SaaS security: How to avoid “death by 1000 apps”

SaaS applications have become synonymous with modern business environments, and CISOs and security teams struggle to find a happy medium between ensuring the security of their SaaS portfolio and empowering the organization’s streamlined business workflows and productivity.

In recent conversations with leading CISOs in the global market, including Frank Kim, fellow and former CSO at the SANS Institute; Sounil Yu, CSO at JupiterOne; Ray Espinoza, VP Cloud Security at Medallia; Leon Ravenna, CISO at KAR Global; Alex Manea, CISO at Georgian and Tim Fitzgerald, CISO at Arm, we took a deep dive into the CISO perspective on SaaS challenges, security pitfalls, actionable tips for successful SaaS management and to avoid the dreaded “death by 1000 apps.”

When SaaS multiplies

The never-ending cat-and-mouse game between security teams and SaaS adoption is at once frustrating and concerning. When contending with increasing scale, CISOs are often left in the dark, unable to locate, manage and account for the sprawl. As Alex Manea states, “The reality is that every single one of these SaaS apps might be fairly secure and cause a relatively minimal amount of risk, but when you start looking at dozens or even hundreds of apps across the environment, you start getting an entirely new scope of risk.”

Manea describes the risk as “death by 1000 cuts, or death by 1000 apps, as the case may be,” and this is amplified by the speed at which these apps are adopted. “The reality is, the CISO can’t really keep up with the variety and value that SaaS applications bring,” says Sounil Yu. “These external companies provide value at a speed that meets the need of business. This is not a problem that can be solved, but a predicament we have to manage.”

Managing this sprawl with manual processes is futile, as CISOs are left guessing which apps are potentially dangerous and which are secured. As Tim Fitzgerald says, “Even if we have a handle on it one day, literally the next day there are 15 more apps that weren’t there the day before.”

Multiply the growing number of apps by the number of employees using them, and then by the amount of customer and organizational data they hold, and this risk grows dramatically. As data proliferates out of the organization and into SaaS apps, CISOs have limited to no idea of where it is, where it’s going, and who has it.

“The thing that scares me the most is dormant or zombie SaaS,” says Leon Ravenna. “Employees adopted an app because it provided them with value at the time, and after a month they moved on, but the app remains in the organization with the same privileges. Only once the app gets breached do security teams scramble to understand and evaluate what organizational data was stored in it.”

Approving/prohibiting apps

To preempt such security pitfalls, I was interested to hear what parameters enterprises should consider when approving an application or prohibiting its use.

A common practice is the use of vendor or risk assessment protocols that seek to establish a risk baseline as a guidepost for decision making. This usually comes in the form of a robust questionnaire, which Frank Kim calls, “a long, cumbersome and ridiculous set of questions.”

Inevitably, SaaS apps must be viewed as external risks requiring fortified protection. When considering which apps to approve, CISOs should treat them as they do internal security, using a holistic approach to bridge gaps and ensure that apps are evaluated by all relevant parameters. “CISOs need to look at the application’s data security, governance, identity management, logging, supply chain, threat management and endpoint management,” says Alex Manea. “SaaS apps that we deploy across the organization must support SSO and MFA. If they don’t, then these are nonstarters for us.”

On top of these parameters, Tim Fitzgerald suggests that enterprise CISOs consider two other, more overarching criteria before providing apps with privileges and access. “These companies need to be able to show some proof of their security mechanisms. It’s not enough to just be able to say what policies you have in place, but above all, we need to make sure that their business goals and the risk tolerance they might have as a company approximately matches our own.”

Alex Manea offers practical tips on assessing these factors, as well as establishing the appropriate use cases and their applicability to the organization. “We have different tiers of apps depending on what the internal use case is: whether they’re being deployed across the organization, whether they need access to internal confidential data, whether they need access to our finance or HR systems.” It is important to note, however, that these use cases can change over time. An application can start out with simple permissions and may not require access to sensitive data, so it won’t flag security teams. If a shift occurs, the SaaS provider could have massively expanded his reach in the organization without the CISO’s awareness.

As organizations scale, CISOs are presented with a new challenge – revoking privileges and offboarding applications when employees leave the workplace. Sounil Yu categorically states that “failing to offboard users is the strongest indication of a poorly-performing security function.” Few scalable controls are available to ensure that offboarding takes place and that orphaned accounts are avoided, and CISOs are left with fallible and manual processes. As Tim Fitzgerald describes, “When we seek to offboard services that we either don’t control or are not aware of, it is a very haphazard process. We rely on the personal responsibility of employees leaving the company, and this is hardly foolproof.”

Tips for CISOs on avoiding SaaS security gaps

The CISOs I spoke with described these pitfalls in organizational SaaS security programs as gaps that, in hindsight, security teams should have avoided. In sharing their own experiences, they provide security professionals with invaluable and actionable insights.

“GDPR was a real catalyst for us to locate and identify our apps and data,” says Ray Espinoza. “One of the most critical lessons we learned was to know where your data is flowing and what your SaaS apps are integrating with.” Once security teams have a general understanding of what their SaaS portfolio looks like, Sounil Yu suggests that security controls for onboarding new apps should be applied in direct context to the size and stage of the organization. “The right timing for switching from a free-for-all policy to a more controlled approach is an important decision. Placing tight controls over SaaS security may be a hindrance to the growth of a young startup when core teams are built and applications are onboarded with every new team. As the company stabilizes and the CISO has a good grasp of the SaaS portfolio, only then should they begin tightening restrictions.”

Keeping up with the scale and magnitude of business needs is a key part of maintaining the CISO’s role as a team player and an enabler of innovation. Tim Fitzgerald advises security teams to focus on being partners to business instead of obstructors. “Fighting the tide by trying to control what employees can use is futile. It’s a fight CISOs will inevitably lose and will make security teams seem anti-business and anti-innovation in the process. CISOs need strong, agile policies that build trust and make the verification process faster and easier, enabling business to thrive.”

These processes, coupled with cutting-edge security tools, should help CISOs ensure that access controls and data governance processes are in place, no matter where employees are or what apps they use. CISOs shouldn’t have to police the organization but use tools that ensure that they are automatically involved and are ahead of the game. Utilizing cumbersome point solutions that can discover only a fraction of organizational applications or monitor connections that only originate from the corporate network, will only go so far in empowering the CISO and securing the organization. Cost-effective and comprehensive SaaS coverage and governance with zero-touch should be critical components of CISOs’ grip on their organizational SaaS sprawl.