Is SaaS a Threat or a Boon to Cybersecurity?

The IT threat landscape continues to grow by the day, and the latest vehicle for an attack is SaaS—the web-based applications that many organizations have become dependent on for efficiency and productivity, a dependency that has only grown over the past two years as more employees work remotely. In addition, SaaS has leveled the playing field in IT—with users installing the apps they prefer to work with without the approval of system managers or security teams. While the democratization of SaaS is largely welcome—employees are likely to be more productive and more satisfied with their jobs if they work the way that works best for them—this openness can turn into a security risk. SaaS platforms, which are not under the control of enterprise security teams, can be conduits for bad actors to compromise systems and networks; the chaotic SaaS ecosystem is attractive to attackers who exploit the often unmonitored connections between SaaS platforms and seemingly legitimate business interactions. In fact, SaaS vulnerability has become so acute that consulting firm Gartner recently established SaaS security posture management as a specific category to assess security and seek out gaps specifically in the SaaS space. SaaS security is high up on Gartner’s Hype Cycle, indicating how concerned CISOs are about the issue.

What CISOs Can Do to Improve SaaS Security

Clearly, CISOs need to embrace an innovative mindset and explore tools that can help address the dilemma of balancing productivity with security. Many experts recommend allowing access to specifically whitelisted and approved services, along with setting narrow parameters for how SaaS solutions can be used.

That would increase security significantly, but it would also likely damage an organization’s business, limiting the ability to connect with services and companies that could make them more productive, efficient and profitable—not to mention significantly frustrate employees who gravitate to SaaS to get their work done, and would likely find ways to continue doing so, defying the whitelist and denying security teams the ability to monitor those connections. So it’s clear that other approaches are needed.

CISOs are torn between ensuring security and enabling productivity, with the core issue being a lack of transparency and control, according to a McKinsey report that lays out a plethora of security challenges resulting from SaaS growth. From a lack of control over authentication, to the better incident response by SaaS providers, to difficulties in integrating SaaS with overall security policy, to a lack of transparency in SaaS T&C—among others—CISOs have good reason to rue the increasing popularity of SaaS.

Because the service is hosted on a remote server by a remote organization, CISOs have no insight into how good the platform’s security really is. CISOs, of course, vet platforms before approving them for employee use, but the security situation, terms of service or interconnectivity vulnerabilities (such as when a platform allows a poorly secured third-party application to use its resources, thus opening itself up to security problems) could all change at any time, without organizations even being aware of it.

Among the specific security issues CISOs are worried about, according to a UK government cybersecurity study, are misconfiguration of SaaS access that hackers could take advantage of, difficulties in integrating SaaS platforms in their security efforts and difficulties in keeping up with SaaS platform changes, among others. Overall, 94% of companies surveyed were “moderately to extremely concerned” about SaaS and cloud usage overall, while 69% were “not confident at all” about their ability to defend their firms from those threats. And as new services are introduced, more employees use more SaaS more often—greatly expanding the opportunities for bad actors. Based on all this, no one could blame a CISO for eschewing SaaS as much as possible.

But solutions are emerging. Artificial intelligence—machine learning, neural networks and other advanced data analytics solutions—could help. While they can’t control the threats coming from SaaS platforms, they could help control the impact and reduce the blast radius of those threats.

For instance, if a malware payload makes its way onto an organization’s servers where sensitive data is stored, an automated system can issue an alert, enabling security teams to quickly mitigate the damage. Along with advanced localized network security, CISOs should set policies for employees using SaaS, requiring that they frequently change authentication information and API credentials—and implement additional security, such as 2FA—for all work-related online accounts on all platforms. Advanced data systems can help here, as well, by automatically informing employees when keys need to be rotated; automated rotation tools can also be implemented, enabling security teams to use their time more efficiently.

Use Discovery Tools

In addition, security teams need to keep abreast of changes in the organization’s human resources systems, shutting down SaaS accounts when employees leave, move to different departments or no longer use SaaS platforms in the context of their jobs. Teams can also use discovery tools to map all SaaS services, enabling them to discover vulnerabilities that could be exploited, as well as gain full visibility of all SaaS services used in the organization. The first step to developing comprehensive SaaS security is answering the question “What do I have?” Only then can CISOs take the appropriate actions.
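The two controls described above (rotating credentials on a schedule, and reconciling SaaS accounts against HR changes) both reduce to comparing a SaaS inventory against a source of truth. The following script is an added illustration, not code from this article or from Atmosec; it runs over a constructed HR roster and constructed per-application user exports, and assumes a 90-day key-rotation policy (a placeholder value). It answers “What do I have?” by listing the applications in use, then flags accounts whose owner is no longer active in HR, accounts granted under a department the owner has since left, and API keys older than the rotation window.

```python
"""Reconcile SaaS account exports against an HR roster and a key-rotation policy.

All data below is constructed for the example. In practice the roster would come
from the HR system and the account lists from each SaaS platform's admin API or
from a SaaS discovery tool.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

ROTATION_MAX_AGE_DAYS = 90  # assumed policy value, not from the article


@dataclass(frozen=True)
class Employee:
    email: str
    department: str
    active: bool  # False once HR marks the person as having left


@dataclass(frozen=True)
class SaasAccount:
    app: str
    email: str
    department: str  # department recorded when access was granted
    key_last_rotated: Optional[date]  # None means no API key issued


# Constructed HR roster: carol has left, dave moved from sales to finance.
HR_ROSTER: List[Employee] = [
    Employee("alice@example.com", "eng", True),
    Employee("bob@example.com", "sales", True),
    Employee("carol@example.com", "eng", False),
    Employee("dave@example.com", "finance", True),
]

# Constructed SaaS exports: mallory never appears in HR at all.
SAAS_ACCOUNTS: List[SaasAccount] = [
    SaasAccount("crm", "alice@example.com", "eng", date(2024, 1, 10)),
    SaasAccount("crm", "bob@example.com", "sales", None),
    SaasAccount("crm", "carol@example.com", "eng", date(2024, 3, 1)),
    SaasAccount("ci", "dave@example.com", "sales", date(2023, 11, 1)),
    SaasAccount("ci", "mallory@example.com", "eng", None),
    SaasAccount("storage", "alice@example.com", "eng", date(2024, 3, 20)),
]

Finding = Tuple[str, str]  # (app, email)


def inventory(accounts: List[SaasAccount]) -> List[str]:
    """The 'What do I have?' step: every distinct application with at least one account."""
    return sorted({a.app for a in accounts})


def find_orphaned(accounts: List[SaasAccount], roster: List[Employee]) -> List[Finding]:
    """Accounts whose owner is not an active employee (left, or never in HR)."""
    active = {e.email for e in roster if e.active}
    return sorted((a.app, a.email) for a in accounts if a.email not in active)


def find_department_moves(accounts: List[SaasAccount], roster: List[Employee]) -> List[Finding]:
    """Accounts granted under a department the (still active) owner has since left."""
    current = {e.email: e.department for e in roster if e.active}
    return sorted(
        (a.app, a.email)
        for a in accounts
        if a.email in current and current[a.email] != a.department
    )


def find_stale_keys(
    accounts: List[SaasAccount], today: date, max_age_days: int = ROTATION_MAX_AGE_DAYS
) -> List[Finding]:
    """API keys rotated earlier than today minus the policy window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(
        (a.app, a.email)
        for a in accounts
        if a.key_last_rotated is not None and a.key_last_rotated < cutoff
    )


def review(accounts: List[SaasAccount], roster: List[Employee], today: date) -> Dict[str, list]:
    """Run every check and return the findings keyed by check name."""
    return {
        "inventory": inventory(accounts),
        "orphaned": find_orphaned(accounts, roster),
        "department_moves": find_department_moves(accounts, roster),
        "stale_keys": find_stale_keys(accounts, today),
    }


if __name__ == "__main__":
    for check, hits in review(SAAS_ACCOUNTS, HR_ROSTER, date(2024, 4, 1)).items():
        print(f"{check}: {hits}")
```

Each finding maps to one of the actions the article calls for: orphaned accounts are shut down, department moves trigger an access re-review, and stale keys are queued for rotation (or handed to an automated rotation tool). Running the review on a schedule, rather than once at approval time, is what catches the drift the article warns about.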

SaaS can make work easier for everyone; it’s easy, convenient and low-maintenance, with all updates and feature development and maintenance the responsibility of the platform provider. But when it comes to security, nobody is perfect. All it takes is one breach to ruin an organization. With the right systems and policies, CISOs can ensure that those breaches don’t come via SaaS platforms.

Misha Seltzer

Misha Seltzer is the co-founder and CTO at Atmosec. He’s driven by helping companies confidently secure the adoption, usage and management of any business application across their organization.