According to Okta's Business of Work report, large companies use 187 different SaaS apps on average, and this number is only growing—Gartner reports that end-user spending on SaaS will reach more than $171 billion in 2022.
As this investment trend continues, new critical SaaS challenges emerge beyond the classic use case of misconfiguration and user permissions management, such as SaaS-to-SaaS access and device-to-SaaS-user posture management. This blog will give a brief overview of the trends in SaaS security.
An Unrelenting Volume Of Misconfigurations
Core SaaS offerings such as Office 365, Slack, Zoom and Salesforce, as well as the myriad of other SaaS apps that companies have deployed, are vital to a business's day-to-day operations. While these benefits are widely recognized, many companies are just now beginning to learn about the risk they introduce to the company.
Case in point, while app providers build in native security settings and configurations designed to protect businesses, the solutions can only be as secure as their weakest security control. This means that it is up to the organization to correctly configure all settings, continuously.
While that may seem straightforward, many don't consider how apps are like snowflakes when it comes to their build and security configurations—each has unique terminology, UI, etc. It is the security team's job to learn every app's "language." While that might not seem insurmountable, consider that many enterprises today have thousands of employees relying on hundreds of apps. This creates a chaotic SaaS environment where manual audits become impossible and unsustainable.
SaaS-to-SaaS Access Discovery and Control
Another growing SaaS challenge stems from SaaS-to-SaaS apps connected to the company’s core SaaS applications, also known as SaaS-to-SaaS supply chain. Today, employees are frequently prompted to give permission for one SaaS app to connect with another, and, for the most part, they oblige. That's where the problem begins. Today most users view this scenario from a productivity perspective—if they connect their SaaS apps, it will allow them to work more efficiently and ultimately help the business achieve its goals.
Every day, people give apps permission to connect with their Google Workspace or M365 environment (for example). By just clicking "accept," they give these apps permission to provide a new avenue for threat actors to gain access to valuable company data.
Now imagine this practice is happening throughout a business's workforce unbeknownst to the security team. The security team needs to see:
1. The SaaS apps that are being granted access to business-critical apps.
2. Which of these apps pose the most risk by the level of scopes (permissions) being given.
3. Which users, most especially the privileged users, granted them.
The security team needs to be equipped to decide whether to revoke access to these apps to the core SaaS apps, protecting the business yet still ensuring that the employee maintains the functionality required to do their job.
Device-To-SaaS Posture Management: The SaaS Security Zero-Trust Approach
In today’s hybrid working world, security teams must contend with threats of users accessing their SaaS applications from unsecured devices. While accessing a SaaS app via a mobile device helps boost productivity, it adds another challenge to the security team. It can pose a high level of risk for an organization, especially when the device owner is a highly privileged user.
To remediate potential threats, security teams need to be able to correlate SaaS app users, roles and permissions with their associated devices' hygiene. This end-to-end tactic enables a holistic zero-trust approach to SaaS security that is only now coming into the picture.
The Whole SaaS Security Picture
The bottom line is that checking for misconfigurations and misappropriated user roles and permission within business-critical SaaS apps is the classic SaaS Security Posture Management (SSPM). However, if the organization adopts a zero-trust approach, it is worth considering SaaS-to-SaaS access and device-to-SaaS-user monitoring and management an integral part of SSPM.
This is an excerpt from an article that was published in Forbes Council on August 10, 2022.