Launching a Corporate SaaS Security Program

Originally published by Obsidian Security.

Written by Kelsey Brazill.

As organizations increasingly rely on SaaS applications to conduct business, the importance of a thorough SaaS security program cannot be overstated for protecting the business and its sensitive data. Over 30% of business-critical data now resides in SaaS, and this is only expected to increase with the adoption of SaaS rapidly accelerating. It was this exact objective that Pure Storage needed help solving: securing data in their critical SaaS applications.

I sat down with the Pure Storage SaaS Security Lead, Hammad Yacoob, to learn more about what drove their initiative, how they’ve achieved success, and the lessons they’ve learned in the process.

The Urgency of Addressing SaaS Security

Like most businesses today, Pure Storage has hundreds of individual SaaS applications in its environment for a variety of specific business productivity functions. For Hammad, the need to prioritize securing these applications is obvious; “If it hasn’t already migrated to SaaS, it will be migrating to SaaS and sensitive data is migrating along with it.”

Pure Storage wanted its SaaS Security program to ensure a few critical outcomes:

• The ability to ensure accountability of application owners across the organization.
• Customer data is continuously protected in accordance with internal and regulatory requirements.
• An accessible, actionable, and scalable way to prevent and detect SaaS threats.

Securing sensitive corporate data and ensuring compliance with industry regulations are critical considerations for any company adopting SaaS.

Core Components of an Impactful Program

• Establish a security standard for application owners: Developing and communicating clear security policies and guidelines is essential for creating a secure SaaS environment. These policies should address aspects such as SSO or MFA requirements, access controls, least privilege, and acceptable use of SaaS applications. Employees must be educated on these policies and reminded of their responsibilities regarding SaaS security. Establishing and regularly auditing clear guidelines help set expectations and foster a culture of security awareness throughout the organization.
• Comply with regulatory requirements: All organizations need to comply with some combination of internal standards, regulatory frameworks, and data protection laws. Ensuring that your SaaS security program aligns with these requirements can get complicated quickly, as regulations may differ across jurisdictions. Organizations must navigate these complexities and incorporate necessary controls to measure, maintain, and prove compliance.
• Continually monitor and analyze SaaS activity: Implementing continuous monitoring and analysis of SaaS activity is crucial for detecting any suspicious or unauthorized behavior prior to sensitive data exfiltration. To do so, security teams need a complete understanding of which users and integrations are accessing their environment, what they’re doing, and when they’re behaving in a risky, unusual, or malicious way.

A Word to the Wise: Challenges to Consider

Before embarking on your SaaS security journey, Hammad recommends thinking through a handful of complexities that you will undoubtedly need to address when it comes to SaaS:

• User adoption and resistance: Introducing new security measures or restrictions can sometimes face resistance from employees who don’t understand them or perceive them as hindrances to their productivity. “Your SaaS Security Program is only as strong as the level of commitment you get from your application owners.”
  
  Remedy: User adoption of security practices requires effective communication, training, and ongoing support to ensure compliance. A well-established security standard can help ensure that. It’s also crucial to have an abstraction layer that connects app owners, security personnel, and governance teams and aligns them in a shared goal: deploying SaaS apps in a secure and compliant way.

• Fractured and incomplete visibility: Organizations often use multiple SaaS applications from different providers, each with its own security protocols and features. Coordinating and managing security governance across various SaaS solutions is complex and time-consuming when done manually. Decentralized control and lack of oversight make it difficult to establish a centralized program, leaving you vulnerable to security gaps.
  
  Remedy: Hammad recommends working with an SSPM provider for much-needed expertise and a scalable solution to ensure governance, risk, and compliance across your entire SaaS infrastructure.

• The evolving threat landscape and third-party integration risk: SaaS applications are designed to be interconnected, creating a seamless user experience with data synchronization between multiple services. However, integrating numerous third-party applications creates an elaborate web of shared data that is being actively targeted by bad actors. Third-party integration management is becoming a complex exercise in SaaS risk analysis and continuous threat management.
  
  Remedy: Leverage an SSPM provider for visibility into your integrations across the entire SaaS estate. This allows you to automatically remediate SaaS third-party integration threats in real time via centrally defined security policies.

By addressing these difficulties proactively, organizations can establish a solid and resilient SaaS security program that safeguards their digital assets.

Closing Recommendations for Ensuring Success

As we wrapped our conversation Hammad provided some closing advice: as this unique space continues to evolve, choose a SaaS security solution that you can partner with strategically to execute your SaaS Security Program. Leveraging the right technology will provide a complete understanding of your entire SaaS environment empowering you to proactively minimize risk, ensure compliance, and promptly identify threats in a scalable way.