When you think about making your service reliable, what standards and benchmarks are most important? The availability of services? Consistently fast responses? Accurate data? Prioritizing critical and common use cases? These are all important and deserve some focus, but today we’ll put the spotlight on an often overlooked pillar: security.
Cybersecurity incidents can be the most devastating types of incident for your organization. They range from accidental leaks of sensitive data to full breaches of your system by a malicious actor. Even the mildest security incidents can have catastrophic ramifications:
- Violation of user agreements, leading to refunds, fines, or even lawsuits
- Extremely bad press – security incidents often make the news more than other types
- Loss of user trust, leading to churn, negative word of mouth, and slower user growth
- Major delay of planned work as preventing a recurring breach becomes priority #1
- Costs, time, and effort associated with re-certifying and clearing audits to reestablish security standards
The SEC recently published new rules mandating that registrants report on their security incidents and proactively publish their plans and processes to address and reduce security concerns. The SEC’s intent in requiring this is clear: they believe investors care about an organization’s security capabilities. They expect investors to try to find companies that are adept in security and avoid those that aren’t. They’re right to do so.
Let’s take a look at some security features and why they matter.
The first thing we’ll talk about isn’t a feature per se, but a collection of features that are required to meet various security standards, such as SOC 2, ISO 27002, or HITRUST CSF. These are sets of standards for security features and practices. Once your team adopts all of these features, you can be audited and verified by accredited third-party organizations. After clearing the audit, you’ll be able to display to your customers and prospects that you meet the standard.
Knowing where to begin focusing your security investments can be tough. Trying to meet one of these standards is a great way to start. It will reveal which areas are most lacking, giving you a prioritized to-do list. You can also feel confident that these standards are fairly comprehensive. They will cover small things that you may otherwise overlook, like policies around sharing Google Docs or two-factor authentication.
Not only does compliance provide a strong foundation for your security practice, it inspires confidence in prospects and customers that security is a priority. It allows you to convey that you’re investing time and effort to be secure without your audience needing to know any details about security features.
Role-based access controls
Now that you’ve built a secure foundation through compliance, let’s highlight some more specific features and their value. Role-based access control, or RBAC, is a way of standardizing and simplifying how different users and engineers access the system.
A standard best practice in security is limiting access to any given user or engineer to only what is absolutely necessary. This decreases the chances of error, improves data privacy, and mitigates the risk of compromised accounts.
RBAC aims to implement this practice in a consistent, simple manner. Rather than figure out the access needs of each individual, think about what is required for each job function or use case. Then build out roles that cover only those requirements. Once you have these established, managing access is as simple as assigning the correct roles to each individual.
Building an RBAC system is an investment that requires you to consider every use case in your system for engineers and users. However, you should think about this as an opportunity to carefully delineate what each role will need access to do. You may find cases where systems can be redesigned to achieve the same results with less access, making a more secure and reliable system. Once you’ve invested in RBAC, updating permissions and onboarding new users is easier than managing access individually. Ultimately it is an investment that will save you time.
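To make the idea concrete, here is a small added example (not code from the original post or from Blameless) of an RBAC model built the way the section describes: each role lists only the permissions its job function needs, users receive the union of their roles' permissions, and every check denies by default. The role names, permission pairs, and the helper for spotting unused permissions are constructed for illustration.

```python
# Added example: minimal role-based access control with deny-by-default checks.
# Role and permission names below are constructed for illustration only.
from dataclasses import dataclass, field

# Each role grants only the (action, resource type) pairs that job function needs.
ROLES = {
    "support_agent": {("read", "ticket"), ("comment", "ticket")},
    "billing_analyst": {("read", "invoice"), ("export", "invoice")},
    "incident_commander": {("read", "ticket"), ("update", "ticket"), ("page", "oncall")},
    "platform_admin": {("read", "ticket"), ("update", "ticket"), ("delete", "ticket"),
                       ("read", "invoice"), ("manage", "role")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def permissions_for(user: User) -> set:
    """Union of the permissions of every role the user holds; unknown roles grant nothing."""
    return set().union(*(ROLES.get(role, set()) for role in user.roles))


def is_allowed(user: User, action: str, resource_type: str) -> bool:
    """Deny by default: allowed only if some assigned role grants this exact pair."""
    return (action, resource_type) in permissions_for(user)


def assign_role(user: User, role: str, granted_by: User) -> bool:
    """Role assignment is itself a permission: only a role manager may grant roles."""
    if role not in ROLES or not is_allowed(granted_by, "manage", "role"):
        return False
    user.roles.add(role)
    return True


def excess_permissions(user: User, used: set) -> set:
    """Permissions held but not exercised: candidates for trimming a role further."""
    return permissions_for(user) - used


if __name__ == "__main__":
    alice = User("alice", {"support_agent"})
    admin = User("root", {"platform_admin"})
    print(is_allowed(alice, "delete", "ticket"))      # False: not in her role
    print(assign_role(alice, "platform_admin", alice))  # False: cannot self-escalate
```

Feeding `excess_permissions` with the actions actually observed in audit logs is one way to find roles that were built wider than the job function requires.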
Multiple instance support
Another major feature you can invest in is the capability to deploy multiple unique and distinct instances of your service to each of your customers. In B2B contexts, this allows an organization that uses your service to use different instances, with different settings and workflows, for different teams. In B2C contexts, this allows users to have complete separation of one use case from another.
In either case, this flexibility allows for heightened security. It allows users performing tasks that involve especially sensitive data to use an instance of your service that’s entirely locked down outside of those tasks. Then, when doing less sensitive tasks, they can switch to a more expansive instance that includes integrations.
Again, building this capability is an investment, but also an opportunity. Making your service as flexible and modular as possible, able to be deployed in many different configurations for different functions with variable levels of overlap, empowers you to enhance and evolve it more dynamically.
How Blameless guides the way
Blameless can help you on your path to trustworthy, confidence-building security. Our own security features are best in the market, making sure your integration doesn’t introduce additional risks. We also help you contain, control, and mitigate any security incidents that happen to occur. Check out a demo to learn more.