How to Build Security for your SaaS User Communications
Modern SaaS application providers handle sensitive user information every day, from customer names and email addresses to application code and third-party API secrets. It is thus more important than ever for web applications to adhere to the highest security standards, not only to maintain their business reputation and avoid financial losses but also to protect their users.
Customer communications is one of the components of SaaS security that is often overlooked. In this article, we cover why you should look closely at how secure your customer communications are and implement strict security measures for emails, push notifications, and other communications you send to your users. We also offer some recommendations to get you started on this security journey.
What does security in modern SaaS applications look like?
Many modern SaaS applications are hosted on a cloud platform and accessed via the web interfaces and APIs. They might also rely on third-party managed services, such as those offered via Amazon Web Services (AWS). Examples of such services are databases, computing resources, and deployment of machine learning models. When designing security controls for an application, all these components need to be considered.
In a traditional on-premises software deployment, the software vendor only develops the software but doesn’t take care of the hosting or information storage. The end user of the software (or rather, their IT department) is responsible for the security of their data when deploying software they purchased. In the cloud, however, the SaaS provider is responsible. SaaS applications can become core pieces of the end user’s application stack, and as such process personally identifiable information (PII), like customer and employee records, application code, or third-party secrets and API keys. Specialized security measures for today’s SaaS services are thus absolutely critical in order to secure all that sensitive information.
What types of security measures does an early-stage SaaS application running in the cloud require? Ideally, the application should be built with a security mindset from the beginning. If your application relies on cloud or other service providers, especially giants like AWS, they will have stringent security on their end. But you’ll need to ensure that every possible point of connection between your application and the cloud provider is protected. Accountability and data ownership with these providers should be clearly delineated. Check your cloud provider’s documentation for security best practices and follow them consistently.
The measures you need to implement within your application and infrastructure include encryption, which scrambles data so that only those with the right key can decipher the information, and tokenization, where sensitive information is exchanged for tokens that are used instead. While tokenization or encryption can’t guarantee complete protection against a breach, they can prevent any actually usable information being stolen in the event of a breach.
All customer data should also be backed up securely. Data loss events can be as problematic for a business as security incidents, so the capacity to restore information from a backup in a modern SaaS application is crucial for successful service recovery.
Continuous monitoring of the entire infrastructure is also necessary to respond quickly to any incidents or security breaches and prevent problems early.
Why security especially matters for customer communication
The customer communication infrastructure of SaaS providers must have access to PII like names, emails, and phone numbers to be able to send anything of value to its users and keep them engaged. Because the personal information can be used very effectively by a malicious actor if they manage to obtain it, the user data needs to be protected. Any leaks of customer data, whether caused intentionally by malicious actors or unintentionally by the SaaS company itself, can be disastrous for all parties involved.
Governments realize the risks the companies expose themselves by processing PII and have put guidelines in place for securing customer data. In the European Union, for example, the General Data Protection Regulation (GDPR) came into force in 2018. It outlines specific guidelines for managing user data securely and the penalties that will be imposed if an organization doesn’t comply. In California, the California Consumer Privacy Act (CCPA) of 2018 was enacted in order to give California residents more control over how businesses collect and process customers’ personal information. Its strict regulations are similar to those of the GDPR. In 2021, Virginia also followed suit with strict privacy laws by authorizing the Consumer Data Protection Act (CDPA) to take effect in 2023.
SaaS providers have to pay more attention to data protection and security than ever before, not only to protect their business and their users’ data, but also to avoid massive penalties for breaches that might have been prevented.
The number and scope of security breaches keeps growing year by year, and has greatly increased since the change to remote work. According to a 2022 study by the Identity Theft Resource Center, the number of data compromises in 2021 was 68% higher than in 2020 and “23 percent over the previous all-time high.” That’s staggering. An interesting point in their study is that the number of victims has actually decreased, allegedly as hackers focus more on trade secrets and specialized data.
In August of 2021, Microsoft Exchange email servers were exploited by hackers through security vulnerabilities. These vulnerabilities had not been property patched in the months that Microsoft had known about them, and Microsoft’s own customers weren’t properly informed as to the severity of these vulnerabilities. Separately, in the last couple of years, Microsoft’s Office 365 services have seen high numbers of spear phishing attacks to maliciously gain access to confidential information.
More recently, on March 18, 2022, Hubspot, a CRM tool used by companies to manage marketing and sales, was hacked via an employee account. In the same month, news also dropped that Okta, which provides cloud software to companies specifically for access management, had been hacked by a group as early as two months prior! Okta blamed the breach on a contracted company that provides customer support and was given access to Okta’s internal information.
What’s the best way to address communication security concerns
Recommendations for the best security practices are constantly being developed at the same time as hackers are improving their methods and cloud applications are becoming more prominent, such as the Center for Internet Security’s Controls v8 guidelines. Stringent security practices for customer communications, like notifications, are especially important because they’re an easy point of entry for hackers that exploit unaware users.
As a notification provider, we have put a lot of thought into security measures. Here, we share our top recommendations regarding best practices for general security controls.
Internal reviews and processes
Our first recommendation is to establish internal reviews and processes within the organization. This can be in the form of a security review checklist. Internal reviews should cover policies on password creation and multi-factor authentication, management of privileged access and general access controls, and new employee onboarding processes. More specifically, audit your employees’ access within the organization, limit that access to a need-to-know basis, and set up an approval workflow for any limited access to privileged accounts. Finally, ensure that your employees are using multi-factor authentication and creating strong passwords.
The security review checklist should also include evaluating the scope of the infrastructure such as networks, devices, and any other connections to third-party providers. As you assess, create incident response plans for issues or breaches, and use them to detect any possible vulnerabilities in your infrastructure. Make sure to test these incident response plans periodically to ensure they stay up to date.
These steps should be incorporated into your documentation as proof of process that they are actually being implemented. Having clear-cut documentation in place means that employees are more likely to follow through with your security protocol.
As you are compiling documentation and specific review processes for the above items, aim to define your privacy policies for the public as well. Before there is ever a breach, it might be helpful for your users to educate them on the data you collect and process and what that means for them.
Our second recommendation is to incorporate continuous monitoring of your infrastructure. Without monitoring, your response to a security breach can be too late. Monitoring not only enables your developer team to respond quickly if any issues or alerts arise, but might also offer insights into how you can improve your security controls overall. With SaaS applications combining several different providers or components, it is especially integral to be able to visualize the general health of your application. User access and behavior and administrative access and behavior should be monitored as both might be indicative of a breach in a SaaS application. Currently, there are many security monitoring providers on the market. At Courier, for example, we use Datadog to observe our application’s components.
Third, software automation can help streamline your security processes. If you need to allow temporary access to privileged accounts or information, approval workflows can be automated for efficiency. Collaboration controls can also be automated so that employees don’t share confidential information inadvertently. If you’re looking to certify your organization to data management compliance standards, like SOC2, ISO 270001 or GDPR, you can also opt for automated monitoring by service providers such as Vanta or Drata.
Our fourth recommendation, if you want to heavily fortify your security controls, is to have a third-party service audit your infrastructure and processes for any vulnerabilities. You can either hire a consultant or use application vulnerability scanners. Examples include Probely or Tenable. If you are looking to gain any compliance certifications, these security audits can offer a headstart by offering you proactive insights toward best practices.
Developing with security in mind
As the number of data breaches increases and security attacks become more sophisticated, it is absolutely essential to integrate the most up-to-date security practices into both your application and your company organization. It’s no longer possible to skimp on security controls to focus on growing your business, especially as strict laws and regulations are enacted all over the world that would impose tough penalties and fines on non-compliance.
As we have reviewed in this article, the risks of data breaches now include your company reputation, financial losses, and further damages like identity theft for your users. Your customer communications can be one of the key sources of vulnerabilities for attackers to exploit. The way forward for any SaaS provider is to put security first. At Courier, we always strive to maintain the top standard when it comes to protecting sensitive data.
To stay informed on upcoming content, subscribe below or follow us on Twitter at @trycourier!