Software-as-a-service (SaaS) companies will see significant growth in the coming years as the reliance on SaaS solutions continues to grow. According to Forbes, SaaS revenues are projected to increase from $200 billion in 2020 to $369.4 billion in 2024.
But before SaaS SMBs can fully realize this growth opportunity, they need to lay a foundation for success by optimizing their own technology stacks. That means not only making smart choices about the stack elements they select but protecting those technology assets from internal and external security threats.
At Tugboat Logic, our job is to help companies of all sizes meet rigorous security and compliance criteria, which involves staying ahead of emerging security issues and identifying the technologies and best practices that can help neutralize them. Here are our top tips for securing the SaaS SMB stack.
1. Tighten Stack Security Settings
Most of the technologies that make up today’s stack have robust, built-in security features. But to protect the stack, they need to be configured and managed optimally. Here are some simple ways to strengthen your stack by adjusting the settings and permissions.
- Enable strong password settings for Active Directory, server and database accounts: a minimum length of at least eight characters (longer is better; a passphrase of 12 or more characters resists offline cracking far longer than a complex eight-character one), complexity requirements, a password history of 24 passwords, a maximum password age of 90 days, and lockout after 5 to 10 failed attempts. One caveat: current NIST guidance (SP 800-63B) favors longer minimum lengths and screening new passwords against breached-password lists over composition rules and forced periodic rotation, so where your auditor or framework allows it, lengthen the minimum and replace the 90-day expiry with a change-on-evidence-of-compromise rule.
- Set permissions on your code repository. We conduct routine security checks on hundreds of SaaS companies, so we know from experience how often SaaS companies forget this crucial step and accidentally make their proprietary code accessible to the public. Set the organization default for new repositories to private, review the visibility of existing repositories periodically, and keep secrets (API keys, credentials) out of the code itself so that an accidental exposure leaks source rather than production access.
- Secure individual workstations with full-disk encryption and screen-lock passwords. Workstations are a constellation of weak spots through which external threats sneak in, so make sure disk encryption is enabled on every machine: BitLocker on Windows, FileVault on macOS, and LUKS (dm-crypt) on Linux. Escrow the recovery keys centrally (Active Directory, Azure AD/Intune, your MDM, or a password manager) so that a forgotten passphrase or a failed TPM does not turn encryption into data loss.
- Set up multi-factor authentication using one or more of the many options available: codes generated by smartphone apps; badges, USB security keys, or other physical devices; soft tokens and certificates; fingerprints; facial recognition; retina or iris scanning; behavioral analysis; and answers to personal security questions. Prefer phishing-resistant factors (FIDO2/WebAuthn security keys or platform authenticators) where you can, and note that security questions are another knowledge factor, so password plus security question is not truly multi-factor.
2. Protect Against Human Error (and Mischief)
Tightening up settings and permissions will go a long way toward securing your stack, but it’s also important to take steps to monitor and limit access to your applications. Whether in error or in anger, humans can wreak havoc on your systems, but taking a proactive stance on system access can help to prevent or limit the damage. Start by ensuring these three processes are in place.
- Limit access to applications through provisioning and approval. Grant each user the minimum access privileges needed to perform their job, and stay audit-ready by documenting each approval via email, ticket or checklist. Maintain an access register (a spreadsheet is enough at SMB scale) that records who has access to each platform, who granted it and when, and reconcile it against your HR roster regularly. User access should also be revoked as part of your standard, documented offboarding procedure.
- Manage user identities with unique user IDs, so that every action can be traced to one person, and prohibit shared IDs unless they are business-essential, approved and documented (service accounts are the usual exception; give each its own ID and a named owner).
- Monitor and log all admin activities, including login attempts (successful and failed), changes to data or functions, and changes to security configurations, permissions and roles, so that unusual activity can be investigated and resolved within the timeframe set by your incident management process. Ship these logs to a system the admins themselves cannot edit; an audit trail that its subjects can rewrite is not an audit trail.
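The three processes above are a routine that can largely be scripted. What follows is an added example (written for this page, not Tugboat Logic's own tooling) that reconciles an access register of the kind just described against an HR roster, then runs a few simple checks over admin activity log lines. The register, roster and log lines are constructed sample data; the column names, the `key=value` log format and the thresholds (five failed logins within ten minutes, in line with the lockout setting above) are assumptions of the example.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data for this example (not from the original page).
# Access register: one row per (user, system) grant, with approver and ticket.
ACCESS_REGISTER = """user,system,role,approved_by,ticket,shared
alice,prod-db,admin,cto,IT-101,no
bob,prod-db,readonly,cto,IT-102,no
carol,github,admin,,,no
deploy-svc,prod-db,admin,cto,IT-090,yes
oncall,pagerduty,admin,,,yes
dave,github,write,cto,IT-077,no
"""
# HR roster: every human account and whether the person is still employed.
HR_ROSTER = """user,status
alice,active
bob,active
carol,active
dave,terminated
"""
# Admin activity log in an assumed "timestamp key=value ..." format.
ADMIN_LOG = """2024-03-01T09:00:01Z user=alice action=login result=success
2024-03-01T09:05:10Z user=dave action=login result=failure
2024-03-01T09:05:12Z user=dave action=login result=failure
2024-03-01T09:05:14Z user=dave action=login result=failure
2024-03-01T09:05:16Z user=dave action=login result=failure
2024-03-01T09:05:18Z user=dave action=login result=failure
2024-03-01T10:15:00Z user=bob action=role_change target=bob role=admin result=success
2024-03-01T10:20:00Z user=alice action=config_change key=mfa_required value=false result=success
"""


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile_access(register_text=ACCESS_REGISTER, roster_text=HR_ROSTER):
    """Compare the access register with HR: flag grants to departed staff (missed
    offboarding), undocumented shared IDs, and grants with no approval record."""
    roster = {row["user"]: row["status"] for row in load_csv(roster_text)}
    findings = []
    for row in load_csv(register_text):
        user, system = row["user"], row["system"]
        documented = bool(row["approved_by"] and row["ticket"])
        if roster.get(user) == "terminated":
            findings.append(("offboarding_missed", user, system))
        if row["shared"] == "yes" and not documented:
            findings.append(("shared_id_unapproved", user, system))
        elif not documented:
            findings.append(("no_approval_record", user, system))
    return findings


def parse_log_line(line):
    ts, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return record


def audit_admin_log(log_text=ADMIN_LOG, roster_text=HR_ROSTER,
                    max_failures=5, window=timedelta(minutes=10)):
    """Flag activity by departed staff, bursts of failed logins, self-granted
    privileges and any change to security configuration."""
    roster = {row["user"]: row["status"] for row in load_csv(roster_text)}
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    seen_terminated = set()
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_log_line(line)
        user = rec["user"]
        if roster.get(user) == "terminated" and user not in seen_terminated:
            seen_terminated.add(user)
            findings.append(("terminated_user_activity", user, rec["action"]))
        if rec["action"] == "login" and rec["result"] == "failure":
            q = failures[user]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()  # drop failures outside the sliding window
            if len(q) == max_failures:
                findings.append(("login_burst", user, f"{max_failures} failures in {window}"))
        elif rec["action"] == "role_change" and rec.get("target") == user:
            findings.append(("self_privilege_grant", user, rec.get("role")))
        elif rec["action"] == "config_change":
            findings.append(("security_config_change", user, f'{rec["key"]}={rec["value"]}'))
    return findings


if __name__ == "__main__":
    for finding in reconcile_access() + audit_admin_log():
        print(finding)
```

Run against the sample data it reports a departed user still holding GitHub access, an admin grant with no approval on file, a shared on-call ID nobody approved, a failed-login burst from that departed user, an admin who made himself admin, and a change that switched MFA off. Each is exactly the kind of event the incident process above should have a response time for.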
3. Fill the Gaps in Your Security Stack
While the built-in security features included in many applications can go a long way toward safeguarding the stack, they don’t offer enough protection on their own. The SMB stack needs to include dedicated security applications to safeguard the company’s technologies, IP, employees and customers.
Yet according to a 2021 survey conducted by Tugboat Logic, many SaaS SMBs are missing key elements of the security stack. 39 percent of survey respondents reported that they do not currently have an intrusion detection and prevention system (IDPS) in place. 25.3 percent don't have penetration testing software in place and 14.6 percent do not have a security information and event management (SIEM) solution in place. And 9.6 percent of respondents don't even use antivirus software.
To meet the baseline for stack security, make sure your stack includes these four key security applications. Here are the top recommendations from our security experts.
Top IDPS* Options
*An IDPS monitors network traffic (and, on hosts, system activity) for indications of an attack, alerts administrators so they can take swift action to minimize damage, and in prevention mode blocks the offending traffic itself.
Top Penetration* Testing Options
*Penetration testing uses authorized manual or automated attacks to identify exploitable vulnerabilities so that admins can fix them before a real attacker finds them.
Top SIEM* Options
*SIEM aggregates and analyzes the activity that takes place across the entire IT infrastructure so that admins can detect and take action against suspicious activity early.
Top Antivirus Options
- Microsoft Defender Antivirus (built into Windows 10/11 workstations; formerly Windows Defender)
- CrowdStrike Falcon (for Windows/Mac/Linux workstations)
- Microsoft Defender (for Windows servers)
- ClamAV (for all server types; an open-source signature scanner, useful for mail and file-upload scanning but not a substitute for endpoint detection and response)
4. Consider Getting Compliant (SOC 2, Anyone?)
If your company is serious about maintaining rigorous security protocols to protect itself and its customers, and if you're starting to attract business from larger enterprises, it's a good idea to start evaluating industry-recognized security standards such as System and Organization Controls 2 (SOC 2).
SOC 2 is an attestation report, issued by an independent CPA firm against the AICPA Trust Services Criteria, on whether your company's controls for securely managing the data you collect and use during business operations are suitably designed (Type I) and, for a Type II report, operated effectively over a review period. Undergoing a SOC 2 audit helps you ensure that you are following security best practices and shows your prospects and customers that you meet the security criteria they need to see before confidently sharing their data (and their customers' data) with you.