Getting to grips with SaaS security

The SaaS market is expanding at a rapid rate. In August last year, Gartner forecast that worldwide spending on SaaS would rise from $120.6 billion in 2020 to $170.9 billion this year. Gartner also states that SaaS continues to be the main spending item across all public cloud services. This means that it is imperative that organizations get a deep understanding of the SaaS apps they rely on, how they interconnect, and how they are configured to deter cybersecurity attacks.

Configuration settings are an important but often overlooked element in the security landscape, creating gaps and increasing risk and nowhere more so than in SaaS applications. While SaaS management can help to alleviate this challenge, it is important for security teams to make a case for using a dedicated solution by first understanding the key challenges.

Taking control of sprawl

SaaS sprawl grows with the number of applications an organization uses in its SaaS stack, and as information in the different applications is distributed, it becomes less and less centralized, resulting in data sprawl.

Keeping data secure means first knowing where it is. With sprawl it is difficult to track not only its location, but how the business is processing it, who has access to it, and how sensitive it is. This is exacerbated if organizations are using open APIs, where SaaS solutions are expected to work in collaboration with each other to enable improved operational efficiency.

Lurking in the shadows

The ubiquity of SaaS applications means that they encourage shadow SaaS. Neither new nor unusual, this activity allows employees to take advantage of available SaaS solutions that meet their own specific needs in a way they feel is not being met by the organization.

For security teams, however, shadow SaaS makes it impossible to track whether the apps being used are safe. The more that unknown SaaS apps are downloaded, the more they bypass security measures, leading to the creation of a broader attack surface; it is not safe to assume that the SaaS apps have security in place to protect sensitive data. Shadow SaaS does not allow for compliance with regulations that govern how organizations can use, store or transfer personal data. Failure to comply can lead to heavy fines.

Managing settings

As the SaaS market has grown to meet with customer demands, apps have become not just more abundant but also more customizable, and this too is causing challenges for security teams. Where once the number of apps was manageable, organizations may now be using thousands of SaaS applications, necessitating thousands of settings to minimize the risk of a breach. If these are misconfigured, apps can become more accessible outside the organization and a target for cyber criminals. Many of the settings are made up of identity and access controls, but to add to the settings workload for security managers, employees can also have admin rights or excessive privileges, which extends the risk.

Emerging solutions for SaaS security challenges

Technologies are now being introduced to help security teams tackle these problems.

SaaS security posture management (SSPM) platforms work by delivering automated, continuous monitoring of SaaS apps, which allows potentially unsafe configurations to be minimized, and improved management of security policies and compliance.

The Axonius Value Calculator found that if no SSPM platform is being used by an organization, security analysts can spend up to 70 hours a month reviewing configurations across all SaaS apps. The disadvantage of SSPM is that it fails to monitor the endpoints, or devices, that employees are using to access SaaS apps.

Organizations are also implementing SaaS management platforms (SMP) to improve the everyday running of SaaS operations. SMP platforms enhance the employee onboarding and offboarding experience and can track application usage while also giving a degree of visibility into SaaS licensing. What they lack is solid information about SaaS settings, data flows, misconfigurations, and user access.

Enter comprehensive SaaS management

SaaS applications are here to stay, and organizations need solutions that allow them to gain value from their SaaS operations. The most comprehensive route to success is through SaaS management that focuses on both business value and risk in one place and can provide businesses with a centralized view into their entire SaaS landscape.

What does this look like? There are three key components:

Breadth: The solution must be able to discover known and unknown SaaS applications and deliver a complete overview into all data types and interconnectivity flows.

Depth: Uncovering misconfigurations in SaaS settings and mitigating the risks they present will guard against breaches.

Context: A dedicated SaaS management and security platform will provide in-depth data insights across all SaaS apps, cloud services and the endpoints that employees are using whether they are in the office or working remotely.

We estimate that by implementing a dedicated SaaS security solution, security departments will eliminate approximately 60 hours a month in analyst time, equating to over 47,000€ annually. What is more, it ensures the company can take full advantage of the considerable SaaS market adoption without compromising on security risks.