What It Takes to Tackle Your SaaS Security

Eliana Vuijsje
July 26, 2022
share:

It’s not a new concept that Office 365, Salesforce, Slack, Google Workspace or Zoom, etc. are amazing for enabling the hybrid workforce and hyper productivity in businesses today.  However, there are three main challenges that have arisen stemming from this evolution: (1) While SaaS apps include a host of native security settings, they need to be hardened by the security team of the organization. (2) Employees are granting 3rd party app access to core SaaS apps which pose potential threats to the company. (3) These SaaS apps are accessed by different devices without their device hygiene score even being checked. 

1. Misconfiguration Management

It’s not an easy task to have every app setting properly configured — at all times.  The challenge lies within how burdensome this responsibility is — each app has tens or hundreds of security settings to configure, in addition to thousands of user roles and permission in a typical enterprise, compounded by the many compliance industry standards and frameworks that organizations strive to follow. 


The complexity to secure SaaS apps is only increased by the fact that often the SaaS app owner sits outside the security team, in the department that most uses the app (think Sales has CRM app, Marketing has automation app) — and they are untrained and not focused on the security upkeep of the app. It all amounts to just how burdensome and unrealistic it is to expect security teams to be able to stay in control of the organization’s SaaS stack.

2. 3rd Party App Access

OAuth 2.0 has greatly simplified authentication and authorization, and offers a fine-grained delegation of access rights. Represented in the form of scopes, an application asks for the user's authorization for specific permissions. An app can request one or more scopes. Through approval of the scopes, the user grants these apps permissions to execute code to perform logic behind the scenes within their environment. These apps can be harmless or as threatening as an executable file.
When it comes to local machines and executable files, organizations already have control built in that enables security teams to block problematic programs and files. It needs to be the same when it comes to SaaS apps.

3. Device-to-SaaS-User Posture 

From first entry through to the device posture, security teams need to be able to identify and manage the risks coming from SaaS users and their associated devices. A device with a low hygiene score poses a high risk depending on which apps this employee is using. In the case of a highly privileged user, an unsecured device can pose an even higher level of risk for an organization. The security team needs the ability to correlate SaaS app users, their roles and permissions with their associated devices’ compliance and integrity level. This end-to-end approach enables a holistic zero-trust approach to SaaS security that is only now coming into the picture. 

SaaS Security Posture Management Handles the SaaS Stack Challenges 

That’s why Gartner named SaaS Security Posture Management (SSPM) as a MUST HAVE solution to continuously assess security risks and manage the SaaS applications' security posture in the “4 Must-Have Technologies That Made the Gartner Hype Cycle for Cloud Security, 2021.” Other cloud solutions don’t offer preventative coverage. For example, a CASB solution is event-driven; CASB will alert the organization to a SaaS leak or breach only once it has occurred. 

Our SSPM solution comes into play to enable security teams to identify, analyze, and prioritize misconfigurations as well as provide visibility to 3rd party apps with access to their core apps and Device-to-SaaS-User posture management.

This is an excerpt from an article that was  published in The Hacker News on July 11, 2022.

About the writer

Eliana Vuijsje
Marketing Director
What It Takes to Tackle Your SaaS Security
Eliana is a marketing strategist with a passion for technology and storytelling. With an MA in conflict management and negotiation and a BA in Communications, Eliana hit the ground running after moving to Israel. Eliana’s work has been featured in places like Slashdot, the RSA conference and Facebook’s PyTorch publications. Since joining Adaptive Shield, Eliana has grown into a SaaS app security lobbyist telling everyone to secure their SaaS app estate. Oh, and she loves steak.