Free vs Enterprise Plans: Consider It

Before you buy a third-party solution, read this for some context on product security as you explore the available options and plans.

Teams are always looking to innovate in their pursuit of mission objectives and of making the company operate more efficiently. For companies whose tech stack runs almost entirely in the cloud, most of the solutions in the ecosystem are provided by a cloud service provider (CSP). The tools and technologies leveraged from CSPs enable the business to satisfy requirements of all kinds and sizes (e.g., business, product, security).

Some solutions are more critical than others, and some process or store more sensitive data than others. Regardless, product security features should always be weighed in the initial stages of exploring third-party solutions. Product security features are designed to mitigate the risk of unauthorized access to company or customer data and to enable centralized user management, which in turn supports effective license management and can reduce the overall cost to the business.

“Wait a minute, wouldn’t it be InfoSec’s role to perform security reviews of third parties?”

It most certainly is! However, that’s not quite what we’re talking about here. What IS being discussed is that product security features should be considered early, during solution exploration, to ensure that a candidate meets your company’s standard security requirements before anyone commits to it.

Product Security vs Information Security

David Wachtfogel, Principal Security Engineer of Strategic Regions at AWS, gives a pretty solid differentiation of how the two are defined in this article.

Product Security

Safeguarding an organization’s product from unauthorized access or modification to prevent harm to the organization or to the product’s users.

Information Security

Safeguarding an organization’s data from unauthorized access or modification to ensure its availability, confidentiality, and integrity.

Basic/Free Plans vs Enterprise Plans

Oftentimes, we may be tempted to use solutions that offer free or basic plans in the spirit of being “cost-effective.” Products with enterprise plans can be significantly more expensive but are often worth it for the additional features and benefits. Generally speaking, if you want to build world-class, enterprise-grade programs, enterprise plans should be seriously considered; for solutions that form part of your product’s service delivery, an enterprise plan will likely be required.

Free/Basic plans are typically not recommended for a few reasons, some of which are shown below:

  1. Customer support quality will likely be very limited in comparison to professional and/or enterprise plans.

  2. User licenses will likely be limited.

  3. APIs and custom connectors will often be unavailable.

  4. Product security features will be limited; SSO/SAML integration, SCIM provisioning, and audit logs are frequently gated behind enterprise tiers.

  5. Administrative activities such as setup and configuration may take more time due to nonexistent or limited support.

There are cases where free/basic plans are acceptable, such as pilots, demos, etc. For guidance on such cases, consult with your InfoSec partners to explore if they are right for you and your team.

Standard Product Security Requirements

No matter the product plan being considered, here are just a few of the hard and fast product security features to consider when exploring new technologies:

Single Sign-On (SSO) Integration

If the product integrates with your SSO mechanisms, this enables centralized user management. Unauthorized access, frequently through accounts that were never revoked, is one of the biggest risks to any organization and a leading cause of data breaches. For example, organizations that use Okta as their SSO provider are able to provision and de-provision access through automated workflows. If a particular system is not integrated with Okta, all user management there is manual, which increases the risk that someone leaves without being properly de-provisioned, allowing a terminated employee (someone who is no longer authorized to access corporate systems) to keep accessing the system in question. Two caveats apply: SSO alone only controls login, so confirm the product also supports automated de-provisioning (SCIM or the provider’s lifecycle hooks), and check for tool-local accounts, such as break-glass admins, that bypass SSO entirely.

Role-Based Access Controls (RBAC)

RBAC is a method of restricting access within a system based on the roles of individual users within an organization. It enables permissions to be granted on the principle of least privilege in a standardized manner. The objective of these permissions and access controls is to protect the confidentiality and integrity of data. RBAC is used in part to satisfy security and privacy requirements while also mitigating the risk of unauthorized access to data that is not necessary for fulfilling job duties. When evaluating a product, check that its roles are granular enough to separate administration from day-to-day use, that role assignment can be driven from IdP groups rather than set by hand, and that assignments can be exported for periodic access reviews.
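The offboarding and least-privilege gaps described in the SSO and RBAC sections above can be turned into a routine check. The following Python script is an added example, not code from the original post or from any vendor: it compares a third-party tool’s user export against the identity provider’s active users and flags orphaned accounts, tool-local (non-SSO) logins, admins who lack the IdP group that is supposed to grant that role, and stale accounts. The user records, group names, and field layout are constructed for the example and are assumptions, not any provider’s real API format.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: active users as an identity provider (e.g. Okta) would
# report them, with group memberships. The dict shape is an assumption for
# this example, not a real API response format.
IDP_ACTIVE_USERS = {
    "alice@example.com": {"groups": {"engineering", "tool-admins"}},
    "bob@example.com": {"groups": {"engineering"}},
    "carol@example.com": {"groups": {"finance"}},
}

# Constructed sample: the user export of a third-party tool. "sso" is whether
# the account authenticates through the IdP or with a tool-local password.
TOOL_USERS = [
    {"email": "alice@example.com", "role": "admin", "sso": True, "last_login": "2024-05-01T09:00:00Z"},
    {"email": "bob@example.com", "role": "admin", "sso": True, "last_login": "2024-05-02T09:00:00Z"},
    {"email": "carol@example.com", "role": "member", "sso": True, "last_login": "2024-04-30T09:00:00Z"},
    # Left the company; never de-provisioned in the tool.
    {"email": "dave@example.com", "role": "member", "sso": True, "last_login": "2024-01-10T09:00:00Z"},
    # Tool-local break-glass admin that bypasses SSO entirely.
    {"email": "root@example.com", "role": "admin", "sso": False, "last_login": "2023-11-01T09:00:00Z"},
]


@dataclass(frozen=True)
class Finding:
    email: str
    issue: str  # "orphaned", "local-auth", "over-privileged" or "stale"
    detail: str


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp format used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(idp_users, tool_users, admin_group="tool-admins", now=None, stale_days=90):
    """Compare a tool's user list with the IdP and return a list of Findings.

    Every check runs independently, so one account can produce several findings.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for user in tool_users:
        email = user["email"].lower()
        idp_entry = idp_users.get(email)
        groups = idp_entry["groups"] if idp_entry else set()

        # 1. Orphaned: the tool still knows a user the IdP no longer considers active.
        if idp_entry is None:
            findings.append(Finding(email, "orphaned", "not an active IdP user; revoke access"))

        # 2. Local auth: password login bypasses central MFA and de-provisioning.
        if not user["sso"]:
            findings.append(Finding(email, "local-auth", "tool-local credentials bypass SSO; migrate or disable"))

        # 3. Over-privileged: admin in the tool without the IdP group meant to grant it.
        if user["role"] == "admin" and admin_group not in groups:
            findings.append(Finding(email, "over-privileged", f"admin in tool but not in IdP group '{admin_group}'"))

        # 4. Stale: no login within stale_days; candidate for removal at access review.
        age_days = (now - parse_ts(user["last_login"])).days
        if age_days > stale_days:
            findings.append(Finding(email, "stale", f"last login {age_days} days ago"))
    return findings


def run_example(now="2024-05-03T00:00:00Z"):
    """Run the reconciliation over the constructed samples at a fixed 'now'."""
    return reconcile(IDP_ACTIVE_USERS, TOOL_USERS, now=parse_ts(now))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.email:22} {f.issue:16} {f.detail}")
```

In a real deployment the two inputs would come from the IdP’s user API and the tool’s user export (or its SCIM endpoint); the checks stay the same. The `local-auth` finding is the one most often missed, because a vendor’s “supports SSO” claim says nothing about whether password logins remain enabled alongside it.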

Multi-factor Authentication (MFA)

Multi-factor authentication (MFA) is a security control that requires multiple authentication factors from independent categories of credentials (something you know, have, or are) to verify a user's identity when logging in to a system. Organizations typically enforce MFA at the identity provider: users log into one place (e.g., an access dashboard) via SSO and then reach corporate resources and systems, so a single MFA policy covers every integrated application. As a note, while a solution may support MFA on its own, it is better to have SSO integration with your provider so that credentials and the MFA policy (including phishing-resistant methods such as FIDO2/WebAuthn) are centrally managed rather than configured per product.

Data Residency Options

It’s important to consider where in-scope data stored or processed by the solution will reside. For example, if a solution will be used for storing or processing data of customers based in the European Economic Area (EEA), then the solution will need to be hosted in a region inside the EEA (for an AWS-hosted vendor, an EU region, if the vendor offers one), which may mean that the in-scope data must be stored in the EEA under customer contractual requirements and privacy regulations. Ask the vendor where backups, logs, and support access originate as well, since residency commitments that cover only the primary database are easy to miss. This choice matters most if you expect the solution to be deployed worldwide and the in-scope data is considered sensitive.
