Cloud adoption continues to grow at a rapid pace, with no cloud service model experiencing more growth than SaaS. There’s no denying the transformative impact Software-as-a-Service (SaaS) has had on businesses of every shape, size, and industry.
Whether you’re talking about collaboration and workforce tools like Zoom, Slack, or Workday, or data and storage platforms such as Box and Snowflake, SaaS has become key to how modern organizations operate and do business. This is borne out by spending figures and has been further accelerated by COVID and the widespread adoption of remote working. SaaS has also allowed organizations to outsource many traditional IT and administration activities and instead consume applications that let them focus on the core competencies that drive revenue or mission outcomes. Of the cloud service models, SaaS shifts the most responsibility to the provider under the Shared Responsibility Model: the customer no longer has to be concerned with physical security, host infrastructure, networking, or the security of the application code itself. What remains with the customer is how that application is configured and used.
However, all of these benefits aren’t without their own tradeoffs, concerns, and ramifications either. In the case of SaaS, organizations still need to be concerned with key things such as data, access control, configuration management, and cybersecurity supply chain risk management.
If you’re utilizing a SaaS provider, you’re still responsible for access control at the application layer. This means you need rigor around who is accessing the applications and the data stored in them, and around how you manage the identities associated with these applications. Organizations also remain responsible for data governance and security. What data are you placing in these SaaS applications? Do you have an acceptable level of assurance that the SaaS provider has security controls in place to safeguard that data?
Turning to configuration management: even if the underlying infrastructure and platform are secure, there are still ample opportunities to apply configurations that place your data and organization at risk. Each SaaS application being consumed comes with its own myriad of settings that can be modified, for better or for worse, and the wrong choices can introduce significant risk. Keep in mind that one of the leading causes of cloud security breaches is customer misconfiguration. This is no different in the context of SaaS; if anything, the problem is amplified by the sheer number of applications and settings involved.
The typical organization uses two or three Infrastructure-as-a-Service (IaaS) Cloud Service Providers (CSPs) such as AWS, Microsoft Azure, or Google Cloud. The count is far higher for SaaS, with large enterprises using up to 200 SaaS apps. The problem is compounded by realities such as the IT/security team controlling only around 20% of the SaaS apps in use, and organizations adding on average 10 new SaaS apps per month.
There are also significant cybersecurity supply chain considerations when it comes to SaaS providers (and service providers in general). Software supply chain attacks are on the rise as malicious actors realize they can compromise a single entity and have a cascading impact across many of its consumers and customers. This is far more efficient, and far more damaging, than targeting a single consumer organization alone.
None of this is to say organizations shouldn’t use SaaS, but they should certainly implement a SaaS Security and Governance program. This includes key activities such as discovering what SaaS applications are in use; remember that asset management is one of the top security controls, and you cannot govern what you have not inventoried. Secondly, it involves managing the SaaS you consume, meaning you need a process to review and approve requested SaaS applications, such as verifying their compliance and certifications against frameworks like SOC 2 and FedRAMP as well as reviewing penetration testing reports, application security maturity, and more. Lastly, organizations should begin implementing SaaS security activities such as using tooling like Cloud Access Security Brokers (CASBs) and, potentially more importantly, SaaS Security Posture Management (SSPM) tooling, which can help you scan your SaaS footprint for misconfigurations, vulnerabilities, exposed data, and more.
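The discovery step above is the one most teams can start on today with data they already have, because egress proxy or DNS logs record which SaaS domains users actually reach. The following is an added example, not code from the original article or from any CASB/SSPM product: it parses constructed proxy log lines, matches each requested host against a small constructed SaaS catalogue, and reports which apps are in use, by how many users, and which of them IT has not sanctioned (the "shadow SaaS" that makes up the roughly 80% the article says IT does not control). The log format, the catalogue, and the sanctioned/unsanctioned flags are all assumptions for illustration; a real deployment would feed this from a maintained SaaS catalogue and a public-suffix-aware domain parser.

```python
"""
SaaS discovery from egress-proxy logs (illustrative example).

Everything here is constructed for the example: the log format,
the SaaS catalogue, and which apps are "sanctioned" by IT.
"""
import re
from urllib.parse import urlsplit

# Constructed catalogue: registrable domain -> (app name, sanctioned by IT?)
SAAS_CATALOGUE = {
    "slack.com": ("Slack", True),
    "zoom.us": ("Zoom", True),
    "box.com": ("Box", True),
    "snowflakecomputing.com": ("Snowflake", True),
    "notion.so": ("Notion", False),
    "dropbox.com": ("Dropbox", False),
}

# Assumed proxy log format: "<timestamp> <user> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log, including one unrelated site and one malformed line.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice GET https://app.slack.com/client/T123 200
2024-03-04T09:12:07Z bob GET https://acme.zoom.us/j/555 200
2024-03-04T09:13:44Z alice POST https://www.notion.so/api/v3/saveTransactions 200
2024-03-04T09:14:02Z carol GET https://www.dropbox.com/home 200
2024-03-04T09:14:30Z dave POST https://www.dropbox.com/upload 200
2024-03-04T09:15:00Z bob GET https://app.box.com/folder/0 200
2024-03-04T09:15:09Z erin GET https://news.example.org/ 200
this line is malformed
""".splitlines()


def classify_host(host):
    """Return (app, sanctioned) if host belongs to a catalogued SaaS domain.

    Matching is on the exact domain or a subdomain of it, so a look-alike
    such as evil-slack.com does not count as Slack.
    """
    host = host.lower().rstrip(".")
    for domain, (app, sanctioned) in SAAS_CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return app, sanctioned
    return None


def parse_line(line):
    """Return (user, host) for a well-formed log line, else None."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None  # malformed lines are skipped, not fatal
    host = urlsplit(match["url"]).hostname
    if not host:
        return None
    return match["user"], host


def build_inventory(lines):
    """Map app name -> {"sanctioned": bool, "users": set, "requests": int}."""
    inventory = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host = parsed
        hit = classify_host(host)
        if hit is None:
            continue  # not a catalogued SaaS app
        app, sanctioned = hit
        entry = inventory.setdefault(
            app, {"sanctioned": sanctioned, "users": set(), "requests": 0}
        )
        entry["users"].add(user)
        entry["requests"] += 1
    return inventory


def shadow_saas(inventory):
    """Apps observed in traffic that IT has not sanctioned, sorted by name."""
    return sorted(app for app, e in inventory.items() if not e["sanctioned"])


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for app in sorted(inv):
        e = inv[app]
        status = "sanctioned" if e["sanctioned"] else "UNSANCTIONED"
        print(f"{app:<10} {status:<13} users={len(e['users'])} requests={e['requests']}")
    print("Shadow SaaS to review:", ", ".join(shadow_saas(inv)))
```

Running the example against the constructed log surfaces Dropbox and Notion as unsanctioned, Dropbox with two distinct users. In practice the catalogue and the sanctioned list are what a CASB maintains for you; the value of owning the logic is that you can feed the same proxy or DNS data into your vendor-review process as the trigger for assessing an app before it spreads further.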
Doing the activities discussed above can help you continue to utilize SaaS as the key business enabler it is, but in a fashion that doesn’t expose your organization to undue risk or put your data and reputation on the line. As organizations mature in their cloud and SaaS adoption, SaaS Security and Governance programs will become the norm rather than the outlier, and organizations will be safer because of it.