At Detexian, we often get asked “What is a good baseline SaaS Security Policy?”. This is a question we’re always happy to answer. In fact, helping people with this is one of the reasons we exist!
We recommend the following minimum security baseline be applied to every SaaS application holding business critical or customer sensitive data:
- Require MFA for Non-Privileged Accounts: MFA has been shown to block phishing and account compromise attacks by 99.9%;
- Identify and monitor Guest / External Accounts: Every 6 months all external and guest access should be checked, reviewed and removed if no longer needed;
- Identify and monitor Privileged Users: Knowing who the privileged users are in each of your SaaS solutions is a critical baseline policy; without knowing who they are and when they last logged in, you will never be able to see when that set of users changes;
- Require MFA for Privileged Accounts: As privileged users can change configuration and user accounts, and can destroy or export data, it is critical that their accounts are protected from compromise or takeover with MFA.
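As an added example (not Detexian's code or tooling), here is a small Python checker that applies the four baseline rules above to a constructed, vendor-neutral user export. The `SaasUser` field names, the 182-day review window and the sample accounts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review cadence taken from the baseline: guest / external access is re-checked every 6 months.
REVIEW_INTERVAL = timedelta(days=182)


@dataclass
class SaasUser:
    """One row of a SaaS user export (hypothetical, vendor-neutral shape)."""
    email: str
    privileged: bool
    guest: bool                           # external or guest account
    mfa_enabled: bool
    last_login: Optional[date]
    last_reviewed: Optional[date] = None  # last time this guest's access was reviewed


def baseline_findings(users, today):
    """Return (email, finding) pairs for each user that breaks the baseline policy."""
    findings = []
    for u in users:
        if not u.mfa_enabled:  # MFA is required for privileged and non-privileged accounts alike
            scope = "privileged" if u.privileged else "non-privileged"
            findings.append((u.email, f"MFA not enforced on {scope} account"))
        if u.guest:
            if u.last_reviewed is None or today - u.last_reviewed > REVIEW_INTERVAL:
                findings.append((u.email, "guest access not reviewed in the last 6 months"))
            if u.last_login is None or today - u.last_login > REVIEW_INTERVAL:
                findings.append((u.email, "guest account unused for 6 months; candidate for removal"))
    return findings


def privileged_inventory(users):
    """List privileged users with their last login so changes to the set are visible over time."""
    return sorted((u.email, u.last_login) for u in users if u.privileged)


# Constructed sample export, not real tenant data.
TODAY = date(2024, 6, 30)
SAMPLE_USERS = [
    SaasUser("admin@example.com", True, False, True, date(2024, 6, 28)),
    SaasUser("breakglass@example.com", True, False, False, date(2023, 11, 2)),
    SaasUser("alice@example.com", False, False, True, date(2024, 6, 29)),
    SaasUser("bob@example.com", False, False, False, date(2024, 6, 1)),
    SaasUser("contractor@partner.example", False, True, True, date(2024, 1, 5), date(2024, 5, 1)),
    SaasUser("oldvendor@partner.example", False, True, True, date(2023, 10, 1), date(2023, 9, 15)),
]

if __name__ == "__main__":
    for email, finding in baseline_findings(SAMPLE_USERS, TODAY):
        print(f"{email}: {finding}")
    print("privileged:", privileged_inventory(SAMPLE_USERS))
```

Run against a real export, the findings list is the work queue for the six-monthly review, and the privileged inventory is what you diff between reviews.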