The vast majority of organizations use cloud environments and many have multi-cloud implementations, with the average enterprise leveraging services from five cloud providers. Cloud computing is understandably popular, but it also poses a number of security threats including compliance issues, breaches of contracts, non-secured APIs and misconfigurations.
Software-as-a-Service (SaaS) environments are a particularly attractive target for cybercriminals because they tend to store a large variety and amount of sensitive data, including payment card details and personally identifiable information. Thus, it is crucial for companies to prioritize SaaS security.
SaaS security covers a range of practices that organizations implement to protect their assets when using a SaaS architecture. According to the UK’s National Cyber Security Centre (NCSC) SaaS security guidelines, responsibility for security is shared between the customer and the service provider or software distributor. Additionally, vendors are introducing SaaS Security Posture Management (SSPM) systems that can regulate and automate SaaS security.
Many organizations are well-experienced in handling the security risks associated with Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) environments. IT and security teams typically collaborate using integrated business processes and programs. There is also a large market for IaaS and PaaS security and management tools.
SaaS applications tend to operate differently and offer advantages for organizations. However, they can be harder to manage in terms of security:
McKinsey conducted a survey of cybersecurity personnel from over 60 companies of various sizes and industries to see how they responded to SaaS security challenges. Most respondents mentioned having increased their focus on SaaS security, stressing the capabilities of their own security apparatus as well as their vendors’ security offerings.
As suspected, chief information security officers (CISOs) expressed significant levels of frustration with the vendors’ shortcomings in terms of security capabilities. They especially complained about contracting and implementation delays, and a lack of customer-centric approaches to security. They wanted SaaS vendors to do more to help security professionals understand the security capabilities of various products and configure and integrate them more easily with other security tools.
All companies surveyed had already started to transition to SaaS, with around half having used products from over 20 vendors, and a quarter having used products from over 80 vendors. Most respondents had deployed a SaaS offering in major areas such as IT service management and office automation.
However, many CISOs responded that their companies were not yet prepared for SaaS in certain critical areas, given the associated risks. For example, resource planning applications were seen as too vulnerable, as downtime could hinder the functioning of the entire enterprise. Likewise, companies were reluctant to adopt SaaS for applications containing health-related or mergers and acquisitions information, given the importance of maintaining data confidentiality.
The following practices are recommended for securing SaaS environments and assets.
Cloud providers can handle authentication in various ways, making it complicated to determine how users should be given access to SaaS resources. Some (but not all) vendors support integration with identity providers that the customer manages, such as Active Directory (AD), via Security Assertion Markup Language (SAML), OpenID Connect (OIDC) or Open Authorization (OAuth). Likewise, some vendors support multi-factor authentication, while others do not.
To navigate the various SaaS offerings available, it is essential that the security team understands which services are being used and the supported options for each service. This context allows administrators to choose the right authentication method (or methods) according to the organization’s needs.
A good option is to use single sign-on (SSO) tied to AD, if the SaaS provider supports it, because the organization's existing account and password policies then apply to the SaaS application as well.
The channels used to communicate with SaaS applications typically use Transport Layer Security (TLS) to protect in-transit data. Some SaaS providers also offer encryption capabilities for protecting data at rest. This could be a default feature or may need to be enabled.
Research the available security measures of each SaaS service in use to determine whether data encryption is possible and make sure to enable the encryption when relevant.
Ensure you review and evaluate any potential SaaS provider (as you would with other vendors). Make sure you understand how the service is used and which security model is used to deliver the service, as well as any available optional security features.
It is important to be able to track all SaaS usage given that usage patterns can be unexpected, especially when applications are deployed rapidly. Make sure you search for new, untracked SaaS usage and stay alert for unexpected changes.
Combine manual data collection techniques with automation tools, where possible, to keep up with rapidly evolving SaaS usage and maintain a reliable, up-to-date inventory of the services employed and who is using them.
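One way to keep such an inventory current, as an added example that is not the article's own or any vendor's code: it parses constructed proxy log lines (assumed format: timestamp, user, destination host), records which users reach which hosts, flags hosts that are missing from an assumed approved-services list, and reports hosts that appeared since a previous snapshot.

```python
"""Inventory SaaS usage from web-proxy logs and flag untracked services.

Added illustration; assumes a generic proxy log format of
"<timestamp> <user> <destination host>" and a maintained list of
approved SaaS hosts. All data below is constructed, not real traffic.
"""
from collections import defaultdict
import re

# Constructed approved inventory: host -> owning team.
APPROVED_SAAS = {
    "mail.example-saas.com": "IT",
    "crm.example-saas.com": "Sales",
}

# Constructed proxy log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-01T09:00:12Z alice mail.example-saas.com
2024-05-01T09:01:40Z bob crm.example-saas.com
2024-05-01T09:05:03Z carol notes.unknown-saas.io
2024-05-01T09:06:55Z alice notes.unknown-saas.io
2024-05-01T09:10:21Z dave www.example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)$")


def build_inventory(log_text):
    """Return {host: set(users)} for every destination seen in the log."""
    inventory = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        inventory[m["host"]].add(m["user"])
    return dict(inventory)


def find_untracked(inventory, approved):
    """Hosts in use but absent from the approved list, with their users."""
    return {h: sorted(u) for h, u in inventory.items() if h not in approved}


def new_since(previous, current):
    """Hosts present in the current inventory that were not seen before."""
    return sorted(set(current) - set(previous))
```

Review the untracked list with the users who appear in it, then either add the service to the approved inventory with an owner or block it.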
Consider using a Cloud Access Security Broker (CASB) solution for situations where the SaaS provider does not provide an adequate level of security. A CASB allows organizations to add controls that are not included in, or natively supported by, the SaaS provider's offering.
Explore the tools available to address any shortcomings in the SaaS provider's security model. You should also pay attention to the different CASB deployment modes so you choose the right deployment configuration (i.e. API-based or proxy-based) for your organization's architecture.
Monitor your SaaS use and examine the data from tools like CASBs, and keep track of the data and logs provided by the SaaS provider. IT and security executives must treat SaaS offerings differently from ordinary websites, as they are robust tools demanding the same level of security as any enterprise application.
Make sure you implement measures for systematic risk management when adopting SaaS security best practices—this helps ensure that users employ SaaS safely and that your organization’s SaaS usage remains protected.
SSPM ensures that SaaS applications are properly configured to protect them from compromise. Cynet provides a leading SSPM solution that continuously monitors SaaS applications to identify gaps between stated security policies and actual security posture, letting you automatically find and fix security risks in SaaS assets, and automatically prioritize risks and misconfigurations by severity.
Cynet SSPM provides: