Assessing The Maturity of Your SaaS Security Program

Originally published by Grip Security.

Written by Lior Yaari, CEO, Grip Security.

Buying something as a service has clear benefits over the traditional method of purchasing software that are undeniable: no setup, lower costs, faster ROI, scalability, fast upgrades and universal accessibility. Purchasing SaaS has become so easy that anybody with a credit card and email address is able to acquire a license and start using the most powerful software. This has created unique challenges for security teams and requires them to evaluate the maturity of their SaaS security using a framework that was developed for the unique challenges SaaS creates.

Several industry standards specify best practices to help companies secure their SaaS apps. A slew of startups are also coming to market with products designed to help with the SaaS security problem. What is missing, however, is an end-to-end framework that helps companies understand where they are in the SaaS security journey with a clear view of what they are trying to achieve. One key shortcoming in today’s security standards is that they are all mostly focused on securing and managing SaaS apps security teams know about or are used regularly. This starting point just does not apply to the reality of SaaS today, which is acquired by employees and never reported or used for a one-off task or project.

Based on the work Grip has done with hundreds of CISOs, we have defined four stages of maturity we have seen in SaaS security programs.

1. Discovery

Discovery is the first stage in SaaS security, and it provides the foundation for a robust SaaS security program. Microsoft estimates that 80% of employees use non-sanctioned apps, which is consistent with what we have seen when working with companies. There are different methods of SaaS discovery, ranging from self-reporting to network traffic analysis to log analysis, and most companies use a combination of methods.

The challenge most companies face in the discovery stage is the sheer volume of data that needs to be collected, analyzed and processed. Many of the discovery methods rely on log collection based on user actions, and turning raw logs into actionable security insights is not an easy task. Even the products that process the logs and create alerts face the challenge of identifying the right indicators of SaaS usage activity, resulting in a high volume of false positives. Though conceptually straightforward, this is a stage with which many companies struggle.

2. Prioritization

SaaS security programs that have successfully mastered the discovery stage quickly realize that the number of SaaS apps being used is much higher than they expected. A 2020 report from Blissfully found that the turnover of SaaS apps was higher than employee turnover. This means that security teams will continuously identify new apps and need to assess their risk to understand which policies apply. Companies in this stage are able to prioritize their risks and mitigate them.

Prioritization is critical to SaaS security programs because not all SaaS apps are equal when it comes to risk. Some just gather publicly available data, while others are used to analyze confidential or proprietary data. Prioritizing risk helps SaaS security programs understand which apps pose the highest risk so they can be secured appropriately. However, the challenge faced by companies in the prioritization stage is the volume of apps discovered and the time-consuming process of evaluating each app, which has the potential to overwhelm security teams.

3. Securing

Securing SaaS apps is the next stage, and most companies already do this to some extent. This stage is required to receive and maintain compliance to industry standards such as SOC2 and ISO 27001. The method could range from just blocking access to prohibiting the use of high-risk apps or integrating the apps to the single-sign-on (SSO) application that forces users to authenticate themselves and tracks usage.

Every company has a group of apps that are used widely. Examples include apps used in human resources or customer relationship management software. Securing these apps through methods like SSO makes sense. But the vast majority of SaaS apps are not used widely but by one department or even just a few people in a department. Securing these apps using SSO does not make sense because integration usually requires upgrading the user license and work on the backend. Companies often have done a great job securing the most widely used apps. Securing the hundreds of unmanaged SaaS with a small number of users is more difficult, and nearly every company struggles with this.

4. Command

The final stage of SaaS security maturity is command. Companies in this stage have established a sustainable, repeatable program that is continuous and supported by automation. Companies reaching this stage have the ability to know metrics in real time such as:

Total number of SaaS applications discovered

Number of employees using them

Sanctioned or unsanctioned status of SaaS apps

Authentication method used (e.g., SSO, identity provider, username/password)

Prioritization of risk level

Automated employee offboarding from all SaaS apps

When companies have command of their SaaS security, they have clear control of their SaaS security risks and have the ability to secure and manage their risk for all types of SaaS.

Journey Not a Destination

The four stages of SaaS security maturity are useful for companies trying to assess their programs and to highlight why securing SaaS apps is different from traditional security. SaaS lives beyond the enterprise perimeter and is accessible from anywhere from any device. Security involves controlling the endpoint, network connectivity or the user identity. Most of the SaaS used in a company is completely unmanaged, and the company does not control any of the typical enforcement mechanisms.

This provides unique challenges that the industry is starting to recognize. Given the continuous stream of new apps coming online constantly, taking an honest look at the maturity of the SaaS security program can help companies gain insights into risks they knew existed but perhaps did not fully understand.