In both our roundtable sessions and Innovation Advisory Councils, we’ve heard the complications and frustrations that leadership faces when attempting to manage their security posture and risk associated with SaaS applications. We turned to our 2020 Innovator of the Year Brendan O’Connor, the CEO and Co-founder of AppOmni – a leader in SaaS security – to discuss the most common challenges he’s seeing as well as the best practices companies should be implementing.
Organizations are increasingly moving their data to SaaS platforms. But while companies are racing to adopt SaaS, many haven’t yet put the tools and processes in place to protect their SaaS data, leaving it vulnerable in the cloud. AppOmni’s research has revealed that 95 percent of companies have external SaaS users – that is, non-employee users like partners, customers, and contractors – who are over-provisioned and have access to sensitive data intended only for internal access. An even more worrisome statistic is that 55 percent of companies we analyzed have sensitive SaaS data that has inadvertently been exposed to the anonymous internet with no username or password required for access.
Through our work analyzing hundreds of businesses, we’ve discovered several common challenges organizations face when it comes to SaaS security. Here are a few of the key challenges we’re seeing along with best practices for companies who want to implement or improve a successful SaaS security program.
No one could have predicted the COVID pandemic or the nearly overnight shift many organizations experienced from a primarily in-office culture to a fully distributed workforce. This shift accelerated the move to cloud and SaaS that was already taking place. Gartner now estimates that 95 percent of new enterprise applications purchased are cloud-based. But in the race to adopt cloud and SaaS solutions for these newly remote workers, many companies haven’t invested the time and resources to adequately protect the sensitive data that’s now in the cloud.
SaaS solutions are rapidly evolving to play an ever-larger role in the enterprise. What were relatively simple applications just a few years ago have quickly morphed into complex platforms – some might even say a new breed of business operating system. SaaS environments now house massive amounts of business-critical data and accommodate a wide variety of users with varying levels of permissions. Users may now include internal employees across all areas of the business, contractors, brokers, partners, customers, IoT devices, and a host of API integrations and connected third-party apps.
But while enterprises have expanded the scope and footprint of their SaaS environments, most haven’t updated their security tools and processes to appropriately manage the increased level of complexity and highly dynamic nature of SaaS.
CASBs are one of the most common solutions used to secure SaaS. However, many of these tools focus only on users accessing SaaS through the corporate network. This leaves many other access points – like APIs, 3rd party application connections, and external user portals – invisible to security teams and therefore unprotected.
We’ve seen other organizations that rely exclusively on periodic pentests to evaluate the security of their SaaS environments. But while pentests can be useful, the single point-in-time view they provide isn’t adequate to secure dynamic SaaS environments. Normal business operations – like adding and removing users and connecting new 3rd party applications to the platform – along with regular security and feature updates released by the vendors mean that SaaS environments are constantly changing. This often makes the results of a pentest quickly obsolete.
Most businesses use multiple SaaS applications. For a large enterprise, the number of active cloud and SaaS apps is usually dozens if not hundreds. Unfortunately, there’s no standardization when it comes to security settings across SaaS apps. This makes it very difficult for security teams to understand the nuances of every application and often leads to misconfiguration.
The ever-changing nature of SaaS just compounds the problem. Even if a SaaS instance is configured properly during the implementation phase, most teams don’t have the resources or expertise to continually monitor permission updates, API access changes, or new vendor releases. When you think about the scale of this challenge being hundreds or thousands of users across dozens of SaaS apps, it’s easy to see how configuration drift occurs over time. It’s clear that this shouldn’t be a task done manually. Companies need to embrace automated solutions to help.
AppOmni’s data shows that there are an average of 42 distinct third-party applications connecting into live SaaS environments within an enterprise. These apps provide an incredible amount of flexibility and functionality – from digital signature apps to expense reporting to lead scoring – and are often critical to everyday business processes. But as the number of connected apps increases, so does the risk and the attack surface.
Our data shows that, on average, more than half of installed 3rd party apps haven’t been used for more than six months but still have access to sensitive business data. We also find that security and IT teams often are unaware of connected apps. About half of the third-party connections in our data set were installed by individual end users rather than by security or IT teams.
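The two checks described here and in the configuration-drift passage above, as an added illustration that is not AppOmni's code: a baseline of intended settings compared against a live snapshot, and an inventory scan for third-party apps idle for six months that still hold access. Setting names, inventory fields and all values are constructed placeholders, not any vendor's real export format.

```python
from datetime import date, timedelta

# Constructed baseline: the settings the business intends (hypothetical key names).
BASELINE = {
    "guest_user_default_profile": "read_only",
    "anonymous_site_access": False,
    "api_access_for_external_users": False,
    "session_timeout_minutes": 30,
}

# Constructed snapshot of a live tenant's settings, as a configuration export might look.
LIVE_SETTINGS = {
    "guest_user_default_profile": "standard_user",  # drifted: broader than intended
    "anonymous_site_access": True,                   # drifted: reachable without login
    "api_access_for_external_users": False,
    "session_timeout_minutes": 30,
}

# Constructed inventory of connected third-party apps (hypothetical fields).
CONNECTED_APPS = [
    {"name": "e-sign-tool", "last_used": date(2021, 3, 1), "installed_by": "it-admin",
     "scopes": ["read_contacts", "write_documents"]},
    {"name": "lead-scorer", "last_used": date(2020, 6, 15), "installed_by": "sales-rep",
     "scopes": ["read_all_records"]},
    {"name": "expense-sync", "last_used": date(2020, 9, 1), "installed_by": "it-admin",
     "scopes": []},
]

def find_drift(baseline, live):
    """Return {setting: (intended, actual)} for every setting that no longer matches intent."""
    return {k: (v, live.get(k)) for k, v in baseline.items() if live.get(k) != v}

def find_stale_apps(apps, today, max_idle_days=183, owners=("it-admin",)):
    """Flag apps unused longer than max_idle_days that still hold scopes, and record
    whether an end user rather than an IT/security owner installed them."""
    cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for app in apps:
        if app["last_used"] < cutoff and app["scopes"]:
            findings.append({"name": app["name"], "idle_days": (today - app["last_used"]).days,
                             "scopes": app["scopes"],
                             "user_installed": app["installed_by"] not in owners})
    return findings

if __name__ == "__main__":
    today = date(2021, 4, 1)  # constructed "now" so the sample data is reproducible
    for setting, (want, got) in find_drift(BASELINE, LIVE_SETTINGS).items():
        print(f"DRIFT {setting}: intended={want!r} actual={got!r}")
    for f in find_stale_apps(CONNECTED_APPS, today):
        print(f"STALE {f['name']}: idle {f['idle_days']}d scopes={f['scopes']} user_installed={f['user_installed']}")
```

Run on a schedule against a fresh export, the drift check catches settings that changed after implementation, while the idle-app check surfaces the "installed once, never revisited" connections the passage describes.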
Even though SaaS is now a major part of the typical IT stack, many organizations haven’t defined clear ownership when it comes to SaaS security. In fact, it’s often a game of “not it” between IT and security teams since SaaS hasn’t traditionally been part of either team’s scope. When no one is officially responsible for securing SaaS data, it simply doesn’t get done. And that makes a big risk even bigger.
So... what now? It’s clear there are a multitude of challenges when it comes to SaaS security, but businesses shouldn’t feel overwhelmed. It’s not difficult to implement a good SaaS security program. Here’s what we suggest for getting started, or for auditing and improving your current processes.
The first step to develop a successful security program is to understand your responsibility when it comes to securing your data. Many people still mistakenly believe all aspects of SaaS security are the responsibility of the SaaS vendor. But like nearly all types of technology, SaaS has a shared responsibility model between the vendor and the client. SaaS vendors like Salesforce and Microsoft have the responsibility to offer secure products and services. They generally do this well, as they invest heavily in security and employ some of the best teams in the world. But the responsibility of configuring, managing, and using the product responsibly on a day-to-day basis ultimately lies with the customer.
We’re increasingly seeing the title of “Head of SaaS Security” across some of the larger businesses we work with. But for most businesses, the job of managing and securing SaaS data still lies, officially or unofficially, with the security or IT teams. The ownership, scope, processes, budget, and goals for SaaS security need to be clearly defined within each organization.
The number and complexity of SaaS applications used by businesses and enterprises will only continue to increase. It’s simply not feasible for security teams to manually maintain constantly changing security settings and configurations across dozens or hundreds of SaaS platforms.
Companies need to invest in automated tools to ensure their security settings match their business intent and to continuously monitor security controls to prevent configuration drift.
Today’s SaaS platforms are powerful, complex, and dynamic. To maintain a secure SaaS environment, businesses need tools and processes that enable them to:
SaaS platforms offer unprecedented flexibility and functionality. But as sensitive data moves to the cloud, businesses must take the necessary steps to ensure that it remains secure. Whether you’re just beginning your SaaS security program or need to modernize your processes to support your current IT stack, there’s no better time to start than now.
Brendan O'Connor is the CEO and co-founder of AppOmni. Prior to AppOmni, Brendan served as CSO at Salesforce and Security CTO at ServiceNow. He is a 20-year veteran of the security industry and is passionate about securing the SaaS technologies that power modern business. Brendan's past experience includes roles as a vulnerability researcher, security engineer, and privacy advocate. He has also worked in the Financial Services and Communications sectors. For more information about AppOmni or to request a free Risk Assessment for your organization, please visit appomni.com.