Braze Hardening Guide
Customer engagement platform hardening for Braze including SAML SSO, permission sets, and API security
Overview
Braze is a customer engagement platform used for mobile and web marketing automation. Because it stores customer PII and engagement data, its security configuration directly affects data protection and marketing compliance.
Intended Audience
- Security engineers managing marketing platforms
- IT administrators configuring Braze
- Marketing operations managing campaigns
- GRC professionals assessing marketing security
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls for regulated industries
Scope
This guide covers Braze security including SAML SSO, permission sets, API key management, and data protection.
Table of Contents
- Authentication & SSO
- Access Controls
- API Security
- Monitoring & Compliance
- Compliance Quick Reference
1. Authentication & SSO
1.1 Configure SAML Single Sign-On
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.3, 12.5 |
| NIST 800-53 | IA-2, IA-8 |
Description
Configure SAML SSO to centralize authentication for Braze users.
Prerequisites
- Braze admin access
- SAML 2.0 compatible IdP
- SSO feature enabled (enterprise plans)
ClickOps Implementation
Step 1: Access Security Settings
- Navigate to: Settings → Security Settings
- Find SAML SSO section
Step 2: Configure SAML
- Enable SAML SSO
- Enter IdP metadata URL or configure manually:
  - Identity Provider URL
  - SSO URL
  - Certificate
- Configure attribute mapping
Step 3: Test and Enforce
- Test SSO authentication with a non-admin account before enforcing
- Configure SSO enforcement so password login is no longer accepted
- Document the local admin fallback (break-glass) account: who holds it, that it has 2FA, and when it may be used so an IdP outage does not lock administrators out
Time to Complete: ~1-2 hours
1.2 Enforce Two-Factor Authentication
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.5 |
| NIST 800-53 | IA-2(1) |
Description
Require 2FA for all Braze users.
ClickOps Implementation
Step 1: Enable Company-Wide 2FA
- Navigate to: Settings → Security Settings
- Enable Require two-factor authentication
- Applies to all users on next login
Step 2: Configure 2FA Methods
- Braze supports authenticator apps
- Users configure in profile settings
- Generate backup codes
1.3 Configure IP Allowlisting
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 13.5 |
| NIST 800-53 | AC-17 |
Description
Restrict dashboard access to approved IP ranges.
ClickOps Implementation
Step 1: Configure IP Allowlist
- Navigate to: Settings → Security Settings
- Enable IP allowlisting
- Add approved IP ranges
Step 2: Test Access
- Verify access from allowed IPs
- Test blocking from non-allowed IPs
- Document allowed ranges
2. Access Controls
2.1 Configure Permission Sets
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Implement least privilege using Braze permission sets.
ClickOps Implementation
Step 1: Review Permission Sets
- Navigate to: Settings → Company Users → Permission Sets
- Review predefined sets:
  - Admin
  - Developer
  - Marketer
  - Analyst
- Understand permissions per set
Step 2: Create Custom Permission Sets
- Create sets for specific roles
- Define granular permissions
- Limit data access appropriately
Step 3: Assign Minimum Necessary Access
- Apply least-privilege principle
- Regular access reviews
- Document permission assignments
2.2 Configure Workspace Access
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Control access to workspaces and app groups.
ClickOps Implementation
Step 1: Review Workspace Structure
- Navigate to: Settings → Workspaces
- Review workspace organization
- Understand data separation
Step 2: Configure Workspace Access
- Assign users to appropriate workspaces
- Limit cross-workspace access
- Separate production and test data
2.3 Limit Admin Access
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6(1) |
Description
Minimize and protect administrator accounts.
ClickOps Implementation
Step 1: Inventory Admin Users
- Navigate to: Settings → Company Users
- Review users with Admin permission set
- Document admin access
Step 2: Apply Restrictions
- Limit admin to 2-3 users
- Require 2FA for admins
- Monitor admin activity
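The admin inventory in 2.3 and the access reviews in 2.1 are easier to repeat if the transcribed user list is checked by a script rather than by eye. The following is an added example, not Braze tooling: it runs over a constructed user inventory (the field names and the 90-day dormancy threshold are assumptions) and reports the conditions this guide says to look for.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real Braze data). Each record mirrors what an
# administrator would transcribe from Settings -> Company Users: email, permission
# set, whether 2FA is enrolled, and the last dashboard login (None = never).
SAMPLE_USERS = [
    {"email": "alice@example.com",  "permission_set": "Admin",     "two_factor": True,  "last_login": "2025-01-30"},
    {"email": "bob@example.com",    "permission_set": "Admin",     "two_factor": False, "last_login": "2025-01-28"},
    {"email": "carol@example.com",  "permission_set": "Admin",     "two_factor": True,  "last_login": "2024-09-01"},
    {"email": "dan@example.com",    "permission_set": "Admin",     "two_factor": True,  "last_login": "2025-02-01"},
    {"email": "erin@example.com",   "permission_set": "Marketer",  "two_factor": True,  "last_login": "2025-02-03"},
    {"email": "frank@example.com",  "permission_set": "Developer", "two_factor": False, "last_login": "2024-10-15"},
    {"email": "svc-ci@example.com", "permission_set": "Developer", "two_factor": True,  "last_login": None},
]

MAX_ADMINS = 3       # the guide's "2-3 admins" ceiling
INACTIVE_DAYS = 90   # assumed dormancy threshold for access reviews


def review_access(users, today, max_admins=MAX_ADMINS, inactive_days=INACTIVE_DAYS):
    """Return (rule, email) findings for an access review.

    Rules:
      too_many_admins  - more Admin assignments than the ceiling (email is None)
      no_2fa           - user has not enrolled 2FA (company-wide requirement)
      dormant          - last login older than inactive_days
      never_logged_in  - account provisioned but never used
    """
    findings = []
    admins = [u for u in users if u["permission_set"] == "Admin"]
    if len(admins) > max_admins:
        findings.append(("too_many_admins", None))
    cutoff = today - timedelta(days=inactive_days)
    for u in users:
        if not u["two_factor"]:
            findings.append(("no_2fa", u["email"]))
        if u["last_login"] is None:
            findings.append(("never_logged_in", u["email"]))
        elif date.fromisoformat(u["last_login"]) < cutoff:
            findings.append(("dormant", u["email"]))
    return findings


def admins_to_demote(users, findings):
    """Admins that are dormant, unused, or lack 2FA are the first candidates for removal."""
    flagged = {email for rule, email in findings if rule in ("no_2fa", "dormant", "never_logged_in")}
    return sorted(u["email"] for u in users
                  if u["permission_set"] == "Admin" and u["email"] in flagged)


def review_sample():
    """Run the review against the constructed inventory as of 2025-02-05."""
    return review_access(SAMPLE_USERS, date(2025, 2, 5))


if __name__ == "__main__":
    found = review_sample()
    for rule, email in found:
        print(f"{rule:16} {email or '-'}")
    print("demote first:", admins_to_demote(SAMPLE_USERS, found))
```

Run it after each review with the current inventory; the output is the evidence list for the access review record the guide asks you to keep.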
3. API Security
3.1 Configure API Key Management
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 3.11 |
| NIST 800-53 | SC-12 |
Description
Secure API keys and access tokens.
ClickOps Implementation
Step 1: Review API Keys
- Navigate to: Settings → APIs → API Keys
- Inventory all API keys
- Document key purposes
Step 2: Apply Least Privilege
- Create keys scoped to only the endpoints each integration calls
- Use a separate key per integration so one can be revoked without breaking the others
- Rotate keys on a schedule and immediately on suspected exposure or when the owning engineer leaves
Step 3: Secure Key Storage
- Store keys in secure vault
- Never commit to repositories
- Audit key usage
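"Never commit to repositories" is only enforceable with a check in the pipeline. The block below is an added example, not Braze tooling: a small scanner usable as a pre-commit hook. It assumes (this is not stated in the Braze docs) that REST API keys are UUID-shaped and are sent as "Authorization: Bearer <key>"; the sample source file and the UUIDs in it are constructed, not real keys.

```python
import os
import re

# Assumption (not from the Braze docs): Braze REST API keys are UUID-shaped and
# are sent as "Authorization: Bearer <key>", so those two shapes are what the
# rules look for. Extend PATTERNS if your keys look different.
_UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
PATTERNS = [
    # "Bearer <uuid>" anywhere on a line: a literal Authorization header value
    ("bearer_uuid", re.compile(r"Bearer\s+(" + _UUID + r")")),
    # braze*key / braze*token = "<uuid>": a hard-coded assignment
    ("braze_assignment", re.compile(r"(?i)braze\w*(?:key|token)\w*\s*[:=]\s*['\"]?(" + _UUID + r")")),
]
# Documentation placeholders that are not secrets
PLACEHOLDERS = {"00000000-0000-0000-0000-000000000000"}


def redact(key):
    """Keep enough of the key to find it in the dashboard without re-leaking it."""
    return key[:8] + "-****-****-****-" + key[-4:]


def scan_text(text, path="<text>"):
    """Return one finding per hard-coded key: {path, line, rule, key_hint}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS:
            for m in pattern.finditer(line):
                if m.group(1) in PLACEHOLDERS:
                    continue
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "key_hint": redact(m.group(1))})
    return findings


def scan_tree(root, exts=(".py", ".js", ".ts", ".rb", ".go", ".env", ".yml", ".yaml", ".json")):
    """Walk a checkout and scan text files; suitable as a pre-commit hook body."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules", "venv")]
        for name in filenames:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), full))
    return findings


# Constructed sample source file; the UUIDs are made up, not real keys.
SAMPLE_SOURCE = """\
import os, requests
BRAZE_API_KEY = os.environ["BRAZE_API_KEY"]            # good: read from the environment
REST_ENDPOINT = "https://rest.iad-01.braze.com"
headers = {"Authorization": "Bearer 3f2a9c44-1b7e-4d0a-9f55-2c8e6b1d7a90"}  # bad: literal key
legacy_braze_key = '9e1b2c3d-4f5a-4b6c-8d7e-0a1b2c3d4e5f'   # bad: old key left behind
example = "Bearer 00000000-0000-0000-0000-000000000000"     # docs placeholder, ignored
"""

if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE, "sample.py")
    for h in hits:
        print(f"{h['path']}:{h['line']} {h['rule']} {h['key_hint']}")
    sys.exit(1 if hits else 0)   # non-zero exit blocks the commit
```

The scanner only reports a redacted hint, so its own output is safe to paste into a ticket; the full key still has to be revoked in Settings → APIs → API Keys once it has been found.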
3.2 Configure API IP Allowlisting
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 13.5 |
| NIST 800-53 | AC-17 |
Description
Restrict API access to approved IP ranges.
ClickOps Implementation
Step 1: Configure IP Restrictions
- Navigate to: Settings → APIs
- Configure IP allowlist for API keys
- Restrict to application servers
Step 2: Monitor API Access
- Review API access logs
- Alert on unauthorized attempts
- Regular access reviews
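Both allowlists in this guide (dashboard, 1.3, and API keys, 3.2) fail in the same ways: a catch-all range added "temporarily", internal RFC 1918 ranges that a SaaS edge never sees, overlapping entries, and an application server that is silently missing. The block below is an added example, not Braze tooling, that checks a proposed list before it is typed into the dashboard. The breadth thresholds (/24 for IPv4, /64 for IPv6), the sample entries and the required source addresses are constructed assumptions.

```python
import ipaddress

# Assumed policy thresholds (tune to your environment): an entry broader than
# /24 (IPv4) or /64 (IPv6) is treated as too broad for a dashboard or API allowlist.
MIN_PREFIX = {4: 24, 6: 64}

# Ranges that can never be a SaaS-facing egress address; their presence means
# someone copied an internal firewall rule rather than the public NAT address.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]

# Constructed sample: the entries a team proposed, and the egress addresses that
# must keep working (office NAT for the dashboard, application servers for the API).
SAMPLE_ALLOWLIST = [
    "203.0.113.0/24",      # office egress
    "203.0.113.0/25",      # already inside the /24
    "198.51.100.10",       # single application server
    "198.51.100.0/22",     # whole hosting-provider block
    "0.0.0.0/0",           # "temporary" catch-all
    "10.1.2.0/24",         # internal RFC 1918 range, never seen by a SaaS edge
    "2001:db8::/32",       # IPv6 block
    "not-an-ip",           # typo
]
REQUIRED_SOURCES = ["203.0.113.17", "198.51.100.10", "192.0.2.5"]


def parse_allowlist(entries):
    """Split entries into parsed networks and the strings that failed to parse."""
    nets, bad = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            bad.append(entry)
    return nets, bad


def is_internal(net):
    return any(net.version == p.version and net.subnet_of(p) for p in INTERNAL)


def check_allowlist(entries, required_sources, min_prefix=MIN_PREFIX):
    """Return (rule, detail) findings for a proposed IP allowlist.

    Rules: invalid_entry, too_broad, internal_range, redundant, uncovered_source.
    Coverage is evaluated against the entries that survive the breadth check,
    because the too-broad ones are expected to be removed.
    """
    nets, bad = parse_allowlist(entries)
    findings = [("invalid_entry", b) for b in bad]
    kept = []
    for net in nets:
        if net.prefixlen < min_prefix[net.version]:
            findings.append(("too_broad", str(net)))
            continue
        if is_internal(net):
            findings.append(("internal_range", str(net)))
        kept.append(net)
    for i, a in enumerate(kept):
        for b in kept[i + 1:]:
            if a.version == b.version and (a.subnet_of(b) or b.subnet_of(a)):
                findings.append(("redundant", f"{a} overlaps {b}"))
    for src in required_sources:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in kept):
            findings.append(("uncovered_source", src))
    return findings


if __name__ == "__main__":
    for rule, detail in check_allowlist(SAMPLE_ALLOWLIST, REQUIRED_SOURCES):
        print(f"{rule:17} {detail}")
```

The "uncovered_source" check is the one that prevents an outage: run it with the real egress addresses of every application server that calls the REST API before the API-key allowlist is saved, since a missing address shows up only as failed sends.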
4. Monitoring & Compliance
4.1 Configure Activity Logs
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 8.2 |
| NIST 800-53 | AU-2 |
Description
Enable and monitor activity logs.
ClickOps Implementation
Step 1: Access Activity Logs
- Navigate to: Settings → Activity Log
- Review logged events
- Configure retention
Step 2: Monitor Key Events
- User authentication
- Campaign changes
- API key creation
- Permission changes
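The four event types listed above are only useful if something turns them into alerts. The block below is an added example, not Braze tooling or Braze's export format: it runs detection rules over constructed activity-log records in a generic shape (ts, actor, action, ip, detail). The SSO-enforced policy, the dashboard allowlist, the high-risk API permission set and the sample events are all assumptions; map your real log fields onto these names before reusing it.

```python
import ipaddress

# Assumed policy for this example
SSO_ENFORCED = True
DASHBOARD_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
# Assumption: API key permission names are written the way the dashboard shows
# them (e.g. users.export.ids); which ones count as high-risk is our choice.
HIGH_RISK_PERMISSIONS = {"users.delete", "users.export.ids", "users.export.segment"}

# Constructed records in a generic shape; they are not Braze's export format.
SAMPLE_EVENTS = [
    {"ts": "2025-02-04T09:12:03Z", "actor": "alice@example.com", "action": "login",
     "ip": "203.0.113.17", "detail": {"method": "saml"}},
    {"ts": "2025-02-04T09:15:40Z", "actor": "bob@example.com", "action": "login",
     "ip": "198.51.100.77", "detail": {"method": "password"}},
    {"ts": "2025-02-04T10:02:11Z", "actor": "bob@example.com", "action": "api_key.create",
     "ip": "198.51.100.77", "detail": {"name": "ad-hoc export",
                                       "permissions": ["users.export.ids", "users.delete"]}},
    {"ts": "2025-02-04T10:05:00Z", "actor": "bob@example.com", "action": "permission_set.change",
     "ip": "198.51.100.77", "detail": {"target": "frank@example.com", "from": "Marketer", "to": "Admin"}},
    {"ts": "2025-02-04T11:30:00Z", "actor": "erin@example.com", "action": "campaign.update",
     "ip": "203.0.113.22", "detail": {"campaign": "Winter Sale"}},
    {"ts": "2025-02-04T11:31:00Z", "actor": "dan@example.com", "action": "api_key.create",
     "ip": "203.0.113.9", "detail": {"name": "analytics-readonly", "permissions": ["campaigns.list"]}},
]


def in_allowlist(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DASHBOARD_ALLOWLIST)


def detect(events):
    """Return alert dicts {rule, ts, actor, severity} for a chronological event list.

    An actor whose login was already suspicious (password login while SSO is
    enforced, or login from outside the allowlist) gets every later privileged
    action escalated to "high" severity.
    """
    findings = []
    flagged_actors = set()
    for e in events:
        hits = []
        d = e["detail"]
        if e["action"] == "login":
            if SSO_ENFORCED and d.get("method") != "saml":
                hits.append("non_sso_login")
            if not in_allowlist(e["ip"]):
                hits.append("login_outside_allowlist")
            if hits:
                flagged_actors.add(e["actor"])
        elif e["action"] == "api_key.create":
            if HIGH_RISK_PERMISSIONS & set(d.get("permissions", [])):
                hits.append("high_risk_api_key")
        elif e["action"] == "permission_set.change" and d.get("to") == "Admin":
            hits.append("admin_granted")
        for rule in hits:
            escalate = e["actor"] in flagged_actors and e["action"] != "login"
            findings.append({"rule": rule, "ts": e["ts"], "actor": e["actor"],
                             "severity": "high" if escalate else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['ts']} {f['actor']:20} {f['rule']}")
```

Campaign changes are kept in the record but not alerted on here; they matter for an audit trail, while the four rules above are the ones worth a pager.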
4.2 Configure Data Retention
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 3.1 |
| NIST 800-53 | SI-12 |
Description
Configure data retention policies.
ClickOps Implementation
Step 1: Review Retention Settings
- Configure user data retention
- Configure event data retention
- Align with compliance requirements
Step 2: Configure Deletion
- Enable user deletion workflows
- Configure GDPR/CCPA compliance
- Document retention policies
5. Compliance Quick Reference
SOC 2 Trust Services Criteria Mapping
| Control ID | Braze Control | Guide Section |
|---|---|---|
| CC6.1 | SSO/2FA | 1.1 |
| CC6.2 | Permission sets | 2.1 |
| CC6.6 | IP allowlisting | 1.3 |
| CC7.2 | Activity logs | 4.1 |
NIST 800-53 Rev 5 Mapping
| Control | Braze Control | Guide Section |
|---|---|---|
| IA-2 | SSO | 1.1 |
| IA-2(1) | 2FA | 1.2 |
| AC-6 | Permission sets | 2.1 |
| SC-12 | API key security | 3.1 |
| AU-2 | Activity logs | 4.1 |
Appendix A: References
Official Braze Documentation:
- Braze Trust & Security
- Braze User Guide
- Security Settings
- Security Qualifications
- SAML SSO Setup
- Permission Sets
API Documentation:
Compliance Frameworks:
- SOC 2 Type II (Security & Availability), ISO 27001 (renewed August 2025, expires December 2027), HIPAA — via Security Qualifications
Security Incidents:
- 2024 — Major platform outage (April 29). Braze US clusters experienced a near-total outage lasting approximately 11 hours caused by a malfunctioning network switch triggering a spanning tree switching loop. This was described as the first incident of this magnitude in Braze’s 13-year history. Dashboard access, data processing, and message sends were all impacted. (Braze Post-Incident Report)
- No major public data breaches identified.
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-02-05 | 0.1.0 | draft | Initial guide with SSO, permissions, and API security | Claude Code (Opus 4.5) |
Contributing
Found an issue or want to improve this guide?
- Report outdated information: Open an issue with tag content-outdated
- Propose new controls: Open an issue with tag new-control
- Submit improvements: See Contributing Guide