7 Essential SaaS Security Best Practices

Originally published by Suridata.

No More SaaS Security Tradeoffs

If your organization is like most, you are probably using upwards of a hundred Software-as-a-Service (SaaS) applications. The reasons for this are many, including convenience, instant access to enterprise software, and flexibility. On the downside, SaaS security has proven to be a challenge, even if you have robust controls and cybersecurity technologies on-premises and in the cloud. There’s a growing gap between companies’ SaaS apps and their security solutions. It’s difficult to keep up with SaaS expansion, leading to poor visibility and risk exposure.

Until recently, companies have been able live with the SaaS tradeoff: You get the benefits of SaaS, but security can be a troubling afterthought. It does not have to be this way, and indeed things cannot go on like this. Security managers are increasingly interested in finding solutions. The Cloud Security Alliance (CSA) found, for example, that SaaS security has become a top priority in 80% of the organizations they surveyed. As this article discusses, it is possible to implement effective SaaS security, if you follow certain best practices.

What is SaaS security?

SaaS security comprises a collection of controls, policies, and practices that serve to protect Software-as-a-Service applications from malicious actors. It mostly has to do with defending sensitive corporate data stored on SaaS apps. SaaS security is necessary because each SaaS app typically has its own security controls, many of which are up to end users to configure. This is not optimal from a security perspective, especially because SaaS apps can typically be accessed from devices anywhere in the world.

SaaS security in 2024: The top challenges

SaaS security today presents a host of challenges for security managers. One problem is that even if a company has robust cybersecurity controls and countermeasures, they may not extend to SaaS. Some of the most pressing issues include:

• Shadow SaaS—Sometimes, an employee will set up a SaaS account using a credit card and proceed to put corporate data onto that SaaS app without notifying the IT department or security team. This is known as “shadow SaaS.” It’s common, and highly problematic from a security perspective.
• Insecure SaaS configurations—Each SaaS app can be configured separately, and this is only natural, given that each app is hosted and managed by a separate company. In many cases, the individual end user can choose how to configure their own security settings, leading to situations where files are exposed to the general public, for example. Other misconfiguration risks include leaving on default settings, permitting easy-to-guess passwords, not requiring Multi-Factor Authentication (MFA), and more.
• Lack of visibility into third-party risks—SaaS apps are often integrated with third-party systems, including other SaaS apps. These integrations, typically done with plugins, are a source of SaaS risk. A SaaS app may treat a plugin like a user, except it may not require any authentication after the initial interaction, so a malicious actor can penetrate a SaaS app using an insecure plugin.
• Insider threats—Employees can pose a threat to your SaaS security, as they can to other digital assets. The difference is that with SaaS, it can be a lot harder to track who is doing what, and insiders can exfiltrate data, for example, before anyone knows what they did. In some cases, the threat is accidental, such as when an employee moves data to a SaaS app without realizing that it’s against policy to do so.
• Potential compliance violations, e.g., consumer privacy—If security and compliance teams do not have visibility into corporate data stored on SaaS apps, the organization is at risk for violating regulations and industry frameworks that protect consumer privacy. Alternatively, SaaS configurations and IAM issues can lead to situations where a company is out of compliance with regulations that require restricted access to financial systems.
• Deficient data security—SaaS apps store data, and there are frequently situations where security managers don’t know what data is where, and whether it’s subject to security policies like encryption or access controls.
• Poor access control management (IAM)—Without centralized identity and access management (IAM), SaaS users log into each app’s separate access control system independently. You can quickly have a situation where a hundred SaaS apps comprise a hundred different access management systems. It becomes impossible to know who has access to what. Former employees can still log into and get their hands on confidential data, to name one of many risks inherent in this scenario.

7 Essential SaaS Security Best Practices

What does it take to realize effective SaaS security? Although the field is still relatively new, a set of best practices is emerging that can guide you in defending your SaaS environment from increasingly serious threats. Here are seven essential SaaS security best practices to consider:

1. Implement Centralized User Authentication and Access Controls

Your SaaS security posture will improve dramatically if you can control who has access to each SaaS app and what privileges they have once they have logged into the app. To realize this objective, you can integrate your IAM solution to each SaaS app. That way, you can centrally define access rights and privileges. For example, you could integrate Microsoft Active Directory with Salesforce.com, Workday, HubSpot, and so forth. Alternatively, you could deploy a purpose-built solution.

2. Scan (and train) for Shadow SaaS

Shadow SaaS creates risk exposure across multiple dimensions. Employees may place sensitive data on SaaS apps without proper controls. They may not set up adequate security protections, like MFA and data encryption. Worst of all, no one in IT or security knows about it. Two practices are recommended to reduce the potential for Shadow SaaS to occur, and if it does occur, to rein it in. Training can be helpful in this context. While training is not bulletproof, it is definitely wise to make employees aware that setting up their own SaaS accounts is a bad practice. Continuously scanning for Shadow SaaS is an even better idea. Using specialized tools like the Suridata SaaS security platform, you can monitor endpoints for activities that reveal the presence of Shadow SaaS accounts. The platform can then alert the right people and recommend remediations.

3. Include SaaS in Your Security Incident Response and Recovery Plans

It’s essential to prepare for a security incident that affects your SaaS apps. You might suffer a data breach through SaaS, or have to cope with a SaaS outage. Something is bound to happen. Indeed, Suridata’s research revealed that 88% of organizations have had a SaaS security incident of some kind. The security operations team should prepare to respond to an incident and recover from it. Some of this will involve preparing in advance, such as by arranging for data backup within the SaaS app itself. That way, if there’s a breach, it can be quickly remediated. The Security Operations Center (SOC) would do well to put together an incident response “playbook” for a SaaS security incident. The playbook, which could be entered into a Security Orchestration Automation and Response (SOAR) solution, might include steps like isolating affected endpoints, contacting the SaaS provider to determine the cause of the incident and track the vendor’s recovery efforts, notifying internal stakeholders like the legal department, and so forth.

4. Conduct SaaS Vendor Security Assessments

Subscribing to a SaaS app is more than just a technology decision. It’s a business relationship, much more so than the ones that come from licensing software. You’re working minute by minute with another company, often with your most critical information assets at stake. You want to be working with the right SaaS vendors. For this reason, it’s a best practice to conduct a SaaS vendor security assessment as part of the procurement process. For example, you could ask the vendor for specifics on how they secure their data centers and infrastructure, or if they have passed a SOC2 audit or other certifications. You can ask about their encryption and MFA options, and more.

5. Vet Your Third-Party SaaS Integration Plugins

Third-party integration plugins are a potential source of vulnerability, so it’s wise to vet these plugins for security. You will want to look at factors like the level of support for the plugin. Sometimes, a software company will make a SaaS plugin, but then abandon it. No one is keeping it up to date. That’s very bad for security. Even just looking at a plugin’s age will help. If a new version hasn’t come out in three years, yank it.

6. Continuously Monitor Your Entire SaaS Environment

One of the biggest problems in SaaS security is a lack of visibility into what’s happening across multiple SaaS apps. A best practice is to implement continuous monitoring of the entire SaaS environment. This might mean monitoring user sessions to detect suspicious activities or continuously checking to make sure that third-party integration plugins are secure, or that security configurations are not creating risk exposure. This capability requires the use of an SSPM platform or equivalent.

7. Map SaaS to Your Compliance Programs

SaaS needs to be part of any compliance process that involves financial transactions, health information, and privacy. The people responsible for compliance should know where SaaS apps store data that’s relevant to regulations and industry compliance frameworks like PCI-DSS. SaaS system owners likewise need to understand where their apps intersect with compliance. For example, a SaaS-based Enterprise Resource Planning (ERP) application may be subject to rules regarding financial controls, e.g., “segregation of duties” that prevents the same user from issuing a purchase order and approving a payment to that vendor. In that case, the SaaS owner has to show that user permissions on the app are adhering to such controls.

Getting SaaS Secure

SaaS security should be a priority. The risks of a data breach or comparably bad incident are too high for it to be neglected. Best practices can help you get started on the right track. These include centralizing user authentication and access controls, continuously monitoring the entire SaaS environment, and protecting your SaaS data through encryption, among others. By adhering to such best practices, it becomes possible to improve your overall SaaS security posture.