Originally published by AppOmni CEO Brendan O’Connor in SC Media, March 24, 2021.
Enterprises are investing in SaaS at a record high, with Gartner estimating that 95 percent of new enterprise application purchases are cloud-based. At the same time, SaaS products are rapidly evolving to play an ever larger role in the enterprise. What were relatively simple applications just a few years ago have quickly morphed into complex platforms – some might even say a new breed of business operating system.
SaaS environments now house massive amounts of business-critical data and accommodate a wide variety of users, including internal employees, contractors, brokers, partners, customers, IoT devices, and a host of API integrations and connected third-party apps.
But while enterprises have expanded the scope and footprint of their SaaS environments, most haven’t updated their security tools and processes to manage the added complexity and highly dynamic nature of SaaS.
Security teams don’t always have knowledge of – or visibility into – which SaaS platforms their organization has in place and – perhaps more important – who (or what) has access to sensitive data. These new data access points are essential to the day-to-day operations of a modern enterprise, and they are now a major source of the data breaches we’re seeing in the news every day.
Unfortunately, these scenarios illustrate how far generally accepted security standards and processes are lagging. Even the most proactive enterprise CISO doesn’t have clear guidance on how to move forward effectively. Today’s reality: SaaS platform adoption has increased rapidly at a time when security practices have not kept pace, creating a powder keg of SaaS exposures.
What should enterprise CISOs do? Here are four steps enterprises can take to improve their SaaS security processes:
Secure configuration doesn’t just happen out of the box; the vendor ships defaults, and the customer owns the settings from there. When SaaS customers don’t actively manage this aspect of the product, a major security gap gets created. Think of a car manufacturer’s obligation to a driver. A manufacturer can produce a car that’s among the safest on the market, but even the safest cars are still dangerous in the hands of irresponsible drivers. The same holds true for SaaS platforms.
For years, SaaS has essentially flown under the radar. Today, many organizations don’t have a clear owner for SaaS security among their various technical and security teams – it’s simply something that hasn’t yet been addressed and therefore doesn’t have an official owner. I’ve also seen IT and AppSec teams play a game of “not it” when it comes to who owns SaaS.
But if a SaaS application houses sensitive and/or business-critical data, AppSec teams need to step up to secure that application and the related data access. Security teams rarely have extra capacity for additional scope. But by embracing tools that automate traditionally manual tasks, like configuration audits, teams can become much more efficient, giving them the ability to cover additional platforms.
A CASB alone isn’t enough. As their name implies, CASBs were designed to broker access to the cloud. While they can inspect cloud traffic that flows through the proxy-access gateway, they have no visibility into traffic that bypasses the proxy and connects to the cloud provider directly. They don’t monitor or manage the many data access points outside the corporate network: external users, contractors, partners, third-party applications, and IoT devices. Access may get intentionally granted to these users, or granted accidentally through misconfiguration or user error.
Pentests are simulated attacks designed to gauge the security of a system. While they have benefits, they also have several drawbacks. They are typically conducted manually, which makes them expensive and time-consuming, and results can vary with the quality of the team or firm performing the assessment. Most notably, they only measure the security of a system at a single point in time. Since SaaS systems are constantly changing because of new users, configuration changes, and vendor updates, pentest findings are often obsolete just weeks or even days after completion.
To create a comprehensive SaaS security process, companies should use tools that cover all data access points, not just access through the company network, and continuously monitor users, data access and configurations.
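To make the configuration-audit and continuous-monitoring idea concrete, here is an added example, not code from the original article or from any vendor’s product. It audits a hypothetical SaaS tenant snapshot (the kind of export a platform’s admin API returns) against a security team’s baseline, covering the three access-point classes the article names: tenant settings, connected third-party apps, and external users. The setting names, scopes, roles and the two snapshots are all constructed for illustration; real platforms expose equivalents under their own names.

```python
"""Configuration audit of a SaaS tenant snapshot against a baseline.

Added example for this article, not AppOmni's or any SaaS vendor's code.
The snapshot format, setting names, scopes and policy values below are
hypothetical; substitute the fields your platform's admin API exposes.
"""
import copy
from typing import Any, Dict, List

# Hypothetical baseline decided by the security team (the customer's side
# of the shared-responsibility model).
BASELINE: Dict[str, Any] = {
    "settings": {
        "mfa_required": True,
        "public_link_sharing": False,
        "guest_accounts_enabled": False,
    },
    "max_session_timeout_minutes": 480,
    "allowed_app_scopes": {"read:profile", "read:calendar"},
    "allowed_external_roles": {"viewer", "partner-limited"},
}

# Constructed snapshot of a tenant on the day of a clean assessment.
SNAPSHOT_DAY_0: Dict[str, Any] = {
    "settings": {
        "mfa_required": True,
        "public_link_sharing": False,
        "guest_accounts_enabled": False,
        "session_timeout_minutes": 240,
    },
    "connected_apps": [
        {"name": "calendar-sync", "scopes": ["read:calendar"], "approved": True},
    ],
    "users": [
        {"email": "alice@example.com", "external": False, "role": "admin"},
        {"email": "broker@partner.example", "external": True, "role": "viewer"},
    ],
}

# Constructed: one week later an admin toggled link sharing on for a demo,
# a user self-authorized an unapproved app with a write scope, and an
# external broker account was promoted to admin. None of this touches the
# corporate network, so a proxy-based control would not see it.
SNAPSHOT_DAY_7 = copy.deepcopy(SNAPSHOT_DAY_0)
SNAPSHOT_DAY_7["settings"]["public_link_sharing"] = True
SNAPSHOT_DAY_7["connected_apps"].append(
    {"name": "export-helper", "scopes": ["read:profile", "write:files"], "approved": False}
)
SNAPSHOT_DAY_7["users"][1]["role"] = "admin"


def audit(snapshot: Dict[str, Any], baseline: Dict[str, Any] = BASELINE) -> List[Dict[str, str]]:
    """Compare one snapshot with the baseline; each finding carries a stable id
    so that successive runs can be diffed."""
    findings: List[Dict[str, str]] = []
    settings = snapshot["settings"]

    # Tenant-wide settings must match the baseline exactly.
    for key, expected in baseline["settings"].items():
        actual = settings.get(key)
        if actual != expected:
            findings.append({"id": f"setting:{key}", "severity": "high",
                             "detail": f"{key}={actual!r}, expected {expected!r}"})

    # Numeric limits are checked as an upper bound rather than equality.
    timeout = settings.get("session_timeout_minutes")
    if timeout is None or timeout > baseline["max_session_timeout_minutes"]:
        findings.append({"id": "setting:session_timeout_minutes", "severity": "medium",
                         "detail": f"session timeout {timeout!r} exceeds baseline"})

    # Connected apps: flag unapproved apps and any scope outside the allow-list.
    for app in snapshot["connected_apps"]:
        extra = set(app["scopes"]) - baseline["allowed_app_scopes"]
        if extra or not app["approved"]:
            findings.append({"id": f"app:{app['name']}",
                             "severity": "high" if extra else "medium",
                             "detail": f"approved={app['approved']}, extra scopes={sorted(extra)}"})

    # External identities may only hold the roles the baseline allows.
    for user in snapshot["users"]:
        if user["external"] and user["role"] not in baseline["allowed_external_roles"]:
            findings.append({"id": f"user:{user['email']}", "severity": "high",
                             "detail": f"external user holds role {user['role']!r}"})
    return findings


def new_findings(previous: List[Dict[str, str]], current: List[Dict[str, str]]) -> List[str]:
    """Finding ids present now but absent last run: the drift that a
    point-in-time assessment never sees."""
    seen = {f["id"] for f in previous}
    return sorted(f["id"] for f in current if f["id"] not in seen)


if __name__ == "__main__":
    day0, day7 = audit(SNAPSHOT_DAY_0), audit(SNAPSHOT_DAY_7)
    print("day 0 findings:", len(day0))
    for f in day7:
        print(f"[{f['severity']}] {f['id']}: {f['detail']}")
    print("new since last run:", new_findings(day0, day7))
```

Scheduling `audit()` against a fresh snapshot each day and alerting on `new_findings()` is the continuous version of what a pentest delivers once: the day-0 run is clean, and every day-7 finding appeared through a configuration or access change that no network-side control would have observed.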
Over time, standard processes and guidelines will inevitably catch up to ensure that SaaS applications are secured end to end. But until that happens, I worry that we’ll witness many more breaches, since so much sensitive data sits unsecured in the cloud. CISOs and security teams need to follow the lead of their organizations and invest in securing SaaS.