The data is in. According to IBM Security’s 2020 Cost of a Data Breach Report, enterprise cloud usage across all industries is up 50%, and the number of threats targeting cloud services, predominantly collaboration services such as Office 365, has increased 630%. Moreover, 75% of respondents report that the time to discover and recover from a breach has increased significantly because of pandemic-era remote work. Although organizations can save over $1 million by discovering a breach within its first 30 days, the average reported time to identify and contain a breach was 280 days.
In the remote-work world, SaaS apps have become an enticing vector of choice for bad actors. Consider the typical off-site employee, untrained in security measures, whose access and privileges raise the risk of sensitive data being stolen, exposed, or compromised. It does not have to be that way: a company’s SaaS security posture can be strengthened and SaaS configuration weaknesses can be avoided. SaaS Security Posture Management (SSPM), as defined by Gartner, is critical to the security of today’s enterprise.
As Gartner’s own Tom Croll asserts in 3 Steps to Gartner’s SaaS Security Framework (December 2020):
“Increasingly, business-critical data is being processed by applications that exist entirely outside the corporate network, making traditional controls ineffective. New controls are needed to address these new realities,” he continues. “SSPM tools allow enhanced controls to further protect data stored in the most commonly used SaaS applications. Core capabilities include monitoring the configuration of native SaaS security settings, reporting non-compliance and auto-remediating violations to maintain alignment with multiple compliance frameworks.”
The Emerging Solution
There are many offerings in cloud security, but an SSPM solution is the one that assesses a company’s SaaS security posture in a customized and automated manner, tailored to the specifics of each application and to company policy. It is not a one-time assessment: it is an ongoing process that monitors and reinforces the company’s SaaS security.
Yet this foundational security step is often overlooked, for a variety of reasons. Many people do not realize that securing company SaaS apps has two sides. SaaS providers build in a host of security features designed to protect company and user data, but how those features are configured and used in a customer’s tenant is ultimately beyond the provider’s control. Just as in any other part of the network, the customer’s IT or security team is responsible for protecting and managing the data, configurations, user roles, and privileges, regardless of where they reside.
For enterprise organizations, ensuring that every SaaS app is configured properly and has the correct user roles and privileges is not only a never-ending, time-consuming endeavor but, done by hand, an impossible one.
The Challenges to Managing the SaaS Security Posture
Dynamic and ever-changing — The SaaS environment is dynamic and continually updating. As employees join or leave and new apps are onboarded, permissions and configurations must be reset, changed, and updated. In addition, continuous compliance and security-configuration updates are needed to meet industry standards and best practices (NIST, MITRE, etc.), and security teams must continuously ensure that all configurations are enforced company-wide, with no exceptions. With a typical enterprise running an average of 288 SaaS applications, this amounts to hours of continuous work and is not sustainable.
Each app is a world unto itself — Each SaaS application has its own security and compliance configurations: which files can be shared, whether MFA is required, whether recording is allowed in video conferencing, and more. The security team has to learn each application’s specific set of rules and settings and ensure they comply with company policy. Since security staff are not the ones using the apps day to day, they are rarely familiar with the settings, which makes optimizing the configuration even harder.
Configuration management overload — The number of apps, configurations, user roles, and privileges that an organization must manage and monitor grows with every onboarded app. In numbers: a typical enterprise has hundreds of SaaS apps, each with up to hundreds of global settings, and a workforce of thousands to tens or even hundreds of thousands of employees. Security teams have to learn hundreds of app setups and monitor thousands of settings and tens of thousands of user roles and privileges, an impossible and unsustainable scenario when done manually.
No clear visibility or direct management — Most SaaS apps are purchased and implemented by the departments that use them most: a marketing-automation SaaS generally sits in marketing, a CRM in sales, and cloud computing, productivity, and collaboration tools in IT. These apps hold critical data on the company’s clientele and business projects, yet their owners are often not trained in security or vigilant about the continuous needs of configuration and posture. The security team ends up in the dark about the security controls in place and, more importantly, about the resulting exposure or risk.
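To make concrete the core SSPM capabilities Gartner lists (monitor native settings, report non-compliance, auto-remediate) and the per-app challenge just described, here is an added Python example. It is not Adaptive Shield’s code and does not come from the original article. The app names, setting keys, rule IDs, severities and the NIST SP 800-53 control mapping are assumptions chosen for illustration, and the snapshots are constructed sample data standing in for what a tool would pull from each vendor’s admin API.

```python
"""Policy-as-code posture check over SaaS settings and user roles.

Added example illustrating the SSPM capabilities described above. Not
Adaptive Shield's or Gartner's code. App names, setting keys, rule IDs,
severities and the control mapping are assumptions; SNAPSHOTS is
constructed sample data, not output of any real admin API.
"""
import copy
from dataclasses import dataclass
from typing import Callable, Optional

SNAPSHOTS = {
    "zoom": {  # constructed; keys are not real Zoom API fields
        "settings": {"waiting_room": False, "cloud_recording": True,
                     "mfa_required": False},
        "users": [{"email": "alice@example.com", "role": "owner", "mfa": True},
                  {"email": "bob@example.com", "role": "admin", "mfa": False}],
    },
    "drive": {  # constructed; keys are not real Google Workspace fields
        "settings": {"external_sharing": "anyone_with_link",
                     "mfa_required": True},
        "users": [{"email": "carol@example.com", "role": "super_admin", "mfa": True},
                  {"email": "dave@example.com", "role": "super_admin", "mfa": True},
                  {"email": "erin@example.com", "role": "super_admin", "mfa": True}],
    },
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    app: str
    description: str
    check: Callable[[dict], bool]   # returns True when the app is compliant
    severity: str
    controls: tuple                 # illustrative NIST SP 800-53 control IDs
    fix: Optional[dict] = None      # setting -> desired value, if auto-fixable


def admins_without_mfa(app_snapshot: dict, admin_roles: set) -> list:
    """Privileged accounts lacking MFA; fixing these needs a person, not a toggle."""
    return [u["email"] for u in app_snapshot["users"]
            if u["role"] in admin_roles and not u["mfa"]]


# Each app has its own vocabulary, so rules are written per app rather than
# against one generic schema. Severities and control mapping are assumptions.
RULES = [
    Rule("zoom-001", "zoom", "waiting room enabled for all meetings",
         lambda s: s["settings"]["waiting_room"] is True, "medium",
         ("AC-3",), {"waiting_room": True}),
    Rule("zoom-002", "zoom", "cloud recording disabled",
         lambda s: s["settings"]["cloud_recording"] is False, "low",
         ("AC-21",), {"cloud_recording": False}),
    Rule("zoom-003", "zoom", "MFA enforced tenant-wide",
         lambda s: s["settings"]["mfa_required"] is True, "high",
         ("IA-2(1)",), {"mfa_required": True}),
    Rule("zoom-004", "zoom", "owners and admins have MFA enrolled",
         lambda s: not admins_without_mfa(s, {"owner", "admin"}), "high",
         ("IA-2(1)",)),
    Rule("drive-001", "drive", "link sharing restricted to allowlisted domains",
         lambda s: s["settings"]["external_sharing"] in ("off", "allowlisted_domains"),
         "high", ("AC-21", "AC-22"), {"external_sharing": "allowlisted_domains"}),
    Rule("drive-002", "drive", "at most two super admins",
         lambda s: sum(u["role"] == "super_admin" for u in s["users"]) <= 2,
         "medium", ("AC-6",)),
]


def evaluate(snapshots: dict, rules=RULES) -> list:
    """Run every rule against its app's snapshot; return the failing rules."""
    return [r for r in rules if r.app in snapshots and not r.check(snapshots[r.app])]


def remediation_plan(findings: list) -> dict:
    """Collect auto-fixable settings per app; rules without a fix stay with humans."""
    plan = {}
    for f in findings:
        if f.fix:
            plan.setdefault(f.app, {}).update(f.fix)
    return plan


def apply_plan(snapshots: dict, plan: dict) -> dict:
    """Simulate auto-remediation by writing desired values into a copy."""
    fixed = copy.deepcopy(snapshots)
    for app, settings in plan.items():
        fixed[app]["settings"].update(settings)
    return fixed


def by_control(findings: list) -> dict:
    """Group failing rule IDs by control so compliance gaps can be reported."""
    report = {}
    for f in findings:
        for c in f.controls:
            report.setdefault(c, []).append(f.rule_id)
    return report


if __name__ == "__main__":
    found = evaluate(SNAPSHOTS)
    for f in found:
        print(f"[{f.severity}] {f.app} {f.rule_id}: {f.description}")
    plan = remediation_plan(found)
    print("auto-fix plan:", plan)
    print("needs a human:", [f.rule_id for f in evaluate(apply_plan(SNAPSHOTS, plan))])
```

Run as a script, the constructed tenants fail all six rules; after the plan is applied, only the two findings that need a human decision remain (an admin without MFA enrolled, and too many super admins), which is the distinction between what a posture tool can auto-remediate and what it can only report. The `by_control` grouping is what feeds a per-framework compliance view.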
Handling SaaS Security
In the remote-work world, organizations are even more exposed to SaaS security configuration weaknesses. Security teams can now turn to SSPM solutions such as Adaptive Shield to automate their SaaS security processes and address the challenges detailed above.
For business-critical apps such as Salesforce, Office 365, G Suite, and Zoom, the right SSPM solution provides deep visibility into, and remediation of, weaknesses in a company’s SaaS security posture, from misconfigurations and misappropriated privileges to suspicious SaaS usage. It also follows the trail of policy changes and violations, making it possible to identify the source of accidental, intentional, or malicious alterations. These tools are built to streamline and improve the security team’s efficiency, reducing workload and stress while increasing protection from potential exposures or breaches.
With no-code technology, Adaptive Shield enables security teams to see, monitor, and remediate their company’s SaaS (mis)configurations and user-role information across a wide array of SaaS apps: video conferencing platforms, customer support tools, HR management systems, dashboards and workspaces, content and file-sharing applications, messaging applications, marketing platforms, and more.
Learn more about how Adaptive Shield prevents misconfigurations and vulnerabilities in your SaaS estate that could lead to a leak or breach.
This post was first published in The Hacker News on April 5, 2021.