Increasingly sophisticated adversaries pose a significant challenge as organizations rely more heavily on Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) to deliver applications and services. This mesh of cloud-based applications and services creates new complexities for security teams.
But attackers need only one success, while defenders need to succeed 100% of the time. Organizations are contending with an exponential rise in advanced threats that are increasing not only in volume but also in sophistication. The IBM Cost of Data Breach Report 2022 found that the global average cost of a data breach is $4.35 million, up 13% in the last two years.
Today, organizations are increasingly concerned about securing their digital transformation. While most enterprises now actively secure their IaaS and PaaS estates, few are proactively securing their sprawling SaaS landscape. This is despite the reality that while organizations tend to consume two to three IaaS providers, they often consume tens to hundreds of SaaS offerings.
In addition, the complex nature of SaaS platforms introduces new security risks. Organizations must protect sensitive data and systems against unauthorized access, loss and compromise. They also must establish strong data governance and monitor for misconfiguration and anomalies.
The complex nature of SaaS platforms introduces new security risks (Source: AppOmni)
As organizations rapidly adopt SaaS-based applications and solutions, they must also update several areas of traditional organizational cybersecurity to reflect the shared responsibility operating model.
Understanding the shared responsibility model
In a traditional data center model, you may be responsible for security across your entire operating environment. But in a cloud environment, the cloud provider takes on some of those responsibilities for cloud platform operations, including security. The consumer still has responsibilities to secure aspects of their cloud services. It is essential to understand which security responsibilities belong to the SaaS provider and which belong to the cloud customer.
The shared responsibility model across on-premises, IaaS and SaaS applications (Source: AppOmni)
In general, SaaS providers place the following responsibilities on customers:
- Compliance and data governance: Implement applicable compliance, privacy and regulatory framework controls, including meeting requirements on data transfers and residency.
- Identity and access management: Enforce the principle of least privilege by ensuring user access isn’t over-provisioned and by deleting users who no longer work for the organization.
- Application controls: Understand which system-, role- and user-level security settings are relevant. There are hundreds of these controls per SaaS application, adding to the complexity.
Reassessing and redefining your existing security controls
The complex nature of SaaS platforms introduces new security risks, which include:
- Publicly exposed SaaS data
- External users with over-privileged access
- Third-party apps connected to the platform
- Data with limited or no restrictions
- Over-provisioned administrator users/roles
- Failure to follow security configuration best practices
While re-evaluating security controls, consider these key areas within your responsibility:
- Do you have security and compliance policies, and have you applied them to your SaaS applications?
- Who has access and who should have access to the sensitive data objects in a SaaS application?
- What data sets are considered sensitive, and what is the exposure risk?
- What do normal transaction patterns look like in each application between the user and your sensitive data, and when should enterprise security be aware of deviations?
How mature is your SaaS security strategy?
Despite the massive threat, many organizations currently use a fragmented approach to SaaS application security. To set your business apart, you should move away from an ad-hoc reactive strategy and embrace solutions to improve your security posture with centralized and consistent security management of mission-critical SaaS applications.
These solutions should address:
- Data loss or theft: SaaS environments contain a lot of sensitive data, such as customer and employee information. If this data is lost or stolen, it could significantly impact the organization.
- Unauthorized access: SaaS environments are often accessed by many employees, contractors, partners and customers. If unauthorized users gain access to the environment, they could cause significant damage or steal sensitive data.
- Malware and ransomware: Breached SaaS environments can serve as an attack vector for spreading malware, causing damage to the organization’s IT infrastructure. Ransomware attacks encrypt corporate data and systems and demand a ransom payment to decrypt them.
- Privilege escalation: Privilege escalation is a type of attack that allows an attacker to gain access to higher levels of privilege than they should have. This can give them access to sensitive data or allow them to make changes to the environment that could cause damage.
- Insider threats: Insider threats are threats posed by employees or contractors who have legitimate access to the environment. These threats can be accidental or malicious and can cause a lot of damage.
Don’t wait to mitigate risk
Organizations must adopt a comprehensive approach to SaaS security as part of their overall cloud security strategy, accounting for known and unknown risks brought on by SaaS apps and SaaS-to-SaaS connections. There are several things that organizations can do to mitigate these risks, such as gaining visibility into the SaaS estate at scale, preventing data exposure and critical misconfigurations, implementing continuous threat and user activity monitoring, conducting regular end-user privilege access and permissions audits (including for third-party vendors and applications) and enforcing strong IAM and password management policies. In addition, organizations can educate employees about security risks and create enterprise-wide awareness. Finally, having plans in place for responding to incidents, including plans for data breach recovery, dealing with ransomware and responding to insider threats, gives everyone a job to do if and when an incident occurs.
IBM can be your trusted partner. Using IBM Cloud (SaaS) Security Posture Management Services, organizations can develop a comprehensive approach to identify and mitigate security and regulatory risks, gain centralized visibility and manage misconfigurations and anomalies to reduce the attack surface of their sprawling current and future SaaS applications.
AppOmni enables clients to easily secure critical SaaS applications through security tooling for configuration management, threat detection and activity monitoring, data exposure prevention, third-party app visibility and more. AppOmni’s technology and developer platform make it easy for security and IT teams to protect and monitor their entire SaaS environment across all standard and custom SaaS applications.
IBM Security professional services and AppOmni work closely together to deliver SaaS security solutions to enterprises worldwide. To learn more about this service offering and our partnership with AppOmni, schedule a consultation today.
Offering Manager, IBM Security
Cloud Security Solutions Architect, IBM Inventor, Member of the Academy of Technology