Harden Your 6sense Organization


At 6sense, we are committed to the security and privacy of your data. The 6sense SaaS platform has many security and privacy features that can be used by 6sense Customer Administrators to harden your 6sense Org. Here, we’ve highlighted a few hardening best practices from 6sense’s own Security team.

6sense Platform Basic Security & Privacy Best Practices

Access Control

  • Recommendation 1: Configure Single Sign-On (SSO). Activating the SAML integration on the 6sense platform forces all users in your organization to use SAML SSO. Once SAML SSO is set up, they will not be able to use password-based logins. Learn more here.

  • Recommendation 2: For customers using non-SSO, define an internal password standard that incorporates 6sense Platform Password Requirements as the minimum, and ensure your employees are trained in password creation and handling best practices. Learn more here.

    • Recommendation 2a: For customers using non-SSO, users should monitor their email for login notifications. 6sense sends users a notification when a login to their ABM account occurs from a new location. With this email notification, users can view notifications even when they are not actively using the ABM platform. The user should formally approve this new location, via the link provided in the email, for 6sense to add it to the safe-list of locations for the user.

  • Recommendation 3: Manage your users by assigning roles following the principle of least privilege (RBAC) and limiting the number of administrators. Once access is provisioned, periodically review and update user access to ensure appropriate assignment based on employment status and business need.

  • Recommendation 4: Familiarize yourself with the feature that enables you to provide Just-in-Time (JIT) access to 6sense employees, as and when needed, to your 6sense Organization for troubleshooting or maintenance. For details, please refer to the 6sense Team Access section in our article on User Management (RBAC).

System Notifications

  • Recommendation 4: Set system notifications for:

    • Expiring credentials, if not using SSO.

    • Daily API limits of your integration being reached.

    • When there are web visit data issues:

      • Manage Recipients for System Notifications: If there are people, besides the primary administrator (default), who should automatically receive all notification emails for your 6sense Org, add them to the list of recipients.

      • 6sense system notifications are sent from [email protected]. Add this email address to your company’s approved list of email senders (sometimes called the safe list or allow list).

      • Monitor your weekly privacy notifications to comply with privacy opt-out requests.

API Tokens

  • Recommendation 5: Follow API best practices:

    • Give your API Token an appropriate name to help you track where it is being used. This can be the same as the integration for which the token is used.

    • Do not assign the same API Token to more than one integration, unless necessary.

    • Rotate your API tokens every 90 days (create a new token, apply, then deactivate the old token).

    • Migrate any “default_existing_token”.

    • Deactivate tokens that are not in use and delete tokens that you don’t plan to use anymore. Before deleting a token, if you need the token-related historical match rates and usage graph, save a copy.

    • The API Token settings (Score and Segments Settings) are secure by default (they do not return detailed information). Adjust these settings as required to fetch the information that is necessary for your use cases.

    • For Enrichment APIs as mentioned in our API docs, please ensure that the API token is never exposed on any public domain. These APIs are designed for server-to-server communication.

  • Recommendation 6: Create a Domain Allowlist for the Company Identification (CI) API.

    • Create an allowlist of domains to restrict usage of the CI API token(s) to those domains only. For more details, see How to Create an API Token.
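
The token hygiene rules in Recommendation 5 can be checked periodically against your own inventory of tokens. The following is an added example, not 6sense code: the inventory format, its field names, and the sample entries are assumptions constructed for illustration, and it does not call any 6sense API.

```python
from datetime import date

MAX_AGE_DAYS = 90  # rotation interval stated in Recommendation 5


def audit_tokens(tokens, today):
    """Return {token name: [findings]} for tokens that break a Recommendation 5 rule.

    Each token is a dict with assumed keys: name, created (date),
    active (bool), integrations (list of integration names using it).
    """
    report = {}
    for tok in tokens:
        findings = []
        age = (today - tok["created"]).days
        if tok["active"] and age > MAX_AGE_DAYS:
            findings.append(f"rotate: {age} days old")
        if tok["name"] == "default_existing_token":
            findings.append("migrate: default_existing_token")
        if len(tok["integrations"]) > 1:
            findings.append("shared: " + ", ".join(sorted(tok["integrations"])))
        if tok["active"] and not tok["integrations"]:
            findings.append("deactivate: active but not in use")
        if findings:
            report[tok["name"]] = findings
    return report


# Constructed sample inventory (not real 6sense data or a 6sense export format).
SAMPLE_TOKENS = [
    {"name": "crm-enrichment", "created": date(2024, 1, 10),
     "active": True, "integrations": ["crm-enrichment"]},
    {"name": "default_existing_token", "created": date(2023, 3, 1),
     "active": True, "integrations": ["web-form", "chatbot"]},
    {"name": "old-pilot", "created": date(2024, 5, 1),
     "active": True, "integrations": []},
    {"name": "web-form-ci", "created": date(2024, 5, 20),
     "active": True, "integrations": ["web-form-ci"]},
]
SAMPLE_TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for name, findings in audit_tokens(SAMPLE_TOKENS, SAMPLE_TODAY).items():
        print(name, "->", "; ".join(findings))
```

A token that is exactly 90 days old is not flagged; the check fires once the interval has been exceeded.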

WebTag

Conclusion

With SaaS, security is always a shared responsibility. While 6sense builds with security and privacy by design, it is also up to you to implement security controls and best practices to further strengthen the security of your 6sense org. If you ever have a security concern, report it to 6sense immediately at [email protected]. To learn more about 6sense’s security and privacy practices, visit our trust site.