Misconfigurations 101: The Three V’s of SaaS App Configurations Weaknesses
Published 10/14/2022
Originally published by Adaptive Shield here.
The ease with which SaaS apps can be deployed and adopted is remarkable, but it has quickly become a double-edged sword. On one hand, the availability of SaaS tools enables employees to work from anywhere. For IT and security teams however, the adoption of SaaS apps has become a daunting endeavor.
CISOs and security professionals have cited SaaS misconfigurations as a leading cause (up to 63%!) of security incidents in the past year. Misconfigurations are brought on by many different factors, the top three can be summed up into the three V’s:
Visibility
There is an inherent paradox in SaaS security: Most SaaS app owners and admins, the ones responsible to manage the app’s security settings and have profound control, are individuals who sit outside the security department. Business departments own these apps because it's what allows them to do their job efficiently. However, these individuals are untrained and not focused on security measures; these admins are working towards their departmental KPIs. For instance, Hubspot is usually owned by the marketing department, likewise, Salesforce is often owned by the business and/or Sales department, etc. Yet, it’s the security team's responsibility to secure the organization's SaaS app stack and they cannot effectively execute this task without full control and visibility of the SaaS app. The security teams often end up in the dark about the security protocols in place — and need to proactively check in with the numerous app owners to see the configurations and remediate any issues.
Volume
If you break it down by the numbers, a typical enterprise has hundreds to thousands of SaaS apps. Each app has as many as hundreds of global settings such as which files can be shared, whether MFA is required, if recording is allowed in video conferencing, and more. Multiply this number by thousands – or tens (or even hundreds) of thousands – of employees.
Security teams must familiarize themselves with each application’s specific set of rules and configurations and ensure they are compliant with their company’s policies. With hundreds of app setups and tens of thousands of user roles and privileges, this quickly becomes an unsustainable scenario. Not to mention the SaaS-to-SaaS apps that are being added to the organization’s ecosystem without the security team’s knowledge.
Velocity
The SaaS app environment is dynamic and continuously evolving. Employees consistently are added or removed, new apps onboarded with permissions and configurations set, reset, changed and/or updated. There are also continuous, compliance updates to meet industry standards and best practices (NIST, SOC2, MITRE, etc.) that need to be checked. Security teams need to continuously ensure that all configurations are correctly configured company-wide, with no exceptions. Considering the high volume of apps and configurations, as mentioned in the first ‘V’, this translates to hundreds of hours of continuous work and effort that is just not sustainable.
How to Gain SaaS Security Control
Companies aren’t about to slow down their adoption of SaaS apps and with each new app integration comes a series of new configurations to secure. To regain control, organizations need a solution that can resolve all the challenges brought on by these 3 Vs: Volume, Velocity, and Lack of Visibility.
Organizations can ease the burden of misconfiguration management by implementing an automated solution, such as SSPM, that offers:
- In-Depth Monitoring and Alerting to run security checks by app, user, severity or any other metric indicating a misconfiguration in your SaaS and get alerts when these configuration drifts happen.
- Automation & Remediation to get a step-by-step remediation description to see exactly how to fix the SaaS misconfiguration
- User Inventory to enable seamless user management and investigation across all SaaS apps; from user access to specific apps, through their privileged roles & permissions, up to which security checks they failed at while focusing on privileged users.
- Compliance Mapping to compare SaaS security checks with the major industry standards, such as NIST, SOC2, ISO, to ensure you comply or build your own custom company policy.
Misconfiguration management is one of the crucial areas security teams need to secure, but not the only area that secures an organization’s SaaS stack. Other key areas include SaaS-to-SaaS Access and Discovery and Device-to-SaaS User Management. The right SSPM solution will allow security teams to not only gain control of their misconfigurations but also these additional use cases to ensure an organization’s overall SaaS security.
Related Articles:
How Cloud-Native Architectures Reshape Security: SOC2 and Secrets Management
Published: 11/22/2024
It’s Time to Split the CISO Role if We Are to Save It
Published: 11/22/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
5 Big Cybersecurity Laws You Need to Know About Ahead of 2025
Published: 11/20/2024