SaaS Insecurity: How to Regain Control

By Andrew Sweet, AppOmni.

Is your SaaS environment running? Then you better go catch it! Or, better yet, secure it.

Jokes aside, it’s common knowledge these days that SaaS environments are popular for their agility and scalability, helping businesses streamline operations, improve customer retention and much more. Done right, SaaS enables enterprises to make rapid, informed decisions and gain competitive advantage. But SaaS security is one of the most significant gaps in almost every organization's security posture, even though SaaS platforms house massive amounts of critical data. When the status quo is an annual (or quarterly at best) security assessment of a cloud service that consistently delivers updates once or twice a month in the background without visibility or guidance from InfoSec…. it’s time to recalibrate and disrupt the status quo.

Although SaaS platforms interact with sensitive, critical data, they often bypass security team scrutiny. In fact, many organizations have fallen short of defining even a minimum viable security posture for SaaS (except for data loss protection for transferring unstructured files). One of the biggest risks in SaaS is third-party apps that forge hidden pathways into a company’s most sensitive data, often with API connections or OAuth tokens that are undetected by traditional scanning and monitoring tools. And alarmingly, these apps are often approved and integrated by everyday users with no malicious intent but little understanding of cybersecurity and/or cloud.

Adding to the complexity, many organizations over-provision user access permissions and the permissions requested by many third-party apps to integrate into SaaS environments are typically quite excessive and often poorly managed. AppOmni’s research has found that 95 percent of companies have external users with over-privileged data access. And 55 percent of organizations leveraging SaaS have sensitive data inadvertently exposed on the internet, often due to misconfiguration. In other words, if your business uses SaaS there is a better chance you have sensitive data unknowingly exposed than not.

As Stan Lee, creator of Spider-Man taught us: with great power comes great responsibility. SaaS definitely gives enterprises great power, and organizations must embrace the responsibility to securely leverage that great power. We’ve seen consistent 20 percent-plus growth in SaaS spend every year in a $330 billion industry. With a focused approach, SaaS environments can be more secure and deliver greater results for your business.

5 Steps to Regain Control of SaaS Security

Here are 5 steps enterprise IT organizations can take to enjoy the benefits of SaaS while minimizing the risks.

1. Understand the Shared Responsibility Model.

You are 100 percent responsible for the governance of your data in the cloud. The vendor provides a secure platform, and the client organization is responsible for configuring, managing, and securely using the SaaS platform. This requires planning, automated guardrails, continuous monitoring and a common language to speak between InfoSec and App Owners.

2. Define Ownership.

With SaaS platforms impacting any number of business units while being managed by disparate IT groups, defining ownership of SaaS security is mandatory. Identify AppSec teams and Product Owners and establish a regular cadence of communication. Assign those teams individual responsibilities for remediation and configuration/data access monitoring adhering to security best practices defined by InfoSec.

3. Reevaluate Traditional Approaches.

Two of the most common approaches to SaaS security are Cloud Access Security Brokers (CASBs) and pentests. While helpful, they have significant limitations. CASBs rely on an architecture originally built as an extension of network security to analyze and broker traffic to the cloud. After inspection of the traffic funneled through the proxy, CASBs lose visibility to that traffic. Furthermore, they’re not looking at the traffic bypassing the proxy gateways and connecting directly to SaaS providers. Pentests are great ways to validate and bolster your security posture, but they are a point-in-time snapshot and rendered obsolete as soon as configurations change, vendors push out patches or updates or new users are onboarded. Think holistically and adopt solutions that are “always on” to maintain secure configurations.

4. Don’t Boil the Ocean.

Be strategic. Be pragmatic. Standardize. Identify the top 3-5 SaaS apps in your organization (good indicators are number of users, annual spend, and value of the data). Use tools to automate and reduce time to deployment. Look for tools that span all data access points and continuously monitor users, data access, and configurations. The best solutions will be designed by engineers who have intimate knowledge of emerging and established SaaS apps and have a deep bench of in-house product security expertise. A best practice to quickly and effectively scale security to dozens or hundreds of SaaS apps is to vigorously standardize security and build it into the foundation of your program, from the ground up.

5. Don’t Be an Ostrich.

Don’t wait for an issue to arise to review your SaaS security strategy. It costs $0 to define ownership of SaaS Security and establish a relationship and consistent communication between InfoSec Architects and Product/App Owners. That’s also a great way to lay the groundworks for a SaaS Center of Excellence.

With most cybersecurity teams running at 120%+ utilization and an unprecedented worker shortage keeping resources lean, being proactive is challenging. But with an understanding of how SaaS environments can become a liability and implementing protections against that, organizations can maximize the full potential of their technology ecosystem. It’s time to start rethinking the approach to SaaS security management and regain control of your SaaS environments.

About the Author

Andrew Sweet helps enterprise organizations at AppOmni and has been advising clients on advanced technologies for almost 20 years. His experience includes building the market for Cloud Security Posture Management at RedLock and helping to build the market-leading cloud-native security platform Prisma Cloud at Palo Alto Networks.