CISO Resource: A Checklist for SaaS Security Risk Management

When it comes to SaaS security, the focus up to now has mostly been on the risk posed by the SaaS vendor. Historically, this made sense: when SaaS services first appeared, companies were concerned about where their data was being stored and worried about how secure the vendor was. In response, certifications such as SOC 2 (created in 2010) and ISO 27001 (published in 2005 and updated in 2013) were established to help companies objectively compare SaaS vendors' practices and their compliance with industry best practices.

SaaS has changed significantly in the last 10 years. SaaS usage is prolific in every company, and applications are often acquired by individual employees rather than purchased centrally by IT. SaaS risk goes far beyond the vendor's risk; it is now driven by enterprise-specific factors that most companies still do not include in their risk calculations, because risk is still assessed as if vendor risk were the most important factor. The result is that most companies manage SaaS using an outdated framework and have huge blind spots. SaaS security operations have also changed, and you can read our SaaS security best practices blog to learn more about how companies need to change their approach to SaaS security.

The following checklist identifies the key risk factors that CISOs should understand to manage their SaaS risk effectively, beyond the standard industry certifications. The checklist was developed by Grip Security in collaboration with hundreds of CISOs who provided input for the development of our flagship SaaS Security Control Plane solution.

SaaS Risk Management Checklist

Discover how many SaaS applications are being used

The foundation of any SaaS security program is a complete inventory of all SaaS applications being used. Many companies use single sign-on (SSO) or identity providers (IdPs), and this is a good start. However, most do not have a good inventory of SaaS applications where the employee created an account using local application credentials. CASBs provide another layer of data; however, they are unable to discern whether the employee has created an account or is just visiting the site. This SaaS inventory should also cover accounts created by former employees that are still active. This is far more common than most people think.

Identify data used in the SaaS application

Data governance is a critical aspect of a security program, and SaaS makes it particularly difficult. The best source for identifying the type of data that will be used is the users themselves. However, gathering this information from every user for every SaaS application they sign up for is tedious and time consuming. Automation can make this part of the SaaS onboarding process, and gathering this information is critical to any robust SaaS security program.

Monitor the number of employees using a SaaS application

The ease of using SaaS has caused a sharp rise in the number of applications used in a company. By some estimates, there are more than 15,000 SaaS companies in North America, and the average company uses almost 200 different SaaS applications. An application used by one employee is likely to pose less risk than one used by multiple employees. Understanding the number of employees using a SaaS application helps a company assess its risk level more accurately and prioritize any compliance actions.

SaaS application adoption

The reality is that the number of users of a SaaS application will change over time, and an application that is experiencing a sharp rise in users deserves attention to ensure that those users are complying with the company's security policies. The users may be in the same department or in completely different offices. The density of users within a function is also a factor in the risk the application poses. For example, if 10 people in finance are using an application and sharing data, this is a very high level of risk. But if 10 people in 10 different departments are using the application with little or no collaboration, the risk is lower. The key is to monitor the growth in adoption so that risk can be assessed accurately.

Authentication method used for a SaaS application

When creating a SaaS account, users often have the option to authenticate using an IdP or local credentials. Though the company policy may require users to use the official IdP, many users will sign up with their email address and reuse one of their passwords. Knowing the authentication method used allows security teams to reach out and ask the user to switch to the IdP and comply with the company policy. Existing solutions, including CASBs, have no way to gather this information. This can be done by the Grip SaaS Security Control Plane solution.

Number of SaaS applications or accounts no longer used

In SaaS security, there is a lot of focus on the SaaS applications being used; what does not get as much attention is the number of SaaS applications or accounts that are no longer used. These can be the result of employee turnover, where the off-boarding process did not cover unsanctioned SaaS applications for which the employee did not use an IdP. Or it could simply be that the employee changed applications, for example moving from Trello to Monday.com. Dormant SaaS accounts are a common blind spot, and existing solutions like CASBs are unable to discover or help secure them.

Change in SaaS application risk over time

SaaS risk is not static; it changes over time. Users may start with a freemium version with limited capabilities and then upgrade to a version with more advanced capabilities. As mentioned previously, a single user may start using an application and then invite colleagues to use it as well. With thousands of potential applications, a best-in-class SaaS security risk management program monitors the change in risk over time and helps security teams prioritize their resources and efforts.
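
The checklist factors above (breadth of use, departmental density, authentication method, dormant or former-employee accounts, and recent adoption growth) can be turned into a simple per-application score. The following Python is an added example, not Grip's product or code; the account records, the weights, and the 90-day window are constructed assumptions.

```python
"""Score SaaS applications against the checklist factors: breadth of use,
same-team density, local-credential logins, dormant or former-employee
accounts, and recent adoption growth. All account records are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    app: str
    user: str
    department: str
    auth: str              # "idp" (sanctioned) or "local" (email + password)
    created: date
    last_login: date
    employee_active: bool  # False once the user has left the company


def assess_app(app, accounts, today, window_days=90):
    """Return the risk factors and an additive score for one application."""
    accs = [a for a in accounts if a.app == app]
    users = len({a.user for a in accs})
    if users == 0:
        return None
    top_dept, top_count = Counter(a.department for a in accs).most_common(1)[0]
    local_auth = [a.user for a in accs if a.auth == "local"]
    # Dormant: the owner has left, or there was no login inside the window.
    dormant = [a.user for a in accs
               if not a.employee_active or (today - a.last_login).days > window_days]
    recent = sum((today - a.created).days <= window_days for a in accs)
    score = min(users, 10)                                   # breadth of use
    score += (10 * top_count) // users if users > 1 else 0   # same-team density
    score += 3 * len(local_auth)                             # IdP policy violations
    score += 5 * len(dormant)                                # unmanaged accounts
    score += (10 * recent) // users                          # adoption spike
    return {"app": app, "users": users, "top_department": top_dept,
            "local_auth": local_auth, "dormant": dormant,
            "recent_signups": recent, "score": score}


TODAY = date(2024, 6, 1)
SAMPLE = [  # constructed inventory: IdP logs merged with discovered local accounts
    Account("boards.example", "alice", "finance", "local", date(2024, 5, 10), date(2024, 5, 30), True),
    Account("boards.example", "bob", "finance", "idp", date(2024, 5, 12), date(2024, 5, 29), True),
    Account("boards.example", "carol", "finance", "local", date(2024, 5, 20), date(2024, 5, 31), True),
    Account("boards.example", "dave", "marketing", "idp", date(2023, 1, 5), date(2024, 5, 20), True),
    Account("notes.example", "erin", "sales", "local", date(2022, 3, 1), date(2023, 11, 1), False),
    Account("notes.example", "frank", "it", "idp", date(2023, 6, 1), date(2024, 5, 25), True),
]


def ranked(accounts=SAMPLE, today=TODAY):
    """Assess every application in the inventory, highest risk first."""
    apps = sorted({a.app for a in accounts})
    return sorted((assess_app(x, accounts, today) for x in apps), key=lambda r: -r["score"])
```

Running `ranked()` on the sample places the finance-heavy, locally-authenticated app that three people joined in the last month ahead of the app whose only issue is a former employee's lingering account.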

Grip SaaS Security Control Plane

Modern SaaS security has distinct requirements that are not fully met by traditional identity-, network-, or endpoint-based solutions. Those solutions assume that the company controls the authentication, the network access, or the endpoint device being used. With SaaS, the user could be using an unsanctioned application on a personal device while working remotely. The Grip SaaS Security Control Plane solution helps companies modernize their security architectures to address the specific challenges of SaaS.

With automation at its core, the SaaS security control plane coordinates and automates security processes and allows security teams to scale, reduce workload, and enforce risk management policies across disparate systems.  Grip provides an end-to-end platform that identifies incidents, provides the remediation options, and automates the implementation—from alert to security outcome.

The Grip solution does not require an endpoint client, a proxy, or CASB integration. Installation is simple and takes only ten minutes to complete. Learn more about how Grip can help with your SaaS security with a free SaaS security risk assessment, or read our datasheet.

*** This is a Security Bloggers Network syndicated blog from Grip Security Blog authored by Grip Security Blog. Read the original post at: https://www.grip.security/blog/saas-security-risk-management-checklist-for-cisos