The most secure building is the one with no windows or doors. But, while that building may be very secure, it's probably not helpful unless the point is to house something until the end of time.
Security is a big part of doing SaaS integrations well. And it takes work. The challenge of B2B SaaS integrations is that they come with security vulnerabilities baked in. After all, to pass data from your SaaS app to your customers' SaaS apps, we need to have at least one window or door, as it were, in each system.
Why integration security is important
Data drives most businesses and is a big part of what gives one company a competitive advantage over another. And as an increasing number of companies integrate their SaaS apps, securing that data becomes essential to protecting those companies' present and future operations.
A single data breach can have a massive negative impact on a company. IBM notes that the average cost of a single data breach today in the United States is $9.44 million. And that doesn't factor in the long-tail costs to brand and reputation.
In addition to the direct and reputation costs of a data breach, there are compliance costs. Having and reporting a data breach can open your company to specific liabilities. Based on where the breach occurred and how serious the breach was, your company may be the subject of investigations under GDPR, CCPA, or another privacy or security regulation.
Integration security doesn't just happen
Integration security isn't just important for your company; it is critical. And it's vital for every one of your customers for whom you are building B2B SaaS integrations. Based on what we've learned in assisting our customers with their integration security concerns, here are six items for your integration security checklist as you plan, build, or update your B2B SaaS integrations and integration ecosystem.
1. Start with good authentication
Authentication (auth) is the starting point for integration security. As a rule, because there are always better options, you'll want to avoid basic auth for any B2B SaaS integrations.
At a minimum, you'll want to use API keys. When doing so, you'll want to set up unique API keys (and the corresponding scope) for each company or user accessing your SaaS integration. Never use a single API key and scope for multiple companies or end-users. Doing so increases the probability that someone will inadvertently gain access to data that is not theirs or that the credentials will be abused in ignorance or on purpose.
But the better approach would be to use OAuth 2.0. In this scenario, each company that connects to your app via an integration should use unique OAuth 2.0 credentials. And, if individual users at a company are connecting as themselves, they should also use unique OAuth 2.0 credentials.
2. Validate all inputs
API documentation should define acceptable inputs, but the integration itself should enforce those rules.
Credentials and other integration config options should have built-in data validation to ensure that any message metadata follows defined patterns. And the integration data itself should match specified schemas or patterns. Otherwise, the integration should fail to process the data.
3. Keep credentials separate from source code and data
When integrating multiple systems, you should have multiple sets of credentials or API keys to manage. You'll want to ensure that you use good vaults with proper access management to ensure that these remain secure. You should never include credentials in the source code for the integration.
At the same time, keep credentials separate from the integration data itself. The standard way to maintain this separation is to pass any encrypted keys via message headers rather than in the message body.
4. Connect with trusted systems only
You should only connect with trusted systems, and your customers should only connect with trusted systems. Your integration should access your customer's data through a verified app owned by your organization. That app should define the organization, including branding, privacy policies, support contacts, data usage contacts, and more.
Don't use unsigned or unverified third-party apps as part of your integration ecosystem. Customers connecting with your app should be assured that it's your app and not someone else's.
As part of this, your integrations shouldn't be requesting third-party services from a front-end app (UI). Instead, your integration should be run with a back-end app that connects systems via APIs or another means.
5. Be a privilege miser
Even when you've ensured that individual companies or users have unique credentials, you'll still want to ensure that you are providing the integration (and anything that's part of it, including the API) with only the needed access. We see privilege bloat on mobile apps where a notes app says that it "needs" access to absolutely everything else we've stored on the device.
In contrast, integrations should follow the principle of least privilege – giving the integration (and, by extension, an API or user) the minimum level of access necessary for the integration to run successfully. For example, if you have a Slack integration that posts messages to a single channel, it doesn't need access to read users' private messages. You can always add more privileges, but it's small comfort to restrict them after a security breach.
6. Log and monitor everything except the customer's data
Many attempted data breaches fail. And that's a good thing. They fail for different reasons, but one common reason is that a system is being actively monitored, and unusual or unexpected access attempts are noticed before something bad happens.
Logging can help after the fact (whether or not a malicious access attempt is successful). However, you'll want to be sure that you are only logging metadata about integrations and their executions and not any customer data passing through the integrations.
Conclusion
Once you have your integrations set up and you've determined that everything is as secure as possible, you've made a good start. Regular audits (integration security assessments) are also a must, as are security best practices for new integration developers and DevOps to ensure that ignorance doesn't bypass your SaaS integration security safeguards.
Contact us or schedule a demo if you want to see how Prismatic's embedded integration platform (embedded iPaaS) can help mitigate security risks for your B2B SaaS integrations.