DevOps Challenges Every B2B SaaS Must Overcome To Succeed: Staying Secure and Compliant

  • April 26, 2021

Protecting your company’s assets is paramount in today’s world. This means taking security and compliance seriously. Over 1001 data breaches happened in 2020 in the US, and 158 million people were affected by data exposures caused by lax security practices. Not only must you protect your assets, but you must protect your client’s sensitive information, or companies will simply not do business with you. 

While there are significant differences in security and compliance, they go hand in hand. Security relates to a set of measures tools and processes put in place to protect company assets. In contrast, compliance is mainly focused on alignment with regulations, standards, and/or best practices. Compliance is mandatory in the B2B SaaS world. You will struggle to gain larger clients if you lack compliance, and insurance won’t cover errors and omissions. Every company needs to address both security and compliance if you hope to stay in business. 

Security Best Practices

When putting in place basic security Cloud infrastructure, we recommend following a few best practices. 

Secure Cloud Accounts and Networks

Begin by segregating workloads by account, based on their function and compliance or data sensitivity requirements. The networking layout in each account must be organized in at least two subnets: public and private. Public is only for services that strictly require to be exposed, and everything else must be in the private network. When it comes to your network, you’ll want to use the defense-in-depth concept. This will give you multiple layers of security mechanisms and controls in order to secure the network and data’s confidentiality, integrity, and availability. 

 

Furthermore, access to the resources and internal services in your company’s private network using a VPN or SSH.

 

Securing Your Data

Data must be encrypted when it is in transit and at rest using SaaS data encryption. It must be secured at all three of these points; in use, in transit, and at rest. Once it is encrypted, your data should be classified to ensure it’s being used for the right purpose and with the right people.

Identity and Access Management. 

Identity and access management are critical parts of an information security program. You will want to ensure that only authorized and authenticated users and components can access your resources, and only in a manner you intend. It is essential to use Multi-factor Authentication (MFA) for anything and everything. Make password complexity mandatory at your organization.

Give users the minimum amount of access needed to do their job according to the Least Privilege Principle. Make use of secure secret management. You will want to enable AWS Security HUB if you are in AWS. Use IAM Roles, Services accounts, or equivalent. Try to avoid managing credentials when possible; cloud providers offer tools like AWS IAM Roles, to grant access to resources without managing credentials.

Implement Security in the Pipeline


Security is not just for your data or access management; you will want every step of your development pipeline secure. It is important to implement security in the development lifecycle as early as possible. This is often referred to as DevSecOps. To being doing this:

 

  • Enable static analysis or Static Application Security Testing: your source code must be analyzed to find security vulnerabilities.
  • Enable Dynamic Application Security Testing:  find security vulnerabilities and weaknesses in a running application.

 

The OWASP Top Ten is a great starting point of the type of vulnerabilities you should be scanning.

 

Audit Tooling

 

Your company will want to document and organize your security records, audits, alerts, and other critical information. 

 

  • A Security HUB will provide a single place in which you can organize your security alerts. 
  • Use audit trails to catalog events or procedures to provide documentation that will authenticate security actions.

 

Getting Compliant


Compliance with well-known certifications like ISO, SOC2, etc., will be required sooner or later, but to start, you can use CCM from CSA to demonstrate to your clients that you can implement a formal approach to security. While they are expensive and time-consuming, certifications demonstrate your company’s maturity and knowledge to your clients.

 

The Cloud Security Alliance (CSA) is the leading organization committed to defining the best practices used to establish a secure and protected cloud computing environment. CSA will provide you with the tools to self-assess your organization’s maturity against any of the market standards, completely free.

 

The process consists of a series of self-assessments guides with checklists provided by CSA. CSA has been evolving this methodology since 2009 and getting more and more coverage on each version, including the current version, 4.0 of CMM (Cloud Control Matrix). Once completed, the outcome is a maturity level that can be cross-referenced with other companies and also with the market standard of your choice.

Conclusion

It is never too soon to start improving your security and compliance protocols. When your organization takes security and compliance seriously, not only will your own assets be more secure, but your clients will have confidence in your expertise. Appropriately applied, these best practices will help your company stay secure and compliant.