Your practical guide to SaaS security

The average SMB uses more than 100 SaaS products, often leading to SaaS chaos and security exposure.

While SaaS can help you do your job more efficiently, it can also introduce security concerns if not properly locked down.

In this guide, we’ll share best practices for building a realistic and usable SaaS security stack that’s focused on how modern organizations conduct business.

We focus on SMBs as very small businesses may not be ready or need to implement some of these access controls. On the other end of the spectrum, enterprises will find many of these recommendations appropriate but may need to take things a few steps further to fully mitigate risk.

Additionally, it’s worth noting that this guide is focused on organizations who use Google Suite. It won’t be as relevant if you operate in Office365. It’s also focused more on the security of SaaS operations (versus securing your core network or production servers).

SaaS security

SaaS security is all about establishing safe and secure practices for your SaaS applications. This involves securing user and organization data as well as any customer data located in the applications.

Since most SaaS environments live in the public cloud (versus on-premises), they are subject to more potential data security risks and data breaches, making SaaS security a priority for all organizations.

Security starts with people

When it comes to security, your people can be your best defense line or your weakest link.

It’s best practice to build your security requirements and procedures around your team, such as taking the time to understand what’s intuitive and user-friendly and thus most likely to be followed.

Generally speaking, we believe that you should rely more on systems, guardrails, and tools over user actions and training. In other words, take human error out of the equation whenever possible and make security a shared responsibility.

Many organizations tackle security on an as-it-comes basis. This is dangerous as it often means you aren’t thinking about security until something bad happens. Both ad hoc or absent security policies can open you up to a whole world of vulnerabilities.

On the other side of the spectrum, some organizations employ arcane security practices (like forcing users to change their passwords at regular intervals for no real reason) that are not user-friendly and are often skirted by employees.

The SaaS security spectrum

The spectrum of software as a service security and access helps you understand where your organization falls today.

As you can see above, most organizations start off with no policies or systems. In this situation, the onus is on each employee to manage their own security and potential security breaches, which means they will typically re-use passwords, share them via insecure spreadsheets, or create other systems that work for them — but not for the company.

The best case is to use a single access point to unlock access to company applications across all software categories and to create an easy centralized point to enforce human-friendly security policies.

The rest of this guide helps get you from wherever you may be on the spectrum to a blissful state of secure SaaS usage.

The foundation: configuring G Suite for security

If you are using G Suite for your business, you already have quite a few security tools and configuration options at your disposal.

However, these are no good to you unless they are thoughtfully implemented and automatically enforced — recalling our concept of people-first security.

Here are the areas you should be looking at securing when it comes to your G Suite applications.

1. Multi-factor authentication

The single best thing you can do to improve your organization’s cloud security is to turn on and enforce multi-factor authentication (MFA), especially your primary email and collaboration platform. This greatly reduces the harm that an attacker can do with stolen credentials.

While this may seem like a no-brainer, data shows that the average company only has 37% of their employees using multi-factor authentication on their main G Suite account.

This number gets even worse for smaller and early-stage companies, where just 22% of employees at companies with less than 50 people have multi-factor authentication enabled.

Another benefit of implementing strong Google-based authentication is that many SaaS providers and products are increasingly supporting Google Single Sign-on, which means that if you enforce MFA for Google, you’ll automatically get those benefits for all apps that use Google SSO.

2. Chrome settings

The Chrome administrator for your organization can set up policies that dictate how employees use their Google accounts on Chrome devices, Android devices, and the Chrome browser.

Since these policies are implemented at the account level, they will apply no matter what device the user signs in from. (However, do note that the policies won’t apply to users who sign in as guests or use a Google account from outside the organization.)

Because these settings can be applied across several devices and the Chrome browser, they are a good way to enforce cybersecurity without a ton of extra effort from your users or your IT team.

To implement these settings, you’ll first need to turn on Chrome management. Then you can set up user policies, which can be divided up by team to help you apply certain policies to specific groups of users. Policies can include enrollment controls, apps and extensions allowed or required, Chrome web store permissions, Android applications, and a wide range of other security measures. View the complete list here.

3. Team Drives

G Suite Team Drives are shared spaces for teams to store and access their files. This feature is included in the Business and Enterprise versions of G Suite. Files in Team Drives belong to the entire team rather than individuals.

This makes life easier if someone leaves your team because there is no need to transfer document ownership or reset permissions. The files stay put regardless of any individual’s status, so employees can get work done without interruption. Team Drives is available on several tiers of G Suite, and you can learn more about it here.

There is also a security benefit to using Team Drives. When you add new members, you can decide whether you want to give them full access to upload, edit, and delete files or whether you want to restrict them to certain activities at the user level.

It’s easy to add members, set and change member permissions, and remove members as needed.

4. SaaS security monitoring

You can’t say your organization is secure unless you know what SaaS solutions everyone in the organization is using and can say that they are employing security best practices.

With SaaS security monitoring, you can access an always up-to-date list of the SaaS vendors and cloud applications in use subscriptions across your company—including “shadow” and unsanctioned applications.

You can view full adoption trends for your whole organization, including details by department and products. SaaS security monitoring allows you to easily audit what permissions users in your organization are giving to which applications and get updates on all new additions or misconfigurations.

This is a crucial layer of security for your SaaS stack. The ability to manage employee access to your required SaaS apps by department, and to consolidate licenses, will give you unprecedented visibility into your SaaS stack.

5. SaaS access and password management

Today’s IT world is centered on SaaS. This means it’s critical to enforce secure access to all of your SaaS applications. You can’t risk having ad hoc policies around how employees access SaaS applications, which unfortunately tends to be the status quo.

When companies don’t have policies (or have policies that are hard to comply with), employees tend to either store passwords in an unsecured file or reuse the same password across multiple applications.

A 2020 Verizon study found that 80% of confirmed data breaches leveraged weak, default, or stolen passwords. If you don’t want your organization to be the next victim, it’s time to tighten up your controls.

Unfortunately, your browser’s built-in password management feature isn’t secure enough. There have been several successful attacks against browser-based password storage, so we don’t recommend that you or your employees use these features. You can and probably should turn off the ability for people in your organization to use Chrome’s password manager, which you can do in the Chrome settings.

Our recommendation is to use TeamsID, which offers various password management security solutions for organizations large and small. In our view, the best feature of TeamsID is its ability to link to Google’s SSO. This means that employees don’t have to remember yet another password, and instead, you can enforce strong passwords and multi-factor authentication on G Suite, which will unlock your shared passwords in TeamsID.

Beyond that, TeamsID has all the key features you’ll need in a team password platform, including the ability to have “secret” passwords that can be filled in but not seen, browser extensions, native applications for many platforms, easy team management and sharing, and more.

We use TeamsID internally and have been very happy with it.

An excellent alternative is LastPass, which has many of the same features. However, it doesn’t have the Google SSO option. It also has some additional configuration challenges and is not quite as easy to use for team sharing. For example, the onboarding process requires you to set up a temporary password via email, which is not ideal. LastPass does, however, have a few additional workflows and security features (e.g., robust API access and SAML configuration) available to some of the enterprise tiers, which might be valuable depending on your business’s needs. 1Password is another great password management option, and if you're interested in moving between password managers see our guide on migrating from LastPass to 1Password.

Either of these options is far better than simply letting your users reuse their passwords across several services, opening you up to credential attacks on a large scale.

6. Identity and access management

As you build out your IT team and scale beyond 100-200 employees, start thinking about deploying a unified identity and access management (IAM) solution. This can both streamline the end user’s experience and protect the entire organization from security issues. IAM solutions work by authenticating a user once and then unlocking all apps for them (rather than users having to sign into each app individually).

IAM offerings are a bit like Google Single-Sign-On on steroids, offering many more configuration options and deeper integrations. For smaller organizations, this might be overkill, especially if you won’t be able to or need to leverage features like Active Directory sync (smaller, newer companies might not even have this) and SAML integration (typically only available on more expensive, enterprise-level SaaS pricing tiers). But if you are a larger or more advanced organization, it may very well be worth investing in IAM.

Some of the key players in the IAM market today include Okta, OneLogin, and Ping.

We recommend Okta for most organizations with more than 150 employees. Okta’s single sign-on product claims to make it 50% faster for users to sign in to applications, as well as reducing IT help desk requests by half. This makes life easier for the folks on your IT and operations teams while meeting “security efficacy” goals. Okta also has real-time security reporting built-in, so you can be alerted anytime something suspicious occurs, affording peace of mind.

SaaS security: putting your stack together

In summary, these are our overall recommendations for boosting the security of your team’s SaaS operations.

For most businesses, here is what we recommend:

• Put people at the center of your security policies.
• Use G Suite Business or Enterprise for overall operations and employ available security configurations.
• Enforce two-step verification on G Suite.
• Leverage Google SSO where possible, and use TeamsID (via Google SSO) to manage shared passwords for products that don’t support Google SSO.
• Deploy SaaS monitoring to keep a close eye on all applications in one convenient dashboard.
• For Enterprise, use an IAM like Okta to manage identity and access.

We hope these security guidelines will help your organization meet the goal of improving SaaS and cloud security by employing practices and standards that are both attainable and effective at protecting you against a variety of risks and threats to your sensitive data.

The best strategy is the one that can be implemented and maintained, so work to improve your security over time by implementing the best practices outlined in this guide.

‍