Traditional cybersecurity methodologies have adapted to the accelerated use of cloud service models (IaaS, PaaS, DaaS, SaaS), each with its own risk profile, blind spots, and discovery, assessment and remediation challenges. The dramatic changes that the modern workplace has undergone, including the shift to remote work, which distanced users from their organizational admins, infrastructure and internal networks, have caused SaaS to significantly eclipse IaaS and PaaS as the preferred cloud service model for the modern business.
According to Gartner, SaaS has become the largest public cloud market segment, with large enterprises reporting the use of more than 288 SaaS applications. This exponential growth in SaaS adoption has overwhelming business benefits, but the security mechanisms for governing this sprawl – and securing the assets that sprawl with it – are woefully inadequate. Security has failed to keep up with business needs and demands for efficiency at scale, generating frustration within security teams and inducing a concerning expansion of the organizational attack surface.
The global cybersecurity community understands that the traditional network security paradigm has held the industry back, and strides are being made to catch up. However, when organizations attempt to implement cybersecurity best practices such as the NIST Cybersecurity Framework and the SaaS Governance Best Practices from the Cloud Security Alliance (CSA), the significant insights and practical suggestions in those documents are simply not applicable to the size and scope of SaaS today. We have to treat SaaS security as a distinct discipline, because its security risks break traditional security frameworks.
CSA’s SaaS Governance Best Practices are an excellent tool for security professionals to assess and improve their SaaS security posture, but its main focus areas (discovery, evaluation, management and security) are difficult to undertake with existing solutions at the speed of current and future SaaS adoption. These critical elements of a sound SaaS security posture at scale require automation, as well as control over identity, endpoints or networks where governance and enforcement demand it. Here are the basics of CSA’s best practices:
- Discovery.
Make mapping SaaS usage across the organization the core element of a SaaS security posture. As part of our research at Grip, we found that security teams are alarmingly unaware of the scope and breadth of SaaS use by company employees, as their number multiplies. The sheer volume of SaaS apps is the first challenge CISOs face when trying to generate a comprehensive SaaS inventory, and existing methodologies for doing so are extremely limited.
CISOs today aim to become assets to the organization as a whole, using security to empower the business and finding innovative solutions to ensure business continuity. Existing SaaS discovery products, however, harm their ability to do so by placing security oversight of all potential SaaS under the purview of IT and security teams before use. This has clearly become unsustainable and short-sighted, as security teams have little time or few resources to do so centrally and effectively. Another option for discovery is the analysis and evaluation of logs from firewalls and CASBs. Unfortunately, legacy offerings such as CASBs have significant blind spots and were never designed for a model where each employee decides which SaaS app to use.
SaaS security services should offer organizations comprehensive information derived from the heart of their SaaS use, on their data’s movement throughout SaaS integrations, on location, oversight, and use of this data, and the existence of shadow SaaS that could cause potential harm.
- Evaluation.
Security teams must stay involved in the evaluation of which SaaS applications are necessary for the organization and required by users to fuel business growth prior to procurement. If business needs are considered without security in mind, this may lead to an arduous security “catch-up” process and inevitable frustration, as the employees will see security teams as obstructors of efficiency should they block the adoption of certain applications.
Evaluation and adoption processes entail extensive market research and demand for proofs of concept prior to procurement, but must also factor in additional elements which are crucial for CISOs to sign off on the application. These include parameters relating to the application’s data security, governance, identity management, logging, supply chain, threat management and endpoint management. Overall, CISOs should view SaaS onboarding as an external risk, and require vendors to show dedicated security measures to manage and mitigate this risk. The sheer velocity and scale of SaaS adoption has become a great challenge, as security teams struggle to ensure that the security evaluation processes keep up with organizational needs and timelines.
- Management.
The SaaS adoption process does not culminate in onboarding and use. Management of SaaS consumption from deployment to growth has become an impossible task – while its importance grows with every app adopted. SaaS management and risk assessment begin with vetting vendors and ensuring compliance with both internal and international standards and regulations and continue throughout the application lifecycle within the organization. While SaaS management should occur organically, today’s security teams employ time-consuming and resource-intensive processes that only focus on those apps most regularly used by company employees, without an end-to-end, comprehensive framework. SaaS management should encompass the entirety of an organization’s SaaS portfolio – especially those applications that are adopted independently, without security oversight, and those that are unseen and unused but still hold overarching access permissions.
The CSA’s SaaS Governance Best Practices offer a comprehensive framework that security teams can use as the foundation of a healthy SaaS security program. That said, building such a program with existing security tools, while SaaS use scales exponentially, makes implementation of the framework difficult. Organizations must continue benefiting from SaaS efficiency, agility and ease of use, but must also scale their security methods accordingly – using automation for discovery, prioritization, security and orchestration. These elements are severely lacking in current security solutions.
CISOs are on the front lines of SaaS risk management and mitigation efforts, and hold the ultimate responsibility for organizational data, customer trust and regulatory enforcement. They deserve tools that let them easily determine acceptable risk levels and implement security and privacy requirements while ensuring regulatory compliance and adherence to internal controls. Empowering CISOs in this manner will help organizations make the best – and safest – use of their SaaS portfolio.
Lior Yaari, co-founder and CEO, Grip Security