A Practical Guide to People-First SaaS Security
The average SMB uses more than 54 SaaS products, often leading to SaaS chaos and security exposure. While SaaS can help you get your job done more efficiently, it can also introduce security concerns if not properly locked down. At Blissfully we help hundreds of companies manage this SaaS chaos, and we’ve prepared a simple, practical, and effective guide to improve your organization’s SaaS security.
Security Starts with People
When it comes to security, your people can be either your best line of defense or your weakest link. It’s key to build your security policies and procedures around people, including taking the time to understand what is intuitive and user-friendly and thus most likely to be adhered to.
Generally speaking, we believe that you should rely more on systems and guardrails than on user actions and training. In other words, take human error out of the equation whenever possible. We also believe it’s best to have fewer vectors, rather than more, and to harden these as much as possible (we’ll explain what this means in more detail below).
Many organizations tackle security on an as-it-comes basis. This can be dangerous, since it often means you aren’t thinking about security until after something bad has happened. Both ad hoc or absent security policies can open you up to a whole world of vulnerabilities. On the other side of the spectrum, some organizations employ arcane security practices (like forcing users to change their passwords at regular intervals for no real reason) that are not user-friendly and are thus often skirted by employees.
The SaaS Security Spectrum
Above is an illustration shows a spectrum of SaaS security and access, to help you understand where your organization falls today. Most organizations start off with no policies or systems. In this situation, the onus is on each employee to manage their own security, which means they will typically re-use passwords, share them via insecure spreadsheets, or create other systems that work for them but not for the company.
The best case is to use a single access point to unlock access to company applications, and to create an easy centralized point to enforce human friendly security policies.
The rest of this guide helps get your from wherever you may be on the spectrum, to a blissful state of secure SaaS usage.
Who This Guide is For
In this guide, we’ll share best practices for building a SaaS security stack that is realistic, usable, and focused on the way modern organizations conduct business. In particular, we have focused on the broad range of small to mid-sized businesses, or SMBs. Very small businesses may not be ready to implement some of these controls — and there may not be a need. On the other end of the spectrum, enterprises will find many of these recommendations appropriate, but may need to take things a few steps further to fully mitigate risk. However, on the whole, we think these recommendations will apply to a broad range of business sizes and types and are a great place to start.
Additionally, it’s worth noting that this eBook is focused on organizations who use G Suite. It won’t be as relevant if you operate in Office365, for example. It is also focused more on the security of SaaS operations (vs. securing your core network or production servers.)
The Foundation: Configuring G Suite for Security
If you are using G Suite for your business, the good news is that you already have quite a few security tools and configuration options at your disposal. However, these are no good to you unless they are thoughtfully implemented and automatically enforced. This harkens back to the concept of people-first security.
Here are the areas you should be looking at securing when it comes to your G Suite applications.
The single best thing you can do to improve your organization’s cloud security is to turn on and enforce multi-factor authentication on all products that support it, especially your primary email and collaboration platform (as stated earlier, we recommend G Suite). This greatly reduces the harm that an attacker can do with stolen credentials.
While this may seems like a requirement in today’s age, our data shows that the average company only has 37% of their employees using multi-factor authentication on their main G Suite account. And this number gets even worse for smaller and early-stage companies, where just 22% of employees at companies with less than 50 people have multi-factor authentication enabled.
Another benefit of implementing strong Google-based authentication is that many SaaS products are increasingly supporting Google Single Sign-on, which means that if you enforce MFA for Google, you’ll automatically get those benefits for all apps that use Google SSO.
The Chrome administrator for your organization can set up policies that dictate how employees use their Google accounts on Chrome devices, Android devices, and the Chrome browser. Since these policies are implemented at the account level, they will apply no matter what device the user signs in from. (However, do note that the policies won’t apply to users who are signed in as guests or who use a Google account from outside the organization.) Because these settings can be applied across several devices and the Chrome browser, they are a good way to enforce security without a ton of extra effort from your users or your IT team.
To implement these settings, you’ll first need to turn on Chrome management. Then you can set up user policies, which can be divided up by team to help you apply certain policies to specific groups of users. Policies can include enrollment controls, apps and extensions allowed or required, Chrome web store permissions, Android applications, and a wide range of other security controls. You can view the full list here.
G Suite Team Drives are shared spaces for teams to store and access their files. This feature is included in the Business and Enterprise versions of G Suite. Files in Team Drives belong to the entire team rather than to individuals. This makes life easier if someone leaves your team, because there is no need to transfer document ownership or reset permissions. The files stay put regardless of any individual’s status, so employees can get work done without interruption. Team Drives is available on several tiers of G Suite, and you can learn more about it here.
There is also a security benefit to using Team Drives. When you add new members, you can decide whether you want to give them full access to upload, edit, and delete files, or whether you want to restrict them to certain activities at the user level. It is easy to add members, set and change member permissions, and remove members as needed.
At Blissfully, we have established a special partnership with G Suite and can offer Team Drives to you on a discounted basis. Contact us at firstname.lastname@example.org for more information and to get set up.
SaaS Security Monitoring
You can’t say your organization is secure unless you know what SaaS products everyone in the organization is using at any given time and can say definitively that they are employing security best practices.
With Blissfully’s SaaS security monitoring, you can access an always up-to-date list of the SaaS in use subscriptions across your company—including “shadow” and unsanctioned applications. You can view full adoption trends for your whole organization, including details by department and products. Plus Blissfully allows you to easily audit what permissions users in your organization are giving to which applications, and get updates on all new additions. This is a crucial layer of security for your SaaS stack. Finally, the ability to manage employee access to your required SaaS products by department, and to consolidate licenses, will give you unprecedented visibility into your SaaS stack.
SaaS Access Management
Today’s IT world is increasingly centered on SaaS. This means it’s critical to enforce secure access to all of your SaaS applications. You can’t risk having ad hoc policies around how employees access SaaS applications, which unfortunately tends to be the status quo.
When companies don’t have policies (or have policies that are hard to comply with), employees tend to either store passwords in an unsecure file or reuse the same password across multiple applications.
The 2016 Verizon DBIR found that 63% of confirmed data breaches leveraged weak, default, or stolen passwords. If you don’t want your organization to be the next victim, it’s time to tighten up your controls. Below are our recommendations for passwords and identity and access management.
Team Password Management
Unfortunately, your browser’s built-in password management feature isn’t secure enough to rely on. There have been a number of successful attacks against browser-based password storage, so we don’t recommend that you or your employees use these features. You can and probably should turn off the ability for people in your organization to use Chrome’s password manager, which you can do in the Chrome settings we talked about earlier.
Our recommendation is to use TeamsID, which offers a variety of password management solutions for organizations large and small. In our view, the killer feature of TeamsID is the ability to link it to Google’s SSO. This means that employees don’t have to remember yet another password, and instead you can enforce strong passwords and multi-factor authentication on G Suite, which in turn will unlock your shared passwords in TeamsID.
Beyond that, TeamsID has all the key features you’ll need in a team password platform, including the ability to have “secret” passwords that can be filled in but not seen, browser extensions, native applications for many platforms, easy team management and sharing, and more. We use TeamsID internally and have been very happy with it. *Bonus: You can use the code “blissfully” to get 10% off when you sign up for TeamsID. *
A very solid alternative is LastPass, which has many of the same features. However, it doesn’t have the Google SSO option. It also has some additional configuration challenges, and is not quite as easy to use for team sharing. For example, the onboarding process requires you to set up a temporary password via email, which is not ideal. LastPass does, however, have a few additional workflow and security features (e.g. robust API access and SAML configuration) available to some of the enterprise tiers, which might be valuable depending on your business’s needs.
Either of these options is far better than simply letting your users reuse their passwords across several services, opening you up to credential attacks on a large scale.
Identity and Access Management
As you build out your IT team, and grow past more than 100-200 employees, it’s a good idea to start thinking about deploying a unified IAM solution. This can both streamline the end user’s experience and protect the entire organization from security threats. IAM solutions work by authenticating a user once and then unlocking all apps for them (rather than users having to individually sign into each app).
IAM offerings are a bit like Google Single-Sign On on steroids, offering many more configuration options and deeper integrations. For smaller organizations, this might be overkill, especially if you won’t be able to or need to leverage their killer features like Active Directory sync (smaller, newer companies might not even have this) and SAML integration (typically only available on more expensive, enterprise-level SaaS pricing tiers). But if you are a larger or more advanced organization, it may very well be worth investing in IAM.
We recommend Okta for most organizations with more than 150 employees. Okta’s single sign-on product claims to make it 50% faster for users to sign in to applications, as well as reducing IT help desk requests by half. This makes life easier for the folks on your IT and operations teams while meeting “security efficacy” goals. Okta also has real-time security reporting built-in, so you can be alerted anytime something suspicious takes place, affording peace of mind.
Putting Your Stack Together
In summary, these are our overall recommendations for boosting the security of your team’s SaaS operations.
For most businesses, here is what we recommend:
- Put people at the center of your security policies
- Use G Suite Business or Enterprise for overall operations and employ available security configurations
- Enforce two-step verification on G Suite
- Leverage Google SSO where possible, and use TeamsID (via Google SSO) to manage shared passwords for products that don’t support Google SSO
- Deploy Blissfully SaaS monitoring to keep a close eye on all applications in one convenient dashboard
For Enteprise, use an IAM like Okta to manage identity and access
We hope these security guidelines will help your organization meet the goal of improving SaaS and cloud security by employing practices and standards that are both attainable and effective at protecting you against a variety of risks and threats. The best strategy is the one that can be implemented and maintained, so work to improve your security over time by implementing the best practices outlined in this guide. And if you need a hand implementing this, just let us know!