Try bringing up the topic of “SaaS Security” with anyone on a security team at a large organization. Either you’ll hear, “Yeah, it’s great that security is handled for us by [large SaaS platform],” or you’ll hear a big sigh followed by “Yeah, I have to sort this situation out soon…”.
In either case, the lack of awareness among SaaS customers about their own security obligations, and the procrastination in addressing those responsibilities, should be a cause for concern.
In 55% of the SaaS vulnerability assessments my company performs, we identify data leaking to the anonymous internet from SaaS environments. 95% of our SaaS vulnerability assessments reveal over-provisioned external SaaS user accounts. Additionally, in each SaaS environment, we identify an average of 42 connected third-party applications. 22 of those 42 typically have access to sensitive data but haven’t been used in over six months.
In any other security context, we would declare the over-provisioning of a guest user who has access to sensitive data to be a high-risk issue worthy of correcting immediately. We would insist that a third-party integration connected without a purpose, yet accessing critical business data, needs to be deprovisioned. And we would immediately lock down any issue that leaks our data to the anonymous internet, potentially even pulling in our IR or legal team to assess whether a response is warranted. In no other security domain would any of these outcomes be remotely acceptable to a security team. And yet when it comes to SaaS, all of these situations are commonplace. Why is this happening right underneath our collective feet?
For one, enterprise executives were told early on by some of this generation’s best salespeople that SaaS platforms were the answer to the constant security concerns that accompany on-premises applications.
In reality, this is only partially true. SaaS applications come with security built into the provider’s architecture, are hardened by some of the best security professionals in the industry, and go through rigorous testing. However, parts of the SaaS ownership model are being wholly mismanaged - and that mismanagement is happening in the configurations that we as end-users are responsible for.
In fact, Gartner states that through 2025, 99% of cloud security incidents will be due to issues that are the customer’s fault. We’ve seen over the last few years that cloud misconfigurations are detrimental to our security posture, and we’re all working hard to address those issues. We must do the same for SaaS applications or watch our progress in cloud security be diminished as we leak the same data we hustled to protect for the last half-decade.
There remains a fear of turning over the SaaS security stone, as it could expose findings that will necessitate more work, more budget, and more anxiety. But ask any company that has suffered a cloud data leak, and they’ll tell you that it’s better, and cheaper, to be proactive than to react to bad news urgently, ruining your employees’ roadmaps and begging for budget to solve a highly predictable problem looming on the horizon. Modern security teams know that the time to act is before an incident has occurred.
The good news is that there’s momentum right now to build security controls into your SaaS deployment. Many organizations have enabled a hybrid approach within appsec that “builds security into” the deployment process. These practices are cost-saving, efficiency-building, and more importantly, culture-boosting. There is no reason that organizations should stop proactive security at application security - rather, building these practices into the management of critical SaaS applications and cloud infrastructure is sure to be the best-practice approach in coming years.
Below are some actions that organizations can take in order to kickstart a SaaS security program.
Invest in a scalable approach
Current security tool sets were built for a different era, when we were reacting to network activity and concerned about critical data being stored on-premises or in monitored systems that we own. These security solutions don’t scale to the modern SaaS-driven era we have entered. Scaling a SaaS security program will be taxing on your team unless you recognize the need for technical automation via new, innovative solutions. The frenetically agile nature of SaaS environments requires some level of automation and some business “productization” to truly secure your enterprise deployment. Begin by investigating and identifying solutions and strategies that automate your SaaS security posture and detect deviations from best practices.
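The posture check this section calls for can be made concrete. The following is an added example, not code from the original article or from any vendor product, that runs the three checks behind the findings quoted earlier (over-provisioned guest users, stale third-party integrations with sensitive scopes, and resources exposed to the anonymous internet) over a constructed inventory. The inventory schema, scope names, role names and the 180-day staleness threshold are assumptions; a real program would populate these records from each SaaS platform’s own admin API, which is exactly where the non-interoperable knowledge the article describes lives.

```python
"""Added example: a SaaS posture check over a constructed inventory.

Every identifier below (scope names, roles, sharing states, sample data) is
a constructed assumption, not the export format of any real SaaS platform.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

STALE_AFTER = timedelta(days=180)                      # "unused for over six months"
SENSITIVE_SCOPES = frozenset({"files.read_all", "contacts.export", "reports.export"})
GUEST_ALLOWED_ROLES = frozenset({"viewer", "commenter"})  # what a guest may hold (assumption)
PUBLIC_SHARING = frozenset({"anyone_with_link", "public"})  # reachable from the anonymous internet


@dataclass(frozen=True)
class ExternalUser:
    email: str
    role: str
    scopes: frozenset


@dataclass(frozen=True)
class ThirdPartyApp:
    name: str
    scopes: frozenset
    last_used: Optional[date]  # None = never used since it was connected


@dataclass(frozen=True)
class SharedResource:
    path: str
    sharing: str  # "private", "domain", "anyone_with_link" or "public"


def overprovisioned_guests(users: List[ExternalUser]) -> List[str]:
    """External users holding a non-guest role or any sensitive scope."""
    return sorted(u.email for u in users
                  if u.role not in GUEST_ALLOWED_ROLES or (u.scopes & SENSITIVE_SCOPES))


def stale_sensitive_apps(apps: List[ThirdPartyApp], today: date) -> List[str]:
    """Integrations with sensitive scopes that are idle past STALE_AFTER or never used."""
    flagged = []
    for app in apps:
        if not (app.scopes & SENSITIVE_SCOPES):
            continue  # low-privilege integrations are noise for this check
        if app.last_used is None or today - app.last_used > STALE_AFTER:
            flagged.append(app.name)
    return sorted(flagged)


def public_exposures(resources: List[SharedResource]) -> List[str]:
    """Resources whose sharing state needs no authentication to read."""
    return sorted(r.path for r in resources if r.sharing in PUBLIC_SHARING)


def assess(users, apps, resources, today) -> List[Tuple[str, str, str]]:
    """Combine the checks into (severity, finding_type, subject) tuples."""
    findings = []
    findings += [("high", "overprovisioned_guest", e) for e in overprovisioned_guests(users)]
    findings += [("high", "stale_sensitive_integration", n) for n in stale_sensitive_apps(apps, today)]
    findings += [("critical", "public_exposure", p) for p in public_exposures(resources)]
    return findings


# Constructed sample inventory (not real data).
TODAY = date(2024, 6, 1)
SAMPLE_USERS = [
    ExternalUser("guest-a@partner.example", "viewer", frozenset()),
    ExternalUser("guest-b@partner.example", "admin", frozenset()),             # wrong role
    ExternalUser("guest-c@vendor.example", "viewer", frozenset({"reports.export"})),  # sensitive scope
]
SAMPLE_APPS = [
    ThirdPartyApp("Calendar Sync", frozenset({"calendar.read"}), date(2024, 5, 20)),
    ThirdPartyApp("Old BI Connector", frozenset({"reports.export"}), date(2023, 10, 1)),  # 244 days idle
    ThirdPartyApp("Support Bot", frozenset({"files.read_all"}), date(2024, 5, 28)),
    ThirdPartyApp("Trial Exporter", frozenset({"contacts.export"}), None),               # never used
]
SAMPLE_RESOURCES = [
    SharedResource("/finance/q1-results.xlsx", "anyone_with_link"),
    SharedResource("/hr/handbook.pdf", "domain"),
    SharedResource("/eng/design.md", "private"),
]

if __name__ == "__main__":
    for severity, kind, subject in assess(SAMPLE_USERS, SAMPLE_APPS, SAMPLE_RESOURCES, TODAY):
        print(f"[{severity}] {kind}: {subject}")
```

Run as a script it prints five findings for the sample inventory: two over-provisioned guests, two stale sensitive integrations, and one publicly reachable file. In practice the value is in running this on a schedule and diffing against the previous run, so that a new public link or a newly granted admin role on a guest account surfaces as a deviation rather than being rediscovered at the next annual assessment.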
Recognize that this is a sincerely unique security function that deserves its own space
Don’t fall into the trap of assuming that this is just like solving the cloud infrastructure configuration problem. The reality is that with IaaS security, you’re only dealing with three main platforms (maybe four or five if you’re operating in Europe or Asia). IaaS principles are fairly interoperable, and there is a significant pool of talent with experience across all the main platforms.
However, in the SaaS domain, you could be dealing with 1,000 applications, perhaps 10-20 of which handle critical or sensitive data. Controls are unique to each SaaS app - there is very little interoperable knowledge across applications to help you secure your estate. Consider the staffing ramifications of deciding to approach this on your own and resourcing it by hiring experts in each SaaS application. You are much more likely to burn out your current staff than you are to hire all the talent you would need to mitigate this problem manually.
Take ownership together with your IT team
Recognize that this is going to hurt a little bit. Your line-of-business admins are not accustomed to inspection. For years, they have operated to ensure seamless functionality with very little oversight from the security team. By finally gaining oversight into these business functions, you are about to make their lives a little bit harder in exchange for protecting your company from damaging data leaks. Therefore, make sure to bring your IT admins into the conversation early and identify common ground. Focusing on the efficiencies gained from a SaaS deployment security check has been a winning conversation point, as IT admins recognize that you’re looking to secure deployments without burning their teams out.
In conclusion, we are entering a new era in which SaaS applications will be one of the primary attack surfaces available to external and internal attackers. Existing methodologies are not fit for purpose, but by leveraging automation and building an internal SaaS security program, your team can be ready to face what’s to come in this realm.