Security is different in the cloud. Your attack surface is bigger.
There are a number of ways that Software-as-a-Service solutions differ from locally installed technology, but there is no greater point of divergence than security. Locally installed software has one huge advantage over SaaS: attackers have to find a way into your network to attack local solutions. With SaaS, every web browser is a potential point of entry, which means the possibility of a security breach is significantly greater.
With a security breach comes the possibility of data loss. No matter how sophisticated your cloud vendor’s hardware redundancy is, backup drives can’t protect you from a hacker instructing the system to delete or corrupt data. Below, we outline three simple tactics for securing your attack surface and reducing the possibility of data loss due to a breach in your SaaS security.
Passphrases, Not Passwords
Hackers probably already know your password. First, the 10 most common passwords haven’t changed much over the last decade—123456 and password are perennial favorites—though fewer users employ them. Second, users are notorious for employing the same password for multiple apps, websites and services. While Amazon, Google or Netflix probably won’t lose your password, that janky new iOS app may accidentally expose your favorite password, and now all your accounts are at risk.
Hackers take stolen password files and write programs that attempt those passwords on a number of major sites—credit cards, banks, Amazon and Google, all of which grant access to money or, more dangerous still, your identity. These same programs try variations on the stolen passwords (and on the most common passwords). Longer passwords take more time to vary, and more varied passwords take more time to guess.
That’s why security experts recommend passphrases, not passwords. A random string of letters, numbers and symbols is hard to remember. That’s why, even when a service makes you include letters, numbers and symbols in your password, rarely does anyone choose a password longer than the minimum length of typically seven to eight characters. Hacking programs can chew through those 100 million combinations in a relatively short amount of time.
A passphrase like “my mom prefers coke to pepsi” or “tyrion is the best lannister” has 28 characters, a length that allows 10 octillion possible combinations—that’s 10 billion billion billion possible passphrases. In short, passphrases are easier to remember than good passwords, and they are harder for hackers to guess programmatically.
Passphrases are your first, best defense against security breaches.
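The post's two recommendations for this section are to favor length over forced symbol mixing and to keep users off the common-password list that guessing programs try first, including the variations those programs generate. The following is an added example (not code from the original post) of a server-side policy check that does exactly that. The common-password set is a constructed stand-in for a real breached-password list, and the 16-character minimum is an assumed policy value; the post's own sample passphrases are 28 characters.

```python
import re

# Constructed sample of the "most common passwords" list the post mentions;
# a real deployment would load a large breached-password list instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "welcome"}

# Symbol-for-letter substitutions that guessing programs undo automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

MIN_PASSPHRASE_LENGTH = 16   # assumed policy value, not taken from the post


def variants(candidate: str) -> set[str]:
    """Forms a guessing program would try: lower case, trailing symbols and
    digits dropped, leet substitutions undone."""
    lowered = candidate.lower()
    forms = {lowered}
    no_symbols = re.sub(r"[\W_]+$", "", lowered)       # "password!!"  -> "password"
    forms.add(no_symbols)
    forms.add(re.sub(r"\d+$", "", no_symbols))         # "password123" -> "password"
    forms |= {f.translate(LEET) for f in list(forms)}  # "p@ssw0rd"    -> "password"
    forms.discard("")
    return forms


def check_passphrase(candidate: str, min_length: int = MIN_PASSPHRASE_LENGTH) -> tuple[bool, str]:
    """Return (accepted, reason). Reject anything that is a variant of a common
    password, then enforce length; no character-class rules are imposed."""
    hits = variants(candidate) & COMMON_PASSWORDS
    if hits:
        return False, f"variant of common password {sorted(hits)[0]!r}"
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for sample in ["P@ssw0rd1!", "123456", "Tr0ub4dor&3", "my mom prefers coke to pepsi"]:
        accepted, reason = check_passphrase(sample)
        print(f"{sample!r:34} {'accepted' if accepted else 'rejected'}: {reason}")
```

Note that "P@ssw0rd1!" satisfies a typical letters-numbers-symbols rule yet is rejected here, because after the variations are undone it is simply "password"; the plain 28-character phrase passes on length alone.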
Employ Two-factor Authentication
Many SaaS solutions offer a two-factor authentication option, which combines a password (or passphrase) with some other form of user identification. Thus, if a password is stolen, a hacker still doesn’t have all the information necessary to access a SaaS account.
Banks have used two-factor authentication at ATMs for decades. It’s not enough to steal a debit card; a hacker also needs your PIN to use the card—and simply stealing your wallet won’t confer the latter to a thief. Google employs a smartphone app called Authenticator to enforce two-factor access to user accounts. A Google user must enter both a password and a constantly changing six-digit code generated by Authenticator to access a Google account protected by two-factor security. Thus, a hacker may steal or guess a password, but unless they also steal the user’s smartphone, the password is useless.
Two-factor authentication doubles down on access security for your SaaS applications.
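The "constantly changing six-digit code" described above is a time-based one-time password (TOTP, RFC 6238), which is HOTP (RFC 4226) with the counter derived from the current 30-second time step. The following is an added example, not the post's or Google's code, of how the verifying service computes and checks such a code. The secret is the ASCII test key from the RFC test vectors (constructed for the demo; a real service generates a random secret per user at enrolment), and the one-step clock-drift window and replay check are assumed design choices.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the ASCII key used in RFC 4226 / RFC 6238 test vectors.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int = -1,
                step: int = TIME_STEP, digits: int = DIGITS, window: int = 1):
    """Return the time-step counter the code matched, or None if it is invalid.

    window:       steps of clock drift tolerated on either side of now.
    last_counter: highest counter already accepted for this user; codes at or
                  below it are refused, so a code seen once cannot be replayed
                  within the window.
    """
    current = int(unix_time) // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    now = 59                                  # RFC 6238 test time
    code = totp(DEMO_SECRET, now)             # "287082"
    print("code:", code)
    print("accepted at counter:", verify_totp(DEMO_SECRET, code, now))
    print("replay refused:", verify_totp(DEMO_SECRET, code, now, last_counter=1))
```

The service stores the matched counter after a successful login and passes it back as last_counter next time; that is what stops someone who shoulder-surfs a code from reusing it during the same 30-second step.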
Back Up Cloud to Cloud
For a large enough pool of users and a long enough span of time, neither passphrases nor two-factor authentication can keep your data safe indefinitely. Eventually, one of your users is going to write their passphrase on a Post-It note and leave it stuck to their monitor for all the world to see, or leave their unlocked smartphone at a coffee shop where anyone can pick it up.
When that day comes, your best defense is a cloud-to-cloud backup of your SaaS data. An independent, third-party backup of your SaaS application data means that an intruder can’t access every copy of your irreplaceable business information. Backing up to a cloud data store means that second copy of your information enjoys all the hardware redundancies and failover protections that enticed you to move your primary data to the cloud in the first place.
While a cloud-to-cloud backup and recovery system can’t prevent data loss due to a security breach, it can undo the damage with speed and ease. Cloud-to-cloud backup is an insurance policy for your SaaS data.
Now that’s a secure backup plan.