SaaS security in 2021
The migration toward subscription-based services via the SaaS business model isn’t new this year — it’s part of a larger shift away from on-premises datacenters, applications, etc., that has been underway for years. The pandemic accelerated the shift, boosting SaaS subscriptions as companies looked for virtual collaboration and meeting tools.
What is new on a larger scale is the way employees interact with business applications, and that has implications for IT departments worldwide. As a result, companies have to make sure that SaaS vendors keep their company’s data secure, and that their employees’ use of these SaaS solutions is also secure when end users are not connected to the office network.
In 2021, IT professionals will contend with security risks that have been increased by the expanded use of multiple SaaS vendors, proliferating endpoints and advances in hacking techniques. They’ll respond by beefing up security in three important ways:
IT will up-level security architecture
New ways of interacting with apps will require new thinking about security architecture in the coming year. IP whitelisting for SaaS access only works when employees log into the network before accessing a cloud solution, but there is a growing trend toward direct connections to cloud solutions.
IT will respond with cloud-native solutions to reassert control over crucial functions like patch management, configuration management and endpoint protection for devices that aren’t connected to the company network. They’ll also look for BYOD security strategies and take a more modern approach to security architecture that includes cloud-based security and access management protections, such as multifactor authentication and federation with SaaS applications.
Additional security architecture measures in 2021 may include reviews of SIEM log integration and partnership with cloud access security brokers. It will be critical for IT to strike a balance between security policy enforcement and business requirements via the security architecture.
Multidisciplinary teams will improve governance in the SaaS era
It’s clear to IT leaders that unvetted SaaS solutions (shadow IT) pose a variety of risks, including exposure of sensitive information, data ownership issues and regulatory compliance problems. The question is who is best suited to mitigate those risks, and in 2021, more companies will find that it takes a multidisciplinary strategy.
A proactive governance approach requires a defined process involving a multidisciplinary team that ensures visibility and directly addresses risks to keep exposure within acceptable levels. Companies have to classify data in terms of integrity, confidentiality and availability to find the ideal balance between security and costs and determine acceptable risk levels.
Cloud providers share responsibility to keep data secure along with the company, so it’s important to define exactly who is responsible for what. Companies typically manage user access, endpoint devices and data while SaaS vendors oversee apps, virtual machines, databases, etc.
To fulfill their governance objectives, IT leaders will look for SaaS providers that offer multiple configuration options, including password settings/identity federations and authorization models, as well as availability plans to meet goals related to recovery time and recovery points.
Companies will take a macro approach to evaluating SaaS vendors
Comparing vendor security measures against their company’s defined requirements on every point is a tall order, given the volume of cloud solutions employees are adopting. In the coming year, companies will be more likely to evaluate and reevaluate vendors from a higher level by looking at factors like vendor security certifications and assurance reports (ISO 27001, SOC1/SOC2, etc.).
IT leaders will also rely on questionnaires to document security practices, using best practices from organizations like the Cloud Security Alliance to define requirements. Testing will also play a role, either via access to third-party penetration tests shared by the vendor or the vendor’s willingness to accommodate customers’ requests to perform their own tests.
Companies should realize that many SaaS providers will use sub-providers, such as AWS, Microsoft Azure or Google Cloud, to host their services. This will bring many benefits, as the SaaS provider can leverage the built-in security capabilities of those providers. At the same time, SaaS users should verify that the SaaS vendor does its part to keep data secure as it interacts with the underlying cloud provider.
Additionally, IT will demand that vendors upgrade customer capabilities, including the ability to identify federations or password settings, define user roles, segregate duties, etc. IT will also require the ability to conduct system-to-system integrations in a secure manner when necessary and make sure data location meets any applicable regulatory requirements, such as GDPR compliance.
Use of SaaS solutions surged during the pandemic, and it’s clear that trend will continue into 2021. It’s been a challenge for IT teams to protect data while rapidly expanding access to the devices, solutions and information that enabled business continuity during a once-in-a-century global health emergency. IT leaders and their teams at millions of companies have done heroic work over the past several months.
As 2021 gets underway, IT will be looking to consolidate gains and ensure safe operations. The most forward-thinking IT professionals will meet new requirements by upgrading security architecture, taking a more expansive approach to governance and evaluating vendors more efficiently. These steps will allow their companies to enjoy the benefits of a SaaS environment while mitigating the risks more effectively.