Originally published by AppOmni CEO Brendan O’Connor in SC Media, March 24, 2021.
Enterprises are investing in SaaS at a record high, with Gartner estimating that 95 percent of new enterprise application purchases are cloud-based. At the same time, SaaS products are rapidly evolving to play an ever larger role in the enterprise. What were relatively simple applications just a few years ago have quickly morphed into complex platforms – some might even say a new breed of business operating system.
SaaS environments now house massive amounts of business-critical data and accommodate a wide variety of users, including internal employees, contractors, brokers, partners, customers, IoT devices, and a host of API integrations and connected third-party apps.
But while enterprises have expanded the scope and footprint of their SaaS environments, most haven’t updated their security tools and processes to appropriately manage the increased level of complexity and highly dynamic nature of SaaS.
Security teams don’t always have knowledge of – or visibility into – which SaaS platforms their organization has in place and – perhaps more important – who (or what) has access to sensitive data. These new data access points that are essential for the day-to-day operations of a modern enterprise are now a major source of the data breaches we’re seeing in the news every day.
Unfortunately, these scenarios illustrate how generally accepted security standards and processes are lacking. Even the most proactive enterprise CISO doesn’t have clear guidance on how to effectively move forward. Today’s reality: SaaS platform adoption has increased rapidly at a time when security practices have lagged, creating a powder keg of SaaS vulnerabilities.
What should enterprise CISOs do? Here are four steps enterprises can take to improve their SaaS security processes:
Embrace the SaaS shared responsibility model. Many people still mistakenly believe all SaaS security measures are the responsibility of the SaaS vendor. But like cloud services and nearly all other types of technology, SaaS has a shared responsibility model between the vendor and the client. SaaS vendors like Salesforce have the responsibility to offer secure products and services. They generally do this well, as they invest heavily in security and employ some of the best teams in the world. But the responsibility of configuring, managing, and actually using the product ultimately lies with the client.
Ideal configuration doesn’t just happen out of the box. When SaaS clients don’t actively manage this aspect of the product, a major security gap gets created. Think of a car manufacturer’s obligation to a driver. A manufacturer can produce a car that’s among the safest on the market, but even the safest cars are still dangerous in the hands of irresponsible drivers. The same holds true for SaaS platforms.
Define ownership within the enterprise. Unlike many other parts of the tech stack, SaaS applications are frequently purchased and managed by individual business units – often without security teams ever having a chance to log in or evaluate them.
For years, SaaS has essentially flown under the radar. Today, many organizations don’t have a clear ownership precedent among the various technical and security teams when it comes to SaaS security – it’s simply something that hasn’t yet been addressed and therefore doesn’t have an official owner. I’ve also seen IT and AppSec teams play a game of “not it” when it comes to who owns SaaS.
But if a SaaS application houses sensitive and/or business-critical data, AppSec teams need to step up to secure that application and the related data access. Security teams rarely have extra capacity for additional scope. But by embracing new tools that automate traditionally manual tasks, like configuration audits, teams can potentially become much more efficient, giving them the ability to cover additional platforms.
Recognize the limited scope of existing tools and processes. Even the most proactive teams have a hard time understanding how to effectively secure SaaS. The two most common recommendations are Cloud Access Security Brokers (CASBs) and penetration tests, or pentests. But each of these has major limitations.
As their name implies, CASBs were designed to broker access to the cloud. While they can inspect cloud traffic that flows through the proxy-access gateway, they don’t have visibility into traffic that bypasses the proxy and connects to the cloud provider directly. They don’t monitor or manage the many data access points outside the network. These are used by external users, contractors, partners, third-party applications, and IoT devices. Access may get intentionally granted to these users or granted accidentally through misconfiguration or user error.
Pentests are simulated attacks designed to gauge the security of a system. While they have benefits, they also have several drawbacks. They are typically conducted manually, which means they’re expensive, time-consuming, and can return inconsistent results depending on the quality of the team or firm performing the assessment. Most notably, they only measure the security of a system at a single point in time. Since SaaS systems are constantly changing because of new users, configuration changes, and vendor updates, pentests are often obsolete just weeks or even days after completion.
To create a comprehensive SaaS security process, companies should use tools that cover all data access points, not just access through the company network, and continuously monitor users, data access, and configurations.
Take a proactive approach. Many organizations don’t even think about securing their SaaS environments until there’s a breach or major business event such as an acquisition or IPO. Invest in SaaS security during the implementation of important SaaS platforms. Make this a standard part of the software development lifecycle. Ideally, security teams should make SaaS configurations and security controls well-defined and continuously monitored on the first day of use. But if the company’s SaaS applications are already up and running, then now’s the best time to adequately secure them.
Over time, standard processes and guidelines will inevitably catch up to ensure that SaaS applications are secure from end to end. But until that happens, I worry that we’ll witness many more breaches since so much sensitive data sits unsecured in the cloud. CISOs and security teams need to follow the lead of their organizations and invest in securing SaaS.