SaaS Security: A New Challenge for Modern Security Management
June 29, 2021
Try bringing up the topic of “SaaS Security” with anyone on a security team at a large organization. Either you’ll hear, “Yeah, it’s great that security is handled for us by [name large SaaS platform here],” or you’ll hear a big sigh followed by “Yeah, I have to sort this situation out soon…” In either case, the lack of awareness that SaaS customers have of their security obligations, and/or their procrastination in addressing these responsibilities, should be a cause for concern. In 55% of the SaaS vulnerability assessments my company performs, we identify data leaking to the anonymous internet from SaaS environments. 95% of our SaaS vulnerability assessments reveal accounts with overprovisioned external SaaS users. Additionally, in each SaaS environment, we identify an average of 42 connected third-party applications. 22 of those 42 typically have access to sensitive data but haven’t been used in over six months.
In any other security context, we would declare the overprovisioning of a guest user who has access to sensitive data to be a high-risk issue worthy of correcting immediately. We would attest that a third-party integration connected without a purpose, yet accessing critical business data, needs to be deprovisioned. And we would immediately lock down any issue that leaks our data to the anonymous internet, potentially even pulling in our IR or legal team to assess the feasibility of a response. In no other security domain would any of these outcomes be remotely acceptable to a security team. And yet when it comes to SaaS, all of these situations are commonplace. Why is this happening right underneath our collective feet?
For one, enterprise executives were told early on by some of this generation’s best salespeople that SaaS platforms were the answer to the constant security concerns that accompany on-premises applications.
In reality, this is partially true. SaaS applications are provided with security built into the provider’s architecture, are hardened by some of the best security professionals in the industry, and go through rigorous testing. However, there are parts of the SaaS ownership model being wholly mismanaged, and that mismanagement is happening in the configurations that we as end users are responsible for. In fact, Gartner states that through 2025, 99% of cloud security incidents will be due to issues that are the customer’s fault. We’ve seen over the last few years that cloud misconfigurations are detrimental to our security posture, and we’re all working hard to address those issues. We must do the same for SaaS applications or watch our progress in cloud security be diminished as we leak the same data we hustled to protect for the last half-decade.
There remains a fear of turning over the SaaS security stone, as it could expose outcomes that will necessitate more work, more budget, and more anxiety. But ask any company that has suffered a cloud data leak, and they’ll tell you that it’s better, and cheaper, to be proactive than to react to bad news urgently, ruining your employees’ roadmaps and begging for budget to solve a highly predictable problem looming on the horizon. Modern security teams know that the time to act is before an incident has occurred.