SaaS (software-as-a-service) use is growing, and fast! It’s a great deal for both users and software companies. SaaS apps work well with our new reality of having some (or all) workers spread across a large geographical area. But all this spread-out SaaS use creates an issue for security. And just like SaaS has grown, so has the need to keep it all secure.
When making the decision on how to effectively secure your SaaS environment, there are some important capabilities to consider,
Here are 7 essential elements to look for in any SaaS security solution:
1) Prevents exposure of sensitive data
SaaS users often share files with each other that contain sensitive data such as login credentials, AWS keys, or simply information that should remain private. Security threats can start to materialize when users share a file with someone outside the organization and then totally forget about it, never ‘unsharing’ it. Or worse, a file will be set to “share with anyone,” sent to everyone involved, and then forgotten about, left open and unattended from that day onward. Anyone online with the file link can access it.
Information is the primary asset that needs to be secured, and it is what hackers usually go after in one form or another, so securing it should be one of the primary goals of good SaaS security.
2) Finds risky App2App connections
App2App connections make SaaS apps work really well with each other. But as more apps grow inter-connected, it builds a sort of “shadow network” that starts to pose security threats. SaaS security needs to be able to automatically find and fix any risky app2app connections or else it leaves a huge gap in security.
3) It helps with deciding which apps to avoid
While some SaaS apps just need to be configured safely, others should be avoided altogether for the security risks they pose to an organization. SaaS security needs to be able to help with this important decision of which SaaS apps to use and which to avoid. As most companies use hundreds of SaaS apps, the ideal solution would have a system to generate a security score for each app found and base that security score on real-world aspects of the companies that offer each SaaS app, such as regulatory compliances and business information like company size, is the company public or private, and their history of incidents. Once there’s a security score for each app, security teams can decide which score is the cutoff point.
The ideal SaaS Security solution should have a large database to ensure maximum visibility with a lower chance of missing anything. The database would also need to be updated regularly, especially with urgent issues such as any new vulnerability found in any app, or business changes such as a SaaS app’s company having an IPO and “going public” -which would increase its security standing. Having an “alive” database is as important as its size. Additionally, the database should be searchable so that SaaS apps can be “looked up” before being on-boarded and avoided if they might pose a risk.4) Finds user anomalies, inconsistencies, and unusual user behavior
Unusual user behavior is usually the first sign that a breach or hack of some kind may be occurring. By quickly identifying any user anomalies such as user inconsistencies or accounts that have been inactive for too long, a hack can be stopped early, sometimes even before a breach occurs.
Another common issue: Off-boarding ex-employees. Every company, small and large, has ex-employees. Those ex-employees had an email account and probably used it to log into SaaS apps. Many of their tokens, permissions, and other privileged access remain open until they’re revoked or expire. A good SaaS security solution should help quickly revoke this access, as well as detect any suspicious files suddenly used from any old accounts.
5) Must be Automated, and not a burden on security teams
Having a big list of security issues isn’t much use if you can’t fix those issues in a timely fashion. It just creates a huge backlog of work! More importantly, it’s critical that issues are fixed faster than they’re created. To realistically provide SaaS security to large organizations, the solution would need to leverage the power of automation to fix the issues it finds quickly.
Automating SaaS security helps in two ways. Firstly, it makes it possible for Security teams to realistically tackle all (or at least most) of the issues. Secondly, when responding to a security-related event, the faster a solution/fix can be rolled out, the less damage it will be able to cause.
6) Detection must be continuous yet non-intrusive
SaaS security needs to always be ON. It must include a system in place that constantly monitors and detects any new SaaS activity. However, this detection must happen without being intrusive. SaaS security should avoid using solutions that use a proxy, or are a proxy, or use any form of agent. Aside from slowing down the whole detection process, those often invade employees’ privacy, which is a big concern for many users.
When SaaS detection can be achieved without being intrusive, it’s quicker and easier to get the required approvals granted for the detection started. This ease of implementation, in turn, drastically expands the scope and speed of which SaaS apps can be looked for and found.
7) Option of involving the end-users
There are several important reasons why proper SaaS security would need to sometimes involve the end-users, and it really depends on the culture of each organization. The first reason is that when automation is introduced to fix security issues, you might want to “run it by” the ‘owners’ of those apps (or files) to prevent anything critical from being revoked or deleted. The other reason is that by involving the end-users, they quickly grow aware of what might lead to an issue and what is safe, making SaaS security a company-wide effort, and the organization’s overall security posture improves over time.
When SaaS security successfully combines automation and end-user engagement, it creates a well-oiled machine in which the automation does the work of keeping SaaS hygiene at the max while end-users provide oversight to prevent wrongful actions and learn something about security from the process.
Moreover, as end-users develop a stronger understanding of SaaS security over time, they become an asset to overall cybersecurity. Imagine that! Users not being a liability, but an asset to company security. That is the way it should be with good SaaS security.
The Final Ingredient
There is one more secret ingredient that makes SaaS security complete. It must have all of these. All seven. If one of these seven ingredients is missing, then that’s an attack surface that can be exploited. SaaS security must be able to protect sensitive data from exposure, find risky App2App connections, help with knowing which apps to avoid, find any user-related issues, provide automation for tackling tasks loads, detect new SaaS apps continuously yet non-intrusively, and keep end users in the loop so that they can be part of the solution. The ideal solution would cover all seven of these bases.
Proper SaaS security should be an enablement tool that helps security teams fix the problems that are found without taking up too much of their precious time and without piling up. At the same time, it also needs to let users throughout the organization keep using SaaS securely to get their work done.
About the author: A retired Colonel from the prestigious 8200 Unit, Galit Lubetzky Sharon has vast, hands-on experience designing, developing and deploying some of the Israeli Defense Forces (IDF) most vital defensive and offensive cyber platforms as well as leading large development teams. Galit was an integral part of developing the IDF’s first cyber capabilities and continued improving and enhancing these capabilities throughout her military career. She is the recipient of numerous accolades including the prestigious Israeli Defense Award. Galit Co-Founded Wing Security and is Chief Technology Officer, leading the company’s cutting-edge cyber security technology.