Unleashing the Power of SaaS Security

Securing employees' Software-as-a-Service (SaaS) usage is becoming increasingly crucial for most cloud-based organizations. While numerous tools are available to address this need, they often employ different approaches and technologies, leading to unnecessary confusion and complexity.

What's essential SaaS security?

According to Wing Security, three fundamental capabilities are necessary for organizations aiming to secure their SaaS: discovery, assessment, and control. These align with regulatory security standards such as ISO 27001 and SOC, which emphasize vendor and third-party risk assessment programs, as well as controlling user access to critical business tools.

1. Discover: You can't secure what you can't see

Shadow IT is not a novel issue but rather an evolving one. With the continuous increase in SaaS usage and the ability for users to bypass security policies like MFA and SSO when onboarding SaaS applications, the new face of shadow IT is SaaS-based. The process is simple: employees need to complete a business task and often require a tool to facilitate it. They search for a solution online, using company credentials to log in, particularly when most services don't require credit card information to get started. SaaS, being the modern supply chain, clearly requires a security solution due to its decentralized and ungoverned nature.

2. Assess risk: Not all risks are equal, save valuable time

Once the shadow element is resolved, organizations are left with an extensive list of applications, often numbering in the thousands. This begs the question: what now? Without an automated method for evaluating the risks associated with all the SaaS applications linked to the organization, uncovering shadow SaaS can be more confusing and burdensome than helpful. This highlights the importance of assessing the security status of these applications and determining a threshold that requires attention. SaaS discovery must go hand in hand with some degree of vendor or third-party risk assessment.

3. Control: Ensure users only have necessary access

Discovering all SaaS in use (and not in use) and understanding their risks is only half the battle; the other half involves SaaS users. They grant applications access and permissions to company data, making choices regarding read/write permissions for the numerous applications they use. On average, each employee uses 28 SaaS applications at any given time, which translates to hundreds, if not thousands, of SaaS applications with access to company data.

Conducting periodic user access reviews across essential business applications is not just a regulatory requirement but also highly recommended for maintaining a secure posture. Controlling who has access to which application can prevent sensitive data from falling into the wrong hands and significantly reduce the potential attack surface, as employees are often the first targets for malicious actors. A long list of users and their permissions and roles across various applications can be overwhelming, but it is necessary to ensure that except approved admins, all users have only basic access to SaaS applications.

In summary - These three capabilities are essential for starting a proper SaaS security program, but they don't guarantee full coverage or control. Mature security organizations will require more. That said, these are an important starting point for those organizations who don't yet have SaaS security in place or are contemplating which tools and approaches to get started with.