How to avoid the biggest mistakes with your SaaS security
This blog was originally published on Wandera.com
The biggest mistakes in SaaS security
The popularity of SaaS applications for businesses continues to grow, with 95% of businesses hosting sensitive information in the cloud. Traditional security models are boundary-focused and rely on firewalls and other perimeter appliances. These models are not compatible with modern cloud-oriented services, and as a result businesses have had to adapt their security strategies.
In this blog, we cover the top three mistakes that are made in SaaS security:
- Focusing on identity authentication
- Assessing risk only when a session is initiated
- Leaving applications exposed to outside parties
Focusing on identity authentication
In the past, when applications were hosted on the corporate network and only accessible from the office, security teams could reasonably trust that the device being used to connect was authorized. To ensure that only the approved workers had access to applications, users were provided with login credentials.
In contrast, SaaS applications are accessible to any user, from any endpoint, in any location. To mitigate the risk of stolen credentials, many businesses have stepped up their identity authentication measures by implementing multi-factor authentication (MFA). MFA requires that, in addition to credentials, at least one other form of identification is provided: something the user has, such as a phone that receives an MFA code via SMS, or something they are, for example a biometric such as a fingerprint.
While MFA is a recommended security practice, it does not provide enough security on its own. A legitimate, fully authenticated user could be connecting from an endpoint with an out-of-date operating system, malicious or leaky apps, or a risky network, any of which has the potential to lead to a data breach.
Businesses need to verify both that the user is authenticated and that the endpoint is secure, and grant access to SaaS applications only when both requirements are met. Some businesses do check device health via their UEM or IdP; however, these checks are often cursory and lack depth. Gartner has highlighted Mobile Threat Defense (MTD) as a comprehensive tool for evaluating whether an endpoint is secure; it is a solution worth considering for enhanced visibility over your environment and for identifying and preventing cyber attacks.
How often should threats and vulnerabilities be assessed?
The second mistake is assessing risk only when a session is initiated. Many tools are configured to conduct assessments at the time of authentication, or when a new session begins. While this is logically an important time to assess risk, in practice it is insufficient for protecting a SaaS application.
Many SSO tools keep sessions alive and users authenticated for days, weeks, and even months. This leaves a long gap between assessments, during which the security risk can change dramatically: a user could leave vulnerabilities unpatched, accidentally install suspicious software, or connect to unsecured Wi-Fi. When any of these events occurs, a business's preferred policy might be to disable access to SaaS applications until the issue is resolved, but without ongoing assessment this is not possible.
One of the many benefits of SaaS applications is that they can potentially be accessed by a user from any location with a personal device. Personal devices give workers enormous flexibility, and, as a result, their use typically drives an increase in productivity. However, personal devices are more likely to be misconfigured or exposed to threats than managed corporate devices.
It is essential that businesses select tools that continuously assess risk and create policies that can be enforced the moment risk is detected.
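The two points above, that access should require a verified identity and a healthy endpoint, and that the endpoint must be re-checked continuously rather than only at login, can be shown in a small policy engine. The block below is an added example written for this article; it is not code from Wandera or any UEM, IdP or MTD product. The policy thresholds, the risk-category names an agent is assumed to report, and the sample device timeline are all constructed assumptions.

```python
# Added example (not from the original article or any vendor product): a toy
# access-policy engine that requires BOTH a verified identity and a healthy
# endpoint, then replays one device timeline through a login-time-only check
# and a per-request check. Thresholds, signal names and the timeline are
# constructed assumptions for illustration.
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Assumed policy: minimum OS version, app categories an MTD-style agent might
# report that the business blocks, and network types it treats as risky.
MIN_OS_VERSION = (16, 4)
BLOCKED_APP_CATEGORIES = {"malware", "sideloaded", "data-leaking"}
RISKY_NETWORK_TYPES = {"open-wifi", "captive-portal", "tls-intercept"}


@dataclass(frozen=True)
class DevicePosture:
    os_version: Tuple[int, int]
    apps: Dict[str, str]      # app name -> risk category (assumed agent output)
    network_type: str


@dataclass(frozen=True)
class AuthContext:
    user: str
    password_ok: bool
    mfa_ok: bool


def posture_violations(p: DevicePosture) -> List[str]:
    """Return every policy violation on the endpoint, empty if healthy."""
    found = []
    if p.os_version < MIN_OS_VERSION:
        found.append("os_outdated:%d.%d" % p.os_version)
    for name, category in sorted(p.apps.items()):
        if category in BLOCKED_APP_CATEGORIES:
            found.append(f"risky_app:{name}:{category}")
    if p.network_type in RISKY_NETWORK_TYPES:
        found.append(f"risky_network:{p.network_type}")
    return found


def decide(auth: AuthContext, posture: DevicePosture) -> Tuple[bool, List[str]]:
    """Allow only when identity is verified AND the device has no violations."""
    reasons = []
    if not (auth.password_ok and auth.mfa_ok):
        reasons.append("identity_not_verified")
    reasons.extend(posture_violations(posture))
    return (not reasons, reasons)


# Constructed sample: (moment, posture the agent observes at that moment).
HEALTHY = DevicePosture((16, 5), {"Mail": "managed", "Maps": "store"}, "corp-wifi")
TIMELINE = [
    ("t0 login", HEALTHY),
    ("t1 opens report", HEALTHY),
    ("t2 joins cafe wifi", replace(HEALTHY, network_type="open-wifi")),
    ("t3 sideloads an app", replace(HEALTHY, network_type="open-wifi",
                                    apps={**HEALTHY.apps, "FreeVPN": "sideloaded"})),
    ("t4 app removed, back on corp wifi", HEALTHY),
]
AUTH_OK = AuthContext("alice", password_ok=True, mfa_ok=True)


def login_only_timeline(auth, timeline):
    """Mistake: posture is evaluated once at session start and never again,
    so every later request inherits the login-time decision."""
    allowed, reasons = decide(auth, timeline[0][1])
    return [(moment, allowed, reasons) for moment, _ in timeline]


def continuous_timeline(auth, timeline):
    """Each request re-evaluates posture, so access is cut the moment risk
    appears and returns once the condition is resolved."""
    return [(moment, *decide(auth, posture)) for moment, posture in timeline]


if __name__ == "__main__":
    for label, fn in (("login-only", login_only_timeline),
                      ("continuous", continuous_timeline)):
        print(label)
        for moment, allowed, reasons in fn(AUTH_OK, TIMELINE):
            print(f"  {moment:36} {'ALLOW' if allowed else 'DENY':5} {reasons}")
```

Running it shows the login-only check allowing all five requests because the device was healthy at t0, while the per-request check denies t2 and t3 (open Wi-Fi, then a sideloaded app on top of it) and restores access at t4 once both conditions are gone. A real deployment would feed `decide` from the UEM, IdP and MTD signals rather than a hand-built timeline, but the shape of the decision is the same.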
Leaving applications exposed to outside parties
SaaS applications are hosted on the internet, which is great for productivity because the service is available at all times and from everywhere. However, it also means that anyone can discover you are using the service and attack it. While a login screen such as [YourBusinessName].[SaaSservice].com is convenient, it is effectively a signpost for bad actors.
Preventing unauthenticated and unauthorized parties from reaching applications at all is one of the most important principles of Zero Trust Network Access (ZTNA). ZTNA is the best-practice framework for secure access to business applications. Unfortunately, many businesses are not ZTNA-ready and will need to update their security strategy.
If a business has not created a ZTNA roadmap, it should begin building one to kick off the transformation. One of the essential building blocks is a Software-Defined Perimeter (SDP), which businesses can begin implementing today with relatively little work or cost.
SDPs that use modern protocols such as Single Packet Authorization (SPA) are considered best in class. With SPA the protected service sits behind a default-drop firewall: every packet is silently dropped unless it is a single, cryptographically authenticated packet from a verified source, after which the firewall opens the service to that source alone for a short window. Because nothing is ever sent back to an unverified source, applications protected this way are cloaked from port scans and discovery. The technique also helps against DDoS, since no overhead is spent responding to unsolicited packets, although it does not stop a volumetric flood from saturating the network link in front of the gateway.
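The SPA exchange just described, as an added example written for this article; it is not fwknop, any SDP product's wire format, or code from the original post. The design is an assumption chosen to make the mechanism visible: a pre-shared key, an HMAC-SHA256 tag over the packet fields, a freshness window and a nonce cache against replay, with a Python class standing in for a default-drop firewall that opens one port to one source.

```python
# Added example (not from the original article, fwknop or any vendor): a
# minimal Single Packet Authorization exchange. Assumed design: pre-shared key,
# HMAC-SHA256 over all packet fields, a freshness window and a nonce cache.
# SpaGateway stands in for a default-drop firewall. It never sends a reply to
# the sender; the verdict strings exist only for the gateway's own log, which
# is what cloaks the service from scanners.
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Set, Tuple

SHARED_KEY = b"example-preshared-key-do-not-use"  # assumed, illustration only
TIME_WINDOW = 30    # seconds of clock skew tolerated
OPEN_FOR = 30       # seconds the firewall hole stays open after a valid packet


def build_spa_packet(key: bytes, src_ip: str, dst_port: int,
                     now: Optional[int] = None, nonce: Optional[bytes] = None) -> bytes:
    """Client side: one datagram whose every field is covered by the MAC,
    including the source IP the client expects the gateway to observe."""
    now = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    body = f"{src_ip}|{dst_port}|{now}|{nonce.hex()}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class SpaGateway:
    """Server side: drop everything by default; open a port to one source only
    after a valid, fresh, unreplayed SPA packet from that source."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces: Set[bytes] = set()   # prune entries older than TIME_WINDOW in production
        self.allowed: Dict[Tuple[str, int], int] = {}   # (src_ip, port) -> expiry time

    def receive(self, datagram: bytes, observed_src_ip: str, now: int) -> str:
        fields = datagram.split(b"|")
        if len(fields) != 5:
            return "drop:malformed"          # port scans, random probes
        body = b"|".join(fields[:4])
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, fields[4]):
            return "drop:bad_mac"            # forged or tampered packet
        # Only a key holder can reach this point, so parsing the fields is safe.
        claimed_ip = fields[0].decode()
        port, ts, nonce = int(fields[1]), int(fields[2]), fields[3]
        if abs(now - ts) > TIME_WINDOW:
            return "drop:stale"              # old capture replayed later
        if claimed_ip != observed_src_ip:
            return "drop:spoofed_src"        # valid packet replayed from elsewhere
        if nonce in self.seen_nonces:
            return "drop:replay"             # same packet seen inside the window
        self.seen_nonces.add(nonce)
        self.allowed[(claimed_ip, port)] = now + OPEN_FOR
        return "open"

    def connection_allowed(self, src_ip: str, port: int, now: int) -> bool:
        """The follow-up TCP connection is admitted only inside the open window."""
        return self.allowed.get((src_ip, port), -1) >= now


if __name__ == "__main__":
    gw = SpaGateway(SHARED_KEY)
    t = int(time.time())
    print(gw.receive(b"\x16\x03\x01 random scan probe", "198.51.100.9", t))
    pkt = build_spa_packet(SHARED_KEY, "203.0.113.7", 443, now=t)
    print(gw.receive(pkt, "203.0.113.7", t))
    print(gw.connection_allowed("203.0.113.7", 443, t + 5))
    print(gw.connection_allowed("198.51.100.9", 443, t + 5))
    print(gw.receive(pkt, "203.0.113.7", t + 1))
```

The order of checks matters: the MAC is verified before any field is trusted, so a scanner's probe costs the gateway one hash and no response, and a captured packet fails either the freshness window, the source-address binding or the nonce cache depending on how it is replayed. Note what the gateway does not do: it cannot stop the packets from arriving, which is why SPA shrinks the application-layer attack surface but does not by itself absorb a bandwidth flood.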
Summary of the SaaS security pitfalls
SaaS applications are exposed to different attack vectors and vulnerabilities from their on-premises counterparts, which mandates a new security strategy, ZTNA, to ensure that the business is adequately protected. To avoid common mistakes and to enhance SaaS security, businesses should:
- Authenticate users and secure endpoints before granting users access to SaaS applications.
- Continuously assess risk, and enforce policies that mitigate risks the moment they arise.
- Eliminate the broad accessibility of SaaS applications by cloaking them until users and endpoints are verified.