How SaaS Security Became One Of The Most Overlooked Threats In The Enterprise

Software as a service (SaaS) applications have evolved considerably in the past 10 years. What began as simple web applications have become complex platforms that are far more powerful and customizable than they were even five years ago. Many of the largest SaaS platforms, including Microsoft 365, Salesforce, Workday, HubSpot and Zendesk, now support a wide array of both internal and external users and host ecosystems of thousands of easily integrated third-party applications.

Within most large businesses, a matrix of hundreds of unique SaaS applications now run critical day-to-day operations and house sensitive business data in the cloud. In fact, Gartner, Inc. estimates that 95% of new enterprise application purchases are cloud-based.

Even though SaaS has become a large and essential part of the IT stack, SaaS security continues to lag far behind security for other types of technology. Why? The answer stems from the way SaaS originally made its way into organizations 10 to 20 years ago.

In the early days of SaaS, from about 2000 to 2010, newly established SaaS vendors frequently targeted specific business units like sales, marketing and HR. These teams may have been looking for a faster and more automated way to do specific parts of their jobs and were often more willing to embrace new — and sometimes risky — software than the IT and security teams that were managing the rest of the enterprise tech stack. The cloud-based nature of SaaS, along with the relatively low cost to implement, meant that it was easy for business units to completely bypass security and IT teams. This led to a wild phase in enterprise IT where these types of “rogue” technologies were rampant throughout most businesses with no official oversight.

Today, many things have changed. SaaS vendors have become some of the most respected companies in the world, employing many of the world’s best security teams. The typical SaaS footprint has grown from a few licenses in a sales or marketing organization to most employees now using solutions like Zoom, Slack, Microsoft 365 and Workday. Organizations in even the most regulated industries like banking, healthcare and government now trust SaaS to house their most sensitive data.

However, when it comes to security, much of the legacy of SaaS’s early days persists:

• The evaluation and purchase decisions for SaaS apps often still lie with the business units rather than with IT or the CIO, as they do for other types of technology.

• Many security teams, already over-capacity and understaffed, have never found the time to add SaaS to their scope.

• Technology leaders continue to lean on the myth that SaaS vendors are 100% responsible for securing their customers' data, rather than applying the shared responsibility model that is standard elsewhere in cloud computing: the vendor secures the platform itself, but the customer remains responsible for its own identities, permissions, configurations, integrations and data.

• In most organizations, no one is ultimately responsible for SaaS security.

I don’t believe that SaaS is inherently risky. However, the rapid adoption of SaaS technologies combined with the lag in SaaS security investment has created a powder keg of vulnerabilities. Organizations of all sizes need to prioritize SaaS security as they would for any other type of technology that houses sensitive data. Here’s how IT leaders and CISOs can get started if they haven’t already:

• Assign ownership of SaaS security to a team and specific individuals within the organization.

• Understand who has access to what data. This doesn’t just mean employees within your organization but also partners, customers, contractors, connected third-party apps, APIs and IoT devices.

• When deciding where to start, focus on the technologies that house the most sensitive data and have the largest number of regular users. Also, pay close attention to the applications that have a large number of external users and connected apps, because external-user and integration permissions are frequently misconfigured.

• Embrace automated tools. There is no standardization across SaaS apps when it comes to security architecture, and each application has dozens, if not hundreds, of security configurations that can change with every new vendor release. It is not feasible to expect small security teams to adequately manage the constantly changing permissions and configurations across their SaaS environment with manual processes alone.
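The four steps above (ownership, access inventory, prioritizing sensitive and externally exposed apps, automation) reduce in practice to a repeatable audit over each tenant's configuration and permission export. The following is an added example, not code from the original article or from any vendor: it audits a constructed snapshot of one hypothetical SaaS tenant against a settings baseline and flags configuration drift, external identities holding admin roles, stale accounts, and connected apps with broad scopes or external installers. The snapshot format, field names (`mfa_required`, `connected_apps`, `full_access`, and so on) and thresholds are assumptions for illustration; a real tool would build the same structure from each platform's admin API, which differs per vendor.

```python
"""Hypothetical SaaS tenant audit: baseline drift plus access and integration checks.

Added example. The snapshot, baseline and field names below are constructed for
illustration and do not correspond to any vendor's real export format.
"""
import json
from dataclasses import dataclass

# Constructed snapshot of one tenant, in the shape a per-vendor exporter might emit.
SNAPSHOT_JSON = """
{
  "app": "crm-example",
  "settings": {
    "mfa_required": false,
    "session_timeout_minutes": 720,
    "public_sharing_enabled": true,
    "api_access_restricted_to_allowlist": false
  },
  "users": [
    {"email": "alice@example.com", "role": "admin", "external": false, "last_login_days": 3},
    {"email": "bob@partner.example", "role": "admin", "external": true, "last_login_days": 140},
    {"email": "carol@example.com", "role": "user", "external": false, "last_login_days": 1}
  ],
  "connected_apps": [
    {"name": "Lead Sync Bot", "scopes": ["read:contacts", "write:contacts"],
     "installed_by": "carol@example.com", "last_used_days": 2},
    {"name": "Old Dashboard", "scopes": ["full_access"],
     "installed_by": "bob@partner.example", "last_used_days": 200}
  ]
}
"""

# Baseline: the value each security setting is expected to hold (assumed values).
BASELINE = {
    "mfa_required": True,
    "session_timeout_minutes": 60,
    "public_sharing_enabled": False,
    "api_access_restricted_to_allowlist": True,
}
BROAD_SCOPES = {"full_access", "admin", "*"}  # scopes treated as tenant-wide (assumed names)
STALE_DAYS = 90                               # inactivity threshold for users and integrations


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    category: str   # "drift", "access" or "integration"
    subject: str    # setting key, user email or app name
    detail: str


def check_settings(settings, baseline=BASELINE):
    """Compare each baseline setting to the snapshot; a missing key is itself a finding."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(Finding("medium", "drift", key, "setting missing from snapshot; check the exporter"))
        elif actual != expected:
            findings.append(Finding("high", "drift", key, f"expected {expected!r}, found {actual!r}"))
    return findings


def check_users(users):
    """Flag external identities with admin rights and accounts that have gone stale."""
    findings = []
    for u in users:
        if u["role"] == "admin" and u["external"]:
            findings.append(Finding("high", "access", u["email"], "external identity holds admin role"))
        if u["last_login_days"] > STALE_DAYS:
            findings.append(Finding("medium", "access", u["email"], f"no login in {u['last_login_days']} days"))
    return findings


def check_connected_apps(apps, users):
    """Flag integrations with broad scopes, external installers, or no recent use."""
    external = {u["email"] for u in users if u["external"]}
    findings = []
    for a in apps:
        broad = set(a["scopes"]) & BROAD_SCOPES
        if broad:
            findings.append(Finding("high", "integration", a["name"], f"broad scopes {sorted(broad)}"))
        if a["installed_by"] in external:
            findings.append(Finding("medium", "integration", a["name"], f"installed by external user {a['installed_by']}"))
        if a["last_used_days"] > STALE_DAYS:
            findings.append(Finding("low", "integration", a["name"], f"unused for {a['last_used_days']} days"))
    return findings


def audit(snapshot_json):
    """Run all checks over a JSON snapshot and return findings, highest severity first."""
    snap = json.loads(snapshot_json)
    findings = (check_settings(snap["settings"])
                + check_users(snap["users"])
                + check_connected_apps(snap["connected_apps"], snap["users"]))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.category, f.subject))


def summarize(findings):
    """Count findings per severity, e.g. for a per-app dashboard or a release-time diff."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SNAPSHOT_JSON)
    for f in results:
        print(f"[{f.severity:6}] {f.category:11} {f.subject}: {f.detail}")
    print(summarize(results))
```

Running the audit after every vendor release, and diffing `summarize()` output against the previous run, is what turns the baseline into drift detection: a setting that silently flips back to its permissive default shows up as a new high finding rather than waiting for a manual review.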

Organizations are already enjoying the benefits of SaaS, including fast implementation, low upfront costs and scalable functionality for distributed teams. However, with the power, customization and flexibility that SaaS provides comes the responsibility for organizations to securely manage configurations, usage and data access within their SaaS environments.


Courtesy: https://www.forbes.com/sites/forbestechcouncil/2022/01/19/how-saas-security-became-one-of-the-most-overlooked-threats-in-the-enterprise/?sh=74416b58ae38
