Cloud migrations and SaaS adoption have skyrocketed during the pandemic. In fact, a recent survey shows that the pandemic caused 40% of businesses to accelerate their move to the cloud. Companies rely on the flexibility of these platforms and tools to increase productivity regardless of employee location.
Organizations also often connect these applications to critical business processes, transferring valuable customer data, personally identifiable information (PII), financial data, and other sensitive information to help processes run smoothly. But as more business processes span from on-premises to the cloud, companies are starting to lose visibility into the risk of their interconnected application ecosystem.
The problem is that, in an interconnected environment, one misconfigured system or security vulnerability can put the entire enterprise at risk. At the same time, it is becoming increasingly difficult for IT, cybersecurity, development, and audit teams to understand which applications and services support critical business processes, how they interconnect with each other, and how changes impact compliance, security, and availability.
With remote workforces becoming a long-term reality and organizations embracing the power of working from anywhere, now is the time to ask three key questions to ensure every organization understands what’s at stake and how to mitigate risk.
How can misconfigurations create risk?
Digital transformation processes, combined with a steady increase in the consumption of cloud services and APIs, have made it incredibly easy to integrate and connect two or more different systems from different vendors. But whether you’re looking to interconnect Oracle with SuccessFactors or SAP with Salesforce, APIs can introduce significant risk.
This is because many business applications reflect complex workflows and processes built on complex underlying technology. So, while integrations can be easy, companies are now working with two highly configurable applications fused together. And with greater power comes greater risk. The ability to customize these applications can introduce all sorts of different vulnerabilities that could impact areas such as integrations, authentication, auditing, encryption, and user authorization.
To identify these risks, businesses first need to develop a deeper understanding of the underlying technology. The second step is to create an asset map, including cloud and on-premises assets, to understand which applications are connected to what and what data is being transferred.
Finally, businesses need to rely on security and compliance partners to analyze each application and the data it supports to better understand gaps in protection and compliance. For instance, looking at GDPR for Human Resource data, SOX for financial information, or PCI for credit card information becomes an excellent driver to provide some level of control.
At the end of the day, one of these seemingly minor inconsistencies could jeopardize the entire application and integrity of the data – which still falls on the customer to protect regardless of deployment – so gaining control of configurations is imperative.
How can we stay on top of user privileges?
Authorization and access control are the basic building blocks of risk management and internal controls for a business. Knowing who has access to what, and enforcing Segregation of Duties (SoD), are vital to ensuring critical functions are dispersed among more than one person or department to mitigate the risk of fraud and error.
However, as businesses shift applications from on-premises to cloud environments and as departments purchase SaaS applications outside of IT’s purview, maintaining an accurate view of privileges becomes difficult. Moreover, bad actors’ ability to impersonate people, which is even more prevalent in the cloud, makes it extremely critical to have tight control of user authorizations across all business applications. From an internal perspective, a lapse in privileges can give an employee or a bad actor the ability to move from application to application with ease.
As some processes span multiple applications, the ability to correlate users is vital for effective control of authorizations and SoD. To further combat this complexity, security teams should also consider looking for technology that provides a broad view of user activity between applications, with the ability to flag anomalous behavior or raise alarms when privileges have been escalated without permission.
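An added example (not from the original article) of the cross-application correlation described above: it groups per-application accounts under one person, checks SoD rules that span applications, and flags entitlements gained between two snapshots without an approval. The application names, accounts, entitlements and rules are constructed for illustration, and matching accounts on e-mail address is an assumption.

```python
from collections import defaultdict

# Constructed sample data: (application, local account, correlating e-mail, entitlement).
GRANTS = [
    ("erp", "JSMITH", "j.smith@example.com", "create_vendor"),
    ("payments", "john.smith", "J.Smith@example.com", "approve_payment"),
    ("erp", "ALEE", "a.lee@example.com", "create_vendor"),
    ("hr", "alee01", "a.lee@example.com", "view_payroll"),
    ("payments", "svc-batch", "", "approve_payment"),
]

# Hypothetical SoD rule set: duties that one person must not hold together.
SOD_RULES = [
    ({"erp:create_vendor", "payments:approve_payment"}, "vendor fraud"),
    ({"hr:edit_salary", "hr:approve_salary"}, "payroll fraud"),
]

def correlate(grants):
    """Group app-scoped entitlements under one identity per person."""
    by_person, orphans = defaultdict(set), []
    for app, account, email, entitlement in grants:
        key = email.strip().lower()  # assumption: e-mail is the join key
        if not key:
            orphans.append((app, account))  # cannot be tied to a person
            continue
        by_person[key].add(f"{app}:{entitlement}")
    return by_person, orphans

def sod_conflicts(by_person, rules=SOD_RULES):
    """Return (person, risk) for every rule whose duties one person holds in full."""
    return sorted((person, risk)
                  for person, held in by_person.items()
                  for duties, risk in rules
                  if duties <= held)

def unapproved_escalations(before, after, approved):
    """Entitlements gained between two snapshots with no matching approval."""
    return sorted((person, ent)
                  for person, held in after.items()
                  for ent in held - before.get(person, set())
                  if (person, ent) not in approved)
```

Neither the ERP nor the payments system sees a conflict on its own; it only appears once `JSMITH` and `john.smith` are resolved to the same person. Accounts that cannot be correlated are returned separately so they can be reviewed rather than silently skipped.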
What’s the key to ensuring continuous compliance?
Gartner is projecting a significant jump in data privacy regulations – from 10% of the world covered in 2020 to 65% in 2023. This can be challenging for businesses running a web of interconnected on-premises, cloud-based, and SaaS applications, many of which are heavily regulated to ensure PII and financial data are protected.
Traditionally, audit teams responsible for ensuring regulatory standards perform manual checks to ensure compliance. Today, different business lines such as HR often use SaaS applications like SuccessFactors and Workday. Because these applications are often connected to one another, audit teams struggle to find one source of truth, which complicates manual processes. These manual audits can take countless hours between screenshots and Excel spreadsheets, cost hundreds of thousands of dollars, and only show the results of a “point-in-time” check.
Automation is the key to simplifying and streamlining these cumbersome tasks. A good solution can intelligently analyze connections between applications to get the full sense of where compliance errors originate and how to fix them. It can also push organizations toward a level of “continuous compliance,” allowing them to streamline the most critical controls across business applications to save time and money, while capturing the evidence that auditors mandate for different compliance regulations.
SaaS and cloud applications have become key factors in digital transformation and enable employees to become more efficient regardless of their working location. However, these same applications open up critical compliance and security risks that, if not addressed correctly, could put a company in the headlines and expose it to significant fines. As companies continue to rush to SaaS, they must ask themselves these key questions to help mitigate risk, bolster security, and remain continuously compliant.