Four steps SMBs can take to close SaaS security gaps

Despite economic volatility and tighter budgets, adoption of software as a service (SaaS) continues to increase. Gartner forecasts a 16.8% growth for SaaS in 2023 as companies – including SMBs – add new SaaS platforms to their IT stack.

This echoes what we saw over the last half of 2022: SMBs are embracing SaaS wholeheartedly. In addition to the horizontal applications for business management, office tools, sales, collaboration, HR, marketing and the like, we are seeing SMBs adopting vertical apps across a wide range of industries.

The result is a daunting security challenge for companies operating with a lean IT team and even leaner IT security staffing. In our experience, through years in the industry, smaller organizations can use an average of 47 SaaS applications. For larger companies, the numbers go into triple digits. Each of those apps represents an attack surface that can put an SMB and sensitive data like personally identifiable information (PII), personal health information (PHI) and credit card numbers at risk.

Organizations need to apply the same rigorous cybersecurity controls, compliance, monitoring, threat detection and response, and threat hunting used for on-premises resources to cloud infrastructure. Still, there is often uncertainty regarding cloud security roles and responsibilities. Too often we find SMBs think security is all in the hands of the SaaS provider, when in fact the SaaS customer is always responsible for their data and their users.

Here are four steps an SMB can take to close the security gaps in using SaaS applications:

1. Understand the shared responsibility model for cloud security for your SaaS apps

Each of the major cloud service providers (CSPs) has its own version of the shared responsibility model for cloud security that defines where the CSP’s responsibility ends and yours begins. The model will vary somewhat between CSPs and depends on which type of cloud service is being used: infrastructure as a service (IaaS), platform as a service (PaaS) or SaaS.

For all three models, the CSP is always responsible for the security of their data center facilities, the host hardware and software, and networking used to run the cloud service. For SaaS vendors, responsibility continues up the stack and depends on the CSP. In some models, the CSP is solely responsible for the security of the application layer, while the customer is fully responsible for data and user access and identity. In other vendor models, CSPs and customers share responsibility for application-level controls, identity and access management (IAM) and endpoint protection. While it’s a shared responsibility, the end customer ultimately retains full responsibility for protecting data and managing the risk.

Due diligence in choosing SaaS products should include understanding who is responsible for what and attending to your responsibilities. For example, if your company subscribes to Microsoft 365, setting application configurations, enabling multi-factor authentication (MFA), creating and removing user accounts, and assigning role-based access are all on you. Some SaaS providers include encryption of data in transit and at rest, while others assign that responsibility to you. The permutations are complex when you have dozens of SaaS relationships.

2. Monitor SaaS application configurations and integrations

Like all software products, SaaS applications come with default configurations — and these are different across all apps in your SaaS stack. Accepting these defaults or changing them to meet your security requirements is your responsibility. Also up to you is ensuring the security of integrations between a SaaS app and other apps, like integrating Slack with Google. This is complicated by the fact that your end users set configurations and enable integrations without IT security’s knowledge. It’s important to review these configurations on a regular basis because of end user behavior and since application security can drift with product updates.

3. Understand the shared responsibility model between you and your managed services provider

Many SMBs use managed service providers to supplement scarce internal resources for IT management, to help with IT security operations, or both. To close gaps in SaaS security, ensure that you and your service provider understand who will be responsible for what, including incident response.

4. Integrate all SaaS security telemetry with your security operations center monitoring tools and security information and event management platform

This step is critically important. Your security operations center (SOC) and security information and event management platform (SIEM) should be receiving the telemetry streams from all your SaaS apps as well as firewalls, endpoints and on-premises resources. Without this integration, you can be blind to events that can signal attacks on your cloud data. This slows response, giving cyber criminals a foothold into your infrastructure. If you are using managed services for your SOC or SIEM platform, make sure the service provider supports the apps you want to integrate as part of your SaaS selection process.

Key takeaways

Always remember the general rule that CSPs and SaaS providers are responsible for security of the cloud, while end customers are responsible for security in the cloud.

SaaS applications are essential accelerators for SMBs even though they broaden attack surfaces and can create security blind spots. SMBs should leverage the cloud security capabilities and expertise of CSPs, SaaS companies and managed services providers to fully realize the transformative advantages of SaaS applications.