security research and development and made the results available to the world. Leverage the infrastructure and the best SaaS cyber security practices that they have made available and focus your energy on the core problem(s) your software solves.
a. API Gateway Services
b. Security Monitoring Services
c. Encryption Services
a. Software/Hardware – For example, do not define endpoints in your public API for admin-related tasks. If the endpoint doesn’t exist, there is nothing to secure (that’s as simple as it gets when it comes to SaaS endpoint protection)!
b. People – Limit the access people have to sensitive data. If it is necessary for a person to access sensitive data, log all actions taken and, if possible, require more than one person to be involved in accessing the data.
a. Only capture data you absolutely need. For example, if you never use a person’s national ID number (e.g. SSN), don’t ask for it.
b. Offload the sensitive data storing to a 3rd party. Square is a perfect example of this. Square will store all the credit card billing information for you. Your system is never in possession of the credit card number so you don’t have to worry about protecting it.
a. Data at Rest: When data is stored either as a file or as data in a database, it is considered “at rest”. Almost every data storage service can store the data you give it encrypted and then decrypt it when you ask for it. SQL Server, as an example, allows you to turn on a setting to encrypt the data it stores with its Transparent Data Encryption (TDE) feature.
b. Data in Flight: When data is read from storage and sent outside of the currently running process, it is referred to as “in-flight”. Data sent over any networking protocol, be it FTP, TCP, or HTTP, is “in-flight”. Network sniffers (if attached to your network) can read this data, and if it is not encrypted it can be stolen. Employing SSL/TLS for HTTP is a common example.
There’s no guarantee that your system’s security won’t be breached. It is more of a question of “when” than “if”. For this reason, it is important to log all changes and access to sensitive data, changes to user permissions, and login attempts. When something does go wrong, you have an audit log that can be used to determine how the breach occurred and what needs to change to stop further similar security breaches.
Social engineering is by far the most successful way to breach any system. Make social engineering hacks more difficult by requiring users to have a second way to authenticate with your system. Implement a system that requires two of the following three types of information:
Sending a code to a user’s phone or email is a very easy way to implement two-factor authentication. To balance the added security with the need for usability, give your customers the option of choosing whether they would like to use the phone or email, and an option for how long the code is valid for the device being used.
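The following is an added example, not code from the original article: issuing and verifying a login code sent by phone or email, with a validity period the customer picks. The class name, the permitted validity periods, and the attempt limit are assumptions; the code is stored only as a keyed hash, works once, and is compared in constant time.

```python
import hashlib
import hmac
import secrets
import time

ALLOWED_CHANNELS = {"phone", "email"}   # the two delivery options the text offers
ALLOWED_TTLS = {300, 600, 900}          # assumed validity choices, in seconds
MAX_ATTEMPTS = 5                        # assumed cap on guesses per issued code


class OneTimeCodes:
    """Issues and verifies short-lived login codes; only a keyed hash is stored."""

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)   # per-process key; keep it in a key vault in production
        self._pending = {}                    # user -> [digest, expires_at, attempts_left]
        self._clock = clock

    def _digest(self, user, code):
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user, channel, ttl):
        """Create a code for `user`; the caller delivers it over `channel`."""
        if channel not in ALLOWED_CHANNELS or ttl not in ALLOWED_TTLS:
            raise ValueError("unsupported channel or validity period")
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from the OS CSPRNG
        # Issuing a new code replaces (and so invalidates) any earlier one.
        self._pending[user] = [self._digest(user, code), self._clock() + ttl, MAX_ATTEMPTS]
        return code

    def verify(self, user, code):
        """True once for the right code before expiry; every other outcome is False."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[user]           # expired or guessed out: a new code is required
            return False
        entry[2] -= 1                         # count this attempt before comparing
        if hmac.compare_digest(digest, self._digest(user, code)):
            del self._pending[user]           # single use
            return True
        return False
```

Each `issue` and `verify` call is also a natural point to write the login-attempt audit log entry described earlier.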
Key Vaults allow secrets to be accessed only by applications that have been given access to the Key Vault, removing the need for a person to handle the secrets. Store all secrets to access databases/datastores, encrypt data, electronically sign files, etc. in a Key Vault. Cloud platforms such as AWS and Azure offer highly effective and configurable Key Vault services.
For added security, use a separate key vault for every customer. For advanced security, allow your customers to bring their own key.
Here at Windward, we give the highest importance to security, right from the inception stage of our products to their usage and integration in multiple environments by our customers. Read more about data security when using Windward Solutions.