Continuing on my new years resolution to share what I’ve learned and put those learnings into practice, I thought I’d dig into the subject of security. One of the things that I learned was that security is very important for everyone, but particularly for customers who are moving away from hosting their own infrastructure and entrusting their assets to a cloud provider. The learning is clear — but putting it into practice is the next step.
As it happens, a large number of features that we’ve rolled out over the past six months were, in fact, security related. This includes:
- Adding a maximum number of log-in attempts before the system times out.
- Two-Factor Authentication.
- Whitelisting API Keys allowed to inject messages.
- Implementing OAuth2 for Webhooks.
- Adding an option for Single Sign On (SSO) on SparkPost Elite accounts.
- Adding Roles-based access controls, more specifically a Reporting-Only role.
And those are just the customer-facing ones. We were looking at our overall cloud email security practices, even before hiring Steven Murray, our CISO. And he’s making changes — features, internal functionality, processes — to make sure security continues to be a high priority. For example, we’ve instituted intrusion detection to make sure we’re keeping our systems locked down.
The things we recommend our customers do to improve cloud email security when using SparkPost:
- Use strong passwords!
- Make sure every user enables Two-Factor Authentication when accessing the SparkPost account. This is the single biggest deterrent from attempts to hack into your account and it’s easy to do.
- Assign roles to your users. If all they’re doing is looking at reports, then making them a Reporting-Only user.
- Make sure to change the password on any shared accounts on a regular basis.
- Set up your engagement tracking domains as https (Elite accounts).
Looking ahead, we will be adding support for more Single Sign On identity providers, rotation of DKIM keys, and continually looking at how we store and access data without impacting performance.
What are your most pressing security concerns?