Manual Vs. SSPM: Streamlining SaaS Security Management

An interesting trend is unfolding in companies around the globe. They are investing in a growing number of SaaS apps to support day-to-day operations but then putting themselves in an extremely precarious situation by failing to invest an equal or larger amount into their security staff. 

These are just two findings from the 2022 SaaS Security Survey Report. The report, run by the Cloud Security Alliance (CSA), focuses on CISOs—how they are managing a SaaS app attack surface that is growing faster than ever, and the steps they are taking (or, in many cases, not taking) to secure their organizations.

Manual is Slow and Inefficient

According to the research, SaaS app adoption is presenting significant challenges—with at least 43% of organizations experiencing a security incident stemming from a SaaS misconfiguration. If you include the 20% of respondents who were “unsure,” that figure could easily exceed 63%. To give this some added perspective, only 17% of organizations say that they are experiencing security incidents due to an IaaS misconfiguration. 

The report also identifies challenges in the speed at which organizations are able to remediate. Without an automated solution such as SaaS security posture management (SSPM), security teams have to manually and continuously check every security configuration of every app, for every user and device accessing the app, in order to secure their SaaS stack. On top of that come the numerous third-party SaaS apps connected to the core SaaS stack. According to data from the SaaS management company Productiv, the average app portfolio now comprises at least 254 apps, and most teams use 40-60 SaaS apps on average. Dealing with this volume without an automated solution in place is not a realistic option.

In the world of SaaS, apps must be checked on a regular basis. Yet, according to the research, 46% of the respondents using a manual method check their SaaS security monthly or less frequently. Another 5% stated that they don’t check at all. One driver behind these figures is that identifying SaaS misconfigurations takes time.  

It doesn’t stop there–security teams need to remediate these misconfigurations and then conduct security checks on a regular basis to detect any new misconfigurations. The longer these checks take, the more exposed the business becomes to threats. As SaaS stacks continue to grow, and they will, the security team’s visibility into the configuration of each app diminishes considerably.

As a result, when security check failures occur, teams first exhaust precious cycles educating themselves to understand why a check failed. Next, they must determine the right course of action to fix it, and that takes time—according to the research, when remediating manually, approximately one in four organizations took one week or longer to resolve a misconfiguration. 

SSPM Brings Security at Scale

One option for businesses is SaaS security posture management (SSPM), which allows them to automatically conduct security checks on a regular basis and remediate misconfigurations on the spot. Businesses can bring-their-own-compliance or stick to the standard industry frameworks.  

SSPM also brings much-needed speed—when misconfigurations are detected, most organizations using SSPM resolve them within a single day or week. SSPM solutions also do more than evaluate and fix failed security checks caused by misconfigurations: they assess risk stemming from connected apps and from compromised user devices.

Whether you head the security team, are a third-party/vendor risk manager, head of compliance, or hold any other function in the security team, you often do not want to interfere with and break an existing operational workflow, so you ask the app owners to remediate the app settings themselves. SSPM bridges this communication gap from the moment a ticket is created until the security drift is resolved. As a result, you ensure the SaaS stack remains secure and raise awareness among app owners at the same time.
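The check-and-ticket loop described in the last few paragraphs, as an added Python sketch that is not Adaptive Shield's, CSA's or any vendor's code: a policy of checks mapped to framework controls runs against a snapshot of tenant settings, each failed check becomes a finding with a ticket addressed to the app owner, and a later re-run closes findings whose setting was fixed while keeping the still-drifted ones open with their original opening time. The app names, setting keys, owners and control ids (`AC-MFA`, `DS-SHARE`, etc.) are all constructed for illustration.

```python
import copy
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Check:
    """One posture check: which app setting it inspects and which framework control it maps to."""
    check_id: str
    app: str
    control: str                    # hypothetical control id: the "bring your own compliance" mapping
    passes: Callable[[dict], bool]  # predicate over the app's current settings
    remediation: str                # guidance forwarded to the app owner in the ticket


@dataclass
class Finding:
    """A failed check, tracked from ticket creation until the drift is resolved."""
    check_id: str
    app: str
    control: str
    owner: str
    remediation: str
    opened_at: datetime
    resolved_at: Optional[datetime] = None

    @property
    def key(self) -> tuple:
        return (self.app, self.check_id)

    def time_to_resolve(self) -> Optional[timedelta]:
        return None if self.resolved_at is None else self.resolved_at - self.opened_at


# Constructed tenant snapshot: app -> owner + current settings (illustrative names and values only).
SNAPSHOT: Dict[str, dict] = {
    "collab_suite": {
        "owner": "it-collab@example.com",
        "settings": {"mfa_enforced": False, "external_sharing": "anyone_with_link", "session_timeout_hours": 720},
    },
    "crm": {
        "owner": "sales-ops@example.com",
        "settings": {"mfa_enforced": True, "api_tokens_expire": False, "admin_count": 9},
    },
}

# Constructed policy: the checks evaluated on every run.
POLICY: List[Check] = [
    Check("mfa-required", "collab_suite", "AC-MFA", lambda s: s.get("mfa_enforced") is True, "Enforce MFA tenant-wide"),
    Check("no-public-links", "collab_suite", "DS-SHARE", lambda s: s.get("external_sharing") in {"disabled", "domain_only"}, "Restrict external sharing to the domain"),
    Check("short-sessions", "collab_suite", "AC-SESSION", lambda s: s.get("session_timeout_hours", float("inf")) <= 24, "Set session timeout to 24h or less"),
    Check("mfa-required", "crm", "AC-MFA", lambda s: s.get("mfa_enforced") is True, "Enforce MFA tenant-wide"),
    Check("token-expiry", "crm", "AC-TOKEN", lambda s: s.get("api_tokens_expire") is True, "Enable API token expiration"),
    Check("admin-sprawl", "crm", "AC-ADMIN", lambda s: s.get("admin_count", 0) <= 5, "Reduce tenant admins to five or fewer"),
]


def run_checks(snapshot: Dict[str, dict], policy: List[Check], now: datetime) -> List[Finding]:
    """Evaluate every check against the current settings; one Finding per failed check."""
    findings = []
    for check in policy:
        app = snapshot.get(check.app)
        if app is None:
            continue  # app not present in this tenant; nothing to evaluate
        if not check.passes(app["settings"]):
            findings.append(Finding(check.check_id, check.app, check.control, app["owner"], check.remediation, now))
    return findings


def reconcile(open_findings: List[Finding], snapshot: Dict[str, dict], policy: List[Check], now: datetime):
    """Re-run the checks on a fresh snapshot. Findings whose check now passes are closed with a
    resolution time; still-failing ones stay open with their original opened_at (the drift persists);
    newly failing checks open new findings. Returns (still_open, resolved)."""
    current = {f.key: f for f in run_checks(snapshot, policy, now)}
    still_open, resolved = [], []
    for f in open_findings:
        if f.key in current:
            still_open.append(f)
            del current[f.key]  # already tracked; do not reset its opening time
        else:
            f.resolved_at = now
            resolved.append(f)
    still_open.extend(current.values())  # new drift since the last run
    return still_open, resolved


def by_control(findings: List[Finding]) -> Dict[str, int]:
    """Count open findings per framework control: the compliance view of the same data."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


def ticket_text(f: Finding) -> str:
    """Ticket sent to the app owner, rather than the security team changing the setting itself."""
    return f"[{f.app}] {f.check_id} fails control {f.control}; owner {f.owner}; action: {f.remediation}"


def simulate() -> dict:
    """Scenario: initial scan, then the collab owner enables MFA two days later and the scan re-runs."""
    t0 = datetime(2022, 6, 1, tzinfo=timezone.utc)
    findings = run_checks(SNAPSHOT, POLICY, t0)
    fixed = copy.deepcopy(SNAPSHOT)
    fixed["collab_suite"]["settings"]["mfa_enforced"] = True
    still_open, resolved = reconcile(findings, fixed, POLICY, t0 + timedelta(days=2))
    return {
        "initial_findings": len(findings),
        "tickets": [ticket_text(f) for f in findings],
        "open_after_fix": len(still_open),
        "resolved": [(f.app, f.check_id, f.time_to_resolve().days) for f in resolved],
        "open_by_control": by_control(still_open),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, "->", value)
```

Keeping the original `opened_at` across re-runs is what makes the "one week or longer to resolve" figure measurable at all: the time to resolve is the distance from the first failed check to the run in which it passes, not from the most recent scan.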

The 2022 SaaS Security Survey Report shines a light on the differences between companies using SSPM and those that are trying to manually navigate and manage this new and growing environment on their own. What is clear is that to realize all the benefits of SaaS without any of the challenges, SSPM should be a part of the equation.


Maor Bin

A former cybersecurity intelligence officer in the IDF, Maor has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDF service. Maor holds a BSc in Computer Science and is CEO and co-founder of Adaptive Shield, the SaaS Security Posture Management solution built to help security teams gain control over their SaaS app security and prevent vulnerabilities that could lead to a leak or breach.
