Elba and Forest Admin - SaaS security best practices

Do you know who has access to your data? If yes, are you entirely sure that you can trust these people?

Elba does not simply discuss security, it is embedded into its culture and is an integral part of how they operate – its main mission is to secure modern businesses. Although security isn't Forest Admin’s core business like it is with Elba, it surely is at the heart of their solution. 

Elba and Forest Admin decided to sit down and exchange on various aspects of SaaS security – how to improve it and the main pain points both company faces on the daily to ensure that their customer can sleep soundly. 

Partitioning your data is key

That word surely is a mouthful, but it pales in comparison to the headache you’d suffer if your organization does not use the right tools to ensure the integrity of your users’ data. 

Forest Admin considers it a must and – through its Team and Roles features – gives the possibility to massive organizations to clearly compartmentalize operations so that everyone’s mission is efficiently scoped. 

A manager probably does not want one of the company’s new-comers to have access to sensitive information like invoices or transaction details. Likewise, a company hiring freelancers for punctual missions will most likely want to integrate these freelancers in operations to facilitate collaboration, but with strict limits as to what they are able to have access to.

While criminal hacking is often viewed as the most dangerous threat, most security leaders are more concerned about inadvertent and negligent data breaches than malicious ones.

Most employees are not malicious threats or “out to get” their companies. Many data leaks occur as a result of employees who lose sensitive data in public, provide open Internet access to data, or fail to restrict access per organizational policies

These are considerations that both Elba and Forest Admin customers have everyday, and pain points that we take seriously so as to provide an adequate solution. 

This is also why we decided to sit down and exchange on these topics, so that we can educate those interested in the matter. 

Security is more than a checklist

If you think that you’re able to secure your company by only building a checklist consisting of, let say, 2FA authentication and enforcing password policies – it’s a good start but far from enough.

Forest Admin puts in a lot of efforts to work closely with its customers – many of them in Fintech and handling sensitive information – to demonstrate not only the potential of the solution but also how secure it is.

Elba, on the other hand, helps you secure your SaaS stack by building a modern security hub. 

They are currently able to integrate with Google Workspace, Github and Slack, and are working relentlessly to expand its integration to multiple SaaS like Notion, Hubspot or Salesforce.

Collaboration is a blind spot for IT teams

We mentioned interns earlier on, but have you heard the tale about that one intern who had more access rights than the company executive? 

Well, it’s not as far-fetched as it seems.

While most organizations have policies in place for assigning new access rights, they tend to neglect the fact that these rights need to be revoked once they have become obsolete. Not only are excess permissions risky from a cybersecurity perspective, they can also violate compliance regulations.

Elba experts recommend performing company access reviews every two months and reviewing key document access every four weeks.

Modern teams rely heavily on collaboration apps – such as Slack or Google Suite – to drive business enablement. These apps have entered a new era: design teams share wireframes on Figma, product-review them on Loom, GTM teams brainstorm on Miro, and all teams gather this information on Notion.

To be functional, all these apps need to be granted permission to access your users and company data, from drive files to calendars, Gmail inboxes, Github repos etc. 

All too often though, these accesses are given without a second thought.

All company data is constantly being exchanged by internal and external users, and it’s here to stay. This is undoubtedly a blind spot for security teams, which too often are constituted only by the CTO – or an IT manager for most startups. 

As a consequence, they fail to have a global view of all data shared. 

It’s very hard to assess the potential risk of an app and its associated permissions, let alone 100 of them. They simply don’t have the business context to assess if the sharing is risky or not – it is way too time-consuming to solve this problem at scale.

Building a security culture

If you are wondering how many documents are shared outside of your organization, what kind are these, who sees them and – shortly put – how vulnerable your organization is, don’t wait to find out.

The key to security is to stay ahead. Regardless of whom you decide to talk to, make sure that you are proactive on these issues. Talk to the right people who make security their daily bread, and be sure that you are using the right back-office tools that enable your organization to strictly limit what people can see and share. 

––––––

Elba is the modern security HUB for modern teams. With their plug-and-play solution, they can detect security issues and guide end-users on how to fix them. Among their customers are Brut.media, Resilience and Matera. Get in touch with them here. 

Forest Admin is the perfect tool if you wish to better organize your Teams and allocate roles to ensure you control who sees what, according to the relevance of their mission. Among their customers are Qonto, CoachHub, Heetch and Slite. Get in touch with them here.