Meet Brian Soby- he has held security leadership roles at Salesforce and in the financial tech industry. Prior to founding AppOmni, Soby founded a cloud software security consultancy. He served as Director of Security at Taulia and managed all security functions, including product/application security, compliance, physical security, and corporate information security. Before that, he was the Director of Product Security at Salesforce and a Lead Security Engineer at MITRE.

Here, we talk to Soby about how organizations can avoid today's biggest challenges with Software as a Service (SaaS). 

Security magazine: What is your background, and current responsibilities as CTO of AppOmni?

Soby: My background is largely security. I started off in the government space working for a defense contractor and then to MITRE, a federally funded research and development center. While MITRE is a great organization with a great mission, I switched career paths to move to the west coast and attend business school. That’s when I joined Salesforce and really started to understand the challenges associated with running SaaS applications at scale (from both customer and provider perspectives). Later, I would experience more real-world examples of these challenges after starting a security consultancy that focused on software and SaaS security. 

It was this experience that led me to reconnect with Brendan O’Connor, now CEO of AppOmni, identify the broader industry issues and their root causes, and together start AppOmni to solve these problems for customers. 

Today, I help educate customers about the nature of security challenges when using SaaS and work with a fantastic team of fellow security professionals and engineers at AppOmni to create a SaaS Security Posture Management (SSPM) platform. On a day to day basis, this means meeting with customers and prospects to understand their security concerns, drawing from the decades of experience from our team to help educate them about key responsibilities and pitfalls, and steering the product and technology organizations at AppOmni to expand our platform to efficiently address these problems.

Security magazine: Why is SaaS application security important?

Soby: As organizations have transformed their businesses and operations in 2020, including the adoption of SaaS technologies as a result of increasing WFH initiatives, cyberthreats have followed suit. A  recent survey conducted by AppOmni directly correlates the increasing adoption of SaaS to the shift to remote work. The same survey illustrates how IT administrators, who have received additional responsibilities due to WFH initiatives, have less time to effectively manage and secure their SaaS environment. Adoption of new technologies and services coupled with lack of time and expertise by security teams  is a perfect recipe for cyber threat. The benefit of anywhere access to SaaS applications and data is attractive to bad actors that no longer need to wade through different layers of security traditionally implemented in a typical office/datacenter setting.

Security magazine: What makes SaaS application security difficult?

Soby: SaaS applications require deep knowledge and expertise to operate. Most security teams simply do not have access or knowledge to operate a wide variety of SaaS applications, let alone 3rd party application providers, that are powering the businesses. It is like knowing how to operate a boat and thinking you can fly a helicopter. SaaS users can unintentionally make configuration changes that put the organization at risk simply because of lack of knowledge. Security teams are typically tasked with securely managing and maintaining 5 or 10 SaaS applications at a time, and as SaaS adoption grows, they simply lack the bandwidth and expertise to manage them all. 

Security magazine: How do you solve these challenges at the enterprise level?

Soby: Security professionals have been preaching for years that the perimeter is dissolving. Remote work throughout the pandemic has solidified that case more than any whitepaper, blog post, or tech talk ever could. Security teams have two decades of experience protecting the corporate network, and putting the proper detections in place for their internal systems. In the world of SaaS and remote work, those internal defenses sit idle and provide limited value. Securing a remote workforce and distributed cloud applications is a much different challenge than securing the corporate network. Successful organizations will focus on putting controls directly on the data, wherever it may live. Since our users and data live outside the firewall now, we can no longer build a wall around our network to keep the good people in and the bad people out. 

Security magazine: How do you structure an enterprise program for successful SaaS application security?

Soby: With enterprises shifting to a virtual and remote workforce, many are moving their business applications and data to the cloud. As a result, IT staff are tasked with the management and security of multiple SaaS applications and rapidly growing cloud presence. IT staff had to forgo any security benefits they had from network segmentation afforded by traditional office networks and in some cases, start from scratch. In doing so, they are not equipped with tools to scan APIs between applications, automate SaaS configurations, monitor changes to the environment, and assess user access or activity - all key components needed to securely manage and maintain one's SaaS environment. 

The shift to the cloud, unfortunately, has not gone unnoticed by hackers and bad actors. As organizations play catchup, attackers are shifting their strategy to leverage the lack of SaaS expertise and necessary tooling to monitor and keep attackers at bay. As more and more organizations adopt the virtual workforce model for the long haul, we should expect SaaS to be increasingly targeted by bad actors.

At most companies, their top 10 to 15 SaaS applications represent 80 to 90 percent of their risk. While SaaS application usage typically has a long tail with dozens or hundreds in use at medium or large sized companies, the risk of the 25th most important application is an order of magnitude less than the 5th most important application. 

The key to securing these applications is depth of visibility and security insight. For larger applications such as Salesforce and ServiceNow, the security team’s counterparts in IT have gone through months or years of training and often specialize and make careers out of operating a single product. Security teams, on the other hand, seldom have that opportunity and are usually accountable for the security of 5 or 10 large applications without the benefit of that training. The key for these teams is to leverage management platforms that incorporate that expertise and allow them to leverage that embedded knowledge without forcing them to become experts in each system. Additionally, effective security management of these systems (as would be recommended by the internal security teams of any of the vendors) necessarily blends configuration analysis, posture analysis, and monitoring. A program incorporating only one or two of these areas will always have major gaps that create unmitigated risks.

Security magazine: What are some important considerations when choosing SaaS application security vendors and tools? 

Soby: Some organizations are trying to maximize their existing security investments to secure the growing dependence on SaaS. However, this approach is yielding limited returns. Although you gain the benefit of familiar technology and existing policies, you also bring the reactive nature of these solutions and architecture not well-suited to maximize the benefit of cloud services. Organizations should look to upgrade to a new and modern breed of solutions, such as SaaS Security Posture Management (SSPM), which are designed for the cloud and offer a proactive approach to security. I expect the new breed of solutions to gain even greater traction in 2021 as organizations continue to transform at an accelerated rate.