Skip to main content

SaaS security: Out of sight, not out of mind

(Image credit: Image Credit: Wright Studio / Shutterstock)

As SaaS adoption is on the rise, businesses realize they lack the resources needed to properly configure each app. Whether it’s Office 365, Salesforce, Slack, SuccessFactors, or Zoom, all SaaS apps include a host of security features designed to protect the business and its data. While initially, the job of ensuring these apps’s security settings are properly configured goes to the security team, companies quickly learn this model is not sustainable. Here’s why.  

The SaaS environment

Today’s SaaS app environments are constantly changing. There are global setting updates, and many changes on the user level as employees in an enterprise will come and go. In both instances, the permissions and configurations must be reset, changed, or updated. These actions are vital to ensuring each app adheres to the latest security standards (NIST, MITRE, etc.). But that’s not all, they must also be in line with best practices and enforced across the company with no exceptions.

Keep in mind these apps are like snowflakes. No two are the same when it comes to their security configurations for compliance. This includes details on privileged access, which files can be shared, whether multi-factor authentication or video recording is enabled, and more.  To ensure the apps adhere to the company policies, security teams must review and learn the specific settings and configurations for each and every application. This learning takes time since security teams are not day-to-day app users and lack familiarity with the settings. 

Now add up the configurations, user roles, and privileges and the onboarding and offboarding that happens with each app. Next, multiply that by the number of apps—while some businesses have a small number of apps many others have deployed hundreds. Whatever the figure is for your business, each app has hundreds of settings and is used by thousands of employees (or more). What’s left is an unrealistic burden that’s being placed squarely on the shoulders of the security team that doesn’t have time to do what’s required. This point is reflected in Adaptive Shield’s 2021 SaaS Security Survey Report, where 12 percent of companies said they check for SaaS misconfigurations weekly.

Out of sight, out of mind?

As mentioned above, security teams are not deeply familiar with these apps since the SaaS app-admin often sits outside their department. Furthermore, due to the nature of the ease of purchase, the security teams are typically involved only after the app is purchased.  As a result, the burden of securing these apps falls to the departments that procured them and uses them daily. These are employees, people who work in marketing, sales, HR and other departments. These professionals are highly skilled in their respective roles but they share one commonality—they are untrained and not as focused on security aspects. This is in line with findings from our 2021 SaaS Security Survey Report where 52 percent of businesses said they delegate responsibility over app security to the SaaS owner as Security teams have no ability to manage this task. 

Teams store vast amounts of critical data in these SaaS apps. This includes everything from private employee and customer details to highly confidential business projects, financials and more. Because marketing or sales (for example) brought these apps in, the owners lack the security training and time needed to maintain configuration and posture. Over time, every app becomes increasingly vulnerable while security teams remain in the dark with no ability to determine the business’s exposure or risk.

This risk is further compounded when everyday employees control who has access to which app and what privileges are given to each user. This model leads to errors that expose the company. 

One example of an unintentional exposure begins with a simple email. When preparing the email, a recipient’s address or that of an entire group gets auto-filled or mistyped. What follows is the email gets sent to the wrong person or group of people. This could easily include an external user gaining access to content, thereby exposing the company. Another simple error begins when a user changes a folder from “private” to “public.” That one likely unintentional click suddenly allows anyone to access the data.

The criminal factor

If these factors are not challenging enough, let’s not forget the threats that are coming from cybercriminals. These criminals are not only getting more intelligent and persistent, they are using new, more sophisticated techniques. When considering the scenarios above, SaaS apps are an easy target. 

What’s encouraging is that awareness around this issue is growing—our research found that 85 percent of companies consider SaaS misconfigurations one of the top 3 threats, following only by account hijacking and data leakage. But awareness alone is not enough to protect your company.

I am not suggesting businesses refrain from using SaaS. Quite the opposite in fact. SaaS apps are more vital for businesses today than ever, but a new approach is required. According to Gartner, the answer is SaaS Security Posture Management (SSPM), which provides a new approach to protecting data stored in SaaS applications. In fact, this past September, SSPM was named one of the “4 Must-Have Technologies That Made the Gartner Hype Cycle for Cloud Security, 2021

Rather than stretching an already overtaxed security team or gambling on your day-to-day app users, SSPM tools monitor SaaS security settings to ensure that each is correctly configured. For those that are not, these tools can automatically flag misconfigurations. 

Expecting your security teams to stay on top of SaaS Security misconfigurations without a proper SSPM solution is unrealistic and in 2022, as adoption of these solutions continues to grow, it also becomes increasingly more reckless.  Businesses today should not have to choose between SaaS and security. While there are many cloud security options available to help, SSPM is the only option that allows companies to experience the full benefits of their SaaS investments by closing the door to possible exposure.

Maor Bin

A former cybersecurity intelligence officer in the IDF, Maor has 16+ years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint.