The ease with which Software as a Service (SaaS) apps can be deployed and adopted is remarkable, but it has quickly become a double-edged sword. On one hand, the availability of SaaS tools enables employees to work from anywhere. For IT and security teams however, the adoption of SaaS apps has become a daunting curse. Remember when cybersecurity was mostly about firewalls, VPNs and antivirus software? Those days are long gone. Now, one of the most prevalent places for exploitation has to do with misconfigurations found in an organization's SaaS apps.
Eighty-five percent of information security professionals cite SaaS misconfigurations as the third highest risk facing today’s organizations, according to the Adaptive Shield 2021 SaaS Security Survey Report. As businesses rely on an increasing number of SaaS applications, misconfigurations are exacerbated by businesses placing unrealistic expectations on app owners — that is, less-trained employees who sit outside the security department’s day-to-day purview.
There are two sides to securing SaaS applications. Today, SaaS providers build in a host of security features designed to protect company and user data, but whether or not these features get used is ultimately beyond their control. Just as with any other part of the network, IT or security teams are responsible for protecting and managing the data, configurations, user roles and privileges, regardless of their location. Ensuring all SaaS apps are configured properly and have the correct user roles and privileges is not only a never-ending, time-consuming endeavor, but an impossible one, especially if the burden is placed on the app owner. When it comes to SaaS security challenges, the top three most common ones can be broken down into the three V’s.
There are too many apps to manage, configure and update. Each SaaS application has its own security settings, such as which files can be shared, whether MFA is required, if recording is allowed in video conferencing and more. Security teams must familiarize themselves with each application’s specific set of rules and configurations and ensure they are compliant with their company’s policies. With hundreds of app setups and tens of thousands of user roles and privileges, this quickly becomes an unsustainable scenario.
As employees are added or removed and new apps are on-boarded, permissions and configuration must be reset, changed and updated. In addition, there are continuous, compliance updates and security configurations to meet industry standards and best practices (NIST, MITRE, etc.). It's up to the security teams to continuously ensure that all the configurations are enforced company-wide. Further, security teams must stay on top of hacking attempts on their SaaS applications.
Most SaaS apps are purchased and implemented by individual departments. As touched on earlier, SaaS owners are often not trained in security and are not vigilant in the continuous needs of configuration and posture. As for security teams, they may be unaware of the app owner’s behavior if acquired by a single department.
While no one questions the need to leverage SaaS applications, employees with access or privileges often leave a company exposed, either on purpose or by accident. Between accidental shares or changing a folder from “private” to “public” so that the data can be retrieved by anyone and more, it’s clear employees’ use of SaaS apps need to be configured correctly as well as monitored.
To regain control, organizations need deep visibility and remediation capabilities to prepare for any SaaS misconfigurations that leave them vulnerable to attack. By focusing on the three V’s of SaaS security, organizations can streamline and improve their security team’s efficiency, reducing their workload and increasing protection for the company against any potential exposure or breach.