Improving Data Security for SaaS Apps - 5 Key Questions every CISO needs to ask
Summary: The rapid uptake of game-changing SaaS applications had been transforming the way organizations do business long before COVID-19 emerged and the remote workforce expanded overnight. These key business enablers - including Salesforce, ServiceNow and Workday, among many others - offer indisputable strategic and operational benefits given their cloud orientation. Yet, among the few obstacles to even broader adoption, security and compliance considerations remain tangible challenges, and post-pandemic growth in usage only sharpens them. Today’s security practitioners need practical guidelines and technical capabilities that support their expanding SaaS usage.
Most of today’s organizations continue to pursue an aggressive multi-cloud strategy when it comes to engaging popular SaaS apps such as Salesforce, ServiceNow, and Workday, among many others. The key drivers of this adoption are clear as these tools offer best-in-class capabilities for automating critical workflows. From enabling real-time collaboration from any location to offering more efficient operations and pricing models, these SaaS apps have fundamentally changed the way we do business.
Now, with COVID-19 driving a massive expansion of the remote workforce and further emphasizing the inherent value of these platforms, organizations are even hungrier to deepen and optimize their use of the cloud.
At the same time, as the use of key enabling SaaS apps continues to increase, so do the related security considerations; these range from enforcing proper access to effectively maintaining data security. High-profile data breaches such as the Equifax and Capital One incidents have raised serious concerns about securing data that is spread across multiple SaaS apps in particular.
Regardless of where data is stored in these tools, it is exposed to zero-days, bad actors, and the even more common problems of human error and broken business processes. Further complicating the situation is the fact that enterprises rarely, if ever, get to apply a “one-size-fits-all” approach to SaaS data protection.
To wit, some data by its nature needs to be accessed by a wide group of users, while access to more sensitive data most often needs to be limited to a smaller subset. Add the almost endless array of use case requirements across every organization and its partners, and the result is a daunting level of complexity.
For example, in a healthcare setting, medical records are extremely sensitive and typically required by law to be subject to specific controls. Yet, to enable the business and support legitimate workflows, proper data protection depends on fine-grained matters of context: who is asking, for what purpose, and from what kind of device. Extrapolate this across all of the unique roles and data workflows running through a popular SaaS app within a large hospital or health insurance provider and you begin to get a feel for the larger challenge.
So, to cover all the SaaS security bases, today’s CISOs and InfoSec teams must ask themselves some key questions, including:
- What use cases do SaaS applications’ native security tools address, and where is there a need for additional coverage?
- How well is cloud data protected from insider and external threats such as compromised accounts, theft, and malware?
- Does the organization have sufficient capabilities in place to identify, monitor, and enforce adherence to related security and compliance policies?
- How well are controls implemented when it comes to supporting both managed and unmanaged devices to enable the remote workforce?
- Do the SaaS apps comply with the regulations on data protection and privacy such as GDPR, CCPA, HIPAA, PCI, GLBA, and ITAR?
Solutions such as Cloud Access Security Brokers (CASB) apply a Zero Trust approach to cloud data security - a strategy focused specifically on protecting sensitive enterprise data held in SaaS apps, and therefore on answering exactly these challenges.
A CASB’s central premise should be granular and policy-based data protection to cover every scenario. This means that security policies must travel with the data and maintain exclusive control over access and handling, regardless of where it resides in the cloud. This enables enterprises to safely adopt a multi-cloud strategy, ensuring that confidential and sensitive data is protected across all locations - in the cloud, on managed user devices, and unmanaged remote endpoints.
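The idea that a policy should follow the data, combining the data’s classification with the requester’s role and the device’s managed or unmanaged posture (the question raised above about remote-workforce controls, and the healthcare example earlier), can be made concrete with a small decision function. The code below is an added illustration written for this post, not code from CSA or from any CASB product; the roles, classification ceilings and sample requests are hypothetical values constructed for the example.

```python
"""Illustrative policy-based access decision for SaaS data (added example)."""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Data classification levels, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class AccessRequest:
    user_role: str
    sensitivity: Sensitivity
    action: str           # "view" or "download"
    device_managed: bool  # True for an enrolled, managed endpoint


@dataclass(frozen=True)
class Decision:
    effect: str  # "allow" or "deny"
    reason: str


# Hypothetical role entitlements: the highest classification each role may access.
ROLE_CEILING = {
    "clinician": Sensitivity.RESTRICTED,
    "billing": Sensitivity.CONFIDENTIAL,
    "marketing": Sensitivity.INTERNAL,
}

# Hypothetical device-posture rule: the highest classification an unmanaged
# device may handle for each action. Managed devices are bounded only by role.
UNMANAGED_CEILING = {
    "view": Sensitivity.CONFIDENTIAL,
    "download": Sensitivity.INTERNAL,
}


def evaluate(req: AccessRequest) -> Decision:
    """Apply role entitlement first, then device posture; deny by default."""
    if req.action not in UNMANAGED_CEILING:
        return Decision("deny", f"unknown action {req.action!r}")
    role_ceiling = ROLE_CEILING.get(req.user_role)
    if role_ceiling is None:
        return Decision("deny", f"unknown role {req.user_role!r}")
    if req.sensitivity > role_ceiling:
        return Decision("deny", f"role {req.user_role!r} not entitled to {req.sensitivity.name}")
    if not req.device_managed and req.sensitivity > UNMANAGED_CEILING[req.action]:
        return Decision("deny", f"{req.action} of {req.sensitivity.name} data blocked on unmanaged device")
    return Decision("allow", "role entitled and device posture acceptable")


def audit_batch(requests):
    """Evaluate a batch and return (decisions, deny_count) for monitoring."""
    decisions = [evaluate(r) for r in requests]
    return decisions, sum(1 for d in decisions if d.effect == "deny")


# Constructed sample requests covering each branch of the policy.
SAMPLE_REQUESTS = [
    AccessRequest("clinician", Sensitivity.RESTRICTED, "download", True),
    AccessRequest("clinician", Sensitivity.RESTRICTED, "view", False),
    AccessRequest("clinician", Sensitivity.CONFIDENTIAL, "view", False),
    AccessRequest("clinician", Sensitivity.CONFIDENTIAL, "download", False),
    AccessRequest("marketing", Sensitivity.RESTRICTED, "view", True),
    AccessRequest("billing", Sensitivity.PUBLIC, "download", False),
]

if __name__ == "__main__":
    decisions, denies = audit_batch(SAMPLE_REQUESTS)
    for req, dec in zip(SAMPLE_REQUESTS, decisions):
        print(f"{req.user_role:10} {req.sensitivity.name:12} {req.action:8} "
              f"managed={req.device_managed!s:5} -> {dec.effect}: {dec.reason}")
    print(f"{denies} of {len(SAMPLE_REQUESTS)} requests denied")
```

Two design points carry over to a real deployment: the decision is deny-by-default (an unknown role or action is refused rather than falling through), and the role check and the posture check are independent layers, so a clinician who is entitled to restricted records on a managed workstation is still refused the same records from an unmanaged personal device. The deny count returned by `audit_batch` is the kind of signal a monitoring policy would feed into reporting.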
To learn more about best practices for SaaS apps security, register for the webinar “5 Steps to Improving Data Protection for Salesforce, ServiceNow and Workday”.