Why SaaS Security Is So Hard
Attackers never rest, and a company’s SaaS security posture is fast becoming one of the more common ways in for bad actors.
The SaaS market is growing at roughly 30% per year, and Deloitte and others have predicted that, post-COVID-19, the SaaS model will become even more widespread. It is safe to say that SaaS configuration weaknesses will be a major exploitation target. Consider the typical employee: untrained in security, their access and privileges increase the risk of sensitive data being stolen, exposed or compromised. SaaS security posture management (SSPM), as defined by Gartner, is therefore critical to the security of today’s enterprise.
Much of the problem stems from what I like to call the Big Misunderstanding. Many don’t realize that securing company SaaS apps has two sides. SaaS providers build in a host of security features designed to protect company and user data, but how those features are configured and used is ultimately beyond the provider’s control. Just as in any other part of the network, the organization’s IT or security team is the one responsible for protecting and managing the data, configurations, user roles and privileges, regardless of where they live.
SaaS Security Challenges
For enterprise organizations, ensuring that all their SaaS apps are configured properly and carry the correct user roles and privileges is not only a never-ending, time-consuming endeavor but, done manually, an impossible one.
Here is a quick rundown of the main issues security teams face that make SaaS security complex, laborious and just … hard.
Dynamic and Ever-Changing Environment
The SaaS environment is dynamic and continually evolving. As employees join or leave and new apps are onboarded, permissions and configurations must be reset, changed and updated. In addition, continuous compliance updates and security configuration changes are needed to meet industry standards and align with best practices (NIST, MITRE, etc.), and security teams must continuously ensure that all configurations are enforced company-wide, with no exceptions. Considering that a typical enterprise has, on average, 288 SaaS applications, this translates into hours of continuous work that is simply not sustainable.
Each App is a World Unto Itself
Each SaaS application has its own security configurations for compliance, dictating which files can be shared, whether MFA is required, whether recording is allowed in video conferencing and more. The security team has to learn each application’s specific set of rules and configurations and ensure they comply with company policy. Since security staff are usually not the ones using the apps day to day, they are rarely familiar with the settings, which makes optimizing the configuration even harder.
Configuration Management Overload
The number of apps, configurations, user roles and privileges an organization must manage and monitor grows with every onboarded app. If you break it down by the numbers, a typical enterprise has hundreds of SaaS apps. Each app has as many as hundreds of global settings; multiply this by an enterprise with thousands – or tens (or even hundreds) of thousands – of employees. This requires security teams to learn hundreds of app setups, monitor thousands of settings and track tens of thousands of user roles and privileges – quite the impossible – and unsustainable – scenario.
No Clear Visibility or Direct Management
Most SaaS apps are purchased and implemented by the departments that use them the most; for example, a marketing automation solution sits with marketing, and a CRM solution with sales. These SaaS apps hold critical data on the company’s clientele and business projects. Often, the SaaS users in these scenarios are not security-trained or vigilant about the continuous needs of configuration and posture. The security team ends up in the dark about the security protocols in place – and, more importantly, does not have eyes on the exposure or risk.
The Human Impact
Beyond the owner or administrator of a SaaS app are the employees who use it. Employees often have access or privileges that could leave the company exposed, whether on purpose or by accident. For example – and this has happened to most of us – an email is sent after a name autofills or is mistyped, so the message goes to an old address, to the wrong person or group, or even to an external user, who can then read sensitive content. Depending on the sensitivity of the data, this “accidental share” has left the company exposed. Between accidental shares and a folder’s settings being changed to “public” so that anyone can retrieve the data, it is clear that employees’ use of a SaaS app must be configured correctly as well as monitored.
Hackers Keep Coming
Hacking techniques continue to get more sophisticated, yet when it comes to infiltrating SaaS apps, the approach is often simple. Bad actors continuously look for weaknesses they can exploit to get into a business. Some have gone so far as to say that hackers are no longer hacking in, but logging in: a phished or reused password on an account where MFA is not enforced is all it takes. The dynamic nature of the security environment, and the growing risks, place even more responsibility in the hands of security teams that are already buckling under existing pressures.
Preventing SaaS Security Posture Problems
Organizations exposed to SaaS security configuration weaknesses can now turn to solutions that automate the management of their SaaS security posture.
As Gartner’s own Tom Croll asserts in 3 Steps to Gartner’s SaaS Security Framework (Dec 2020):
“Increasingly, business-critical data is being processed by applications that exist entirely outside the corporate network, making traditional controls ineffective. New controls are needed to address these new realities.
SSPM tools allow enhanced controls to further protect data stored in the most commonly used SaaS applications. Core capabilities include monitoring the configuration of native SaaS security settings, reporting non-compliance and auto-remediating violations to maintain alignment with multiple compliance frameworks.”
There are many solutions in cloud security, but SSPM solutions assess a company’s SaaS security posture in a customized and automated manner, tailored to each application’s specifics and aligned with company policy. And it is not a one-time assessment; it is a continuous process that monitors and reinforces the company’s SaaS security.
The right SSPM solution provides deep visibility into, and remediation of, weaknesses in a company’s SaaS security posture, from misconfigurations and misappropriated privileges to suspicious SaaS usage. SSPMs are built to streamline the security team’s work, reducing workload and stress while increasing the company’s protection against exposure or breach.
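To make the per-app posture check concrete (the app-specific settings described under “Each App is a World Unto Itself” and the continuous monitoring and non-compliance reporting described just above), here is an added Python example. It is not part of the original article and is not any vendor’s SSPM code. Everything in it is constructed for illustration: two hypothetical apps (“crm” and “meetings”), their raw setting names, the adapter functions that map those names into one policy vocabulary, the policy baseline, and the two configuration snapshots. `evaluate` reports settings that violate the baseline, and `drift` shows what changed between two snapshots, which is what turns a one-time assessment into a continuous one.

```python
"""Minimal SaaS posture check (constructed example, not a real vendor API)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Company policy baseline in a vendor-neutral vocabulary (hypothetical names).
# A tuple means an allowed numeric range (min, max); None means unbounded.
POLICY: dict[str, object] = {
    "mfa_required": True,
    "external_sharing": False,
    "meeting_recording": False,
    "session_timeout_minutes": (None, 60),
}


# Each app names and types the same control differently. Adapters translate the
# app's raw settings into the policy vocabulary (setting names are made up here).
def adapter_crm(raw: dict) -> dict:
    return {
        "mfa_required": raw.get("security.two_factor") == "enforced",
        "external_sharing": bool(raw.get("sharing.allow_external_domains", False)),
        "session_timeout_minutes": raw.get("session.timeout_min"),
    }


def adapter_meetings(raw: dict) -> dict:
    return {
        "mfa_required": bool(raw.get("require_2fa", False)),
        "meeting_recording": bool(raw.get("cloud_recording_enabled", False)),
        "external_sharing": raw.get("guest_join", "off") == "on",
    }


ADAPTERS: dict[str, Callable[[dict], dict]] = {
    "crm": adapter_crm,
    "meetings": adapter_meetings,
}


@dataclass(frozen=True)
class Finding:
    app: str
    setting: str
    expected: object
    actual: object


def evaluate(app: str, raw: dict) -> list[Finding]:
    """Compare one app's normalized settings against POLICY; return violations."""
    normalized = ADAPTERS[app](raw)
    findings: list[Finding] = []
    for setting, expected in POLICY.items():
        if setting not in normalized:
            continue  # this app has no such control; nothing to enforce
        actual = normalized[setting]
        if isinstance(expected, tuple):
            lo, hi = expected
            ok = (actual is not None
                  and (lo is None or actual >= lo)
                  and (hi is None or actual <= hi))
        else:
            ok = actual == expected
        if not ok:
            findings.append(Finding(app, setting, expected, actual))
    return findings


def drift(previous: dict, current: dict) -> dict[str, tuple]:
    """Normalized settings whose value changed between two snapshots."""
    keys = set(previous) | set(current)
    return {k: (previous.get(k), current.get(k))
            for k in sorted(keys) if previous.get(k) != current.get(k)}


def run(snapshot: dict[str, dict]) -> dict[str, list[Finding]]:
    return {app: evaluate(app, raw) for app, raw in snapshot.items()}


def drift_report(t0: dict[str, dict], t1: dict[str, dict]) -> dict[str, dict]:
    return {app: drift(ADAPTERS[app](t0.get(app, {})), ADAPTERS[app](raw))
            for app, raw in t1.items()}


# Constructed snapshots: T0 is compliant; by T1 an admin has relaxed MFA and
# external sharing in the CRM and enabled cloud recording in the meetings app.
SNAPSHOT_T0 = {
    "crm": {"security.two_factor": "enforced",
            "sharing.allow_external_domains": False, "session.timeout_min": 30},
    "meetings": {"require_2fa": True, "cloud_recording_enabled": False,
                 "guest_join": "off"},
}
SNAPSHOT_T1 = {
    "crm": {"security.two_factor": "optional",
            "sharing.allow_external_domains": True, "session.timeout_min": 30},
    "meetings": {"require_2fa": True, "cloud_recording_enabled": True,
                 "guest_join": "off"},
}

if __name__ == "__main__":
    for app, findings in run(SNAPSHOT_T1).items():
        for f in findings:
            print(f"[{app}] {f.setting}: expected {f.expected!r}, found {f.actual!r}")
    print("drift since last scan:", drift_report(SNAPSHOT_T0, SNAPSHOT_T1))
```

In a real deployment the raw snapshots would come from each vendor’s admin API and the adapters would be the part that has to be written per application, which is exactly the per-app learning curve the article describes; the policy and the comparison logic stay the same across apps.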

