Software as a Service has become the de-facto standard for application delivery across the enterprise. Every year, more desktop applications move to the cloud, and new native SaaS applications emerge on the market. In this model, the application code, configuration, security access controls, and database exist entirely within the SaaS provider’s environment. The benefits of SaaS are many: reduced time to value for users, lower up-front costs, ease of delivery and scalability, and continuous upgrades and new functionality. However, SaaS also presents new challenges in the realms of cybersecurity, data governance, and compliance.
Shared Responsibility in the Cloud
By now most security organizations have heard of the Shared Responsibility Model in cloud computing. It delineates which responsibilities fall upon the cloud provider and which remain with the customer. The Shared Responsibility Model can be divided into 3 categories: IaaS, PaaS, and SaaS.
Of these 3 categories, Software as a Service (SaaS) is the most widely used and the least understood. The global SaaS market size is expected to reach $185.8 billion by 2024, rising at a compound annual growth rate of 21.4%.
Most security controls are deployed in two logical places: on the corporate network or on host operating systems. When it comes to SaaS, this approach doesn’t quite fit. The cloud provider owns both the network and the underlying operating systems that power their applications. They handle firewall and network monitoring, OS hardening, and patch management on behalf of their customers. When it comes to application security, SaaS companies are often very good at preventing common flaws such as SQL Injection and Cross-Site Scripting. With all those things covered, what’s left for security teams to do?
Take another look at the Shared Responsibility Model. Customers retain responsibility for configuring the application and its security controls, identity and access management, and data governance and compliance.
SaaS is Complex
There is a trend across enterprise IT toward slimmer endpoint operating systems. Tasks that once required bulky workstations on the desktop have moved to smartphones, tablets, Chromebooks, and IoT devices. At the same time, more and more application and business logic is moving into the cloud. Customers can now run almost any conceivable business process within a SaaS application. Software as a Service applications are flexible, powerful, and extremely customizable. They are also complex, and that complexity leaves companies at major risk of data breaches and security exposure. This is not because the cloud provider is insecure, but because the customer is unintentionally leaking their data through user error.