Many security practitioners take their eyes off cloud and software-as-a-service (SaaS) security based on the flawed assumption that providers are inherently secure. Although there are many providers, the cloud can be so flexible and customizable that each organization can open different doors – which they are responsible for closing. Traditional security tools often overlook this.
Some 89% of organizations have a multicloud strategy, with 48% using multiple public and private clouds. By the end of 2021, it is estimated that 99% of organizations will use one or more SaaS solutions. Now that there are so many resources in the cloud, securing each one is a complex responsibility.
Security risks continue to plague organizations. According to Varonis’ “2021 SaaS Risk Report,” 44% of cloud user privileges are misconfigured and 43% of all cloud identities are unused and exposed to threats. By claiming your cloud footprint, adopting new security controls and emphasizing SaaS security management, you can be confident enough in your security to achieve cloud nirvana – security so automated, intuitive and frictionless you don’t even have to think about it. There are three steps to get there.
Understand your cloud footprint
You should take a strategic view of cloud security. The first step is to carry out an inventory to find out which SaaS services are in use. Which business sectors depend on which SaaS services? Which SaaS services are common across the enterprise?
Then create a focused inventory of where your most sensitive data resides. What information are your apps sharing or exchanging with other apps? Next question: Which users, resources, and applications have access to your data? Only once you understand your cloud footprint, the data in the cloud and the resources accessing it can you work to secure it.
Make no mistake: Auditing cloud and SaaS sprawl is difficult. According to a recent report by Productiv, the average SaaS portfolio size is 254 apps but only 45% of those apps are used regularly. Diving deeper and reflecting on the business objectives of those applications can identify some ways to reduce your organization’s overall risk (and your SaaS spend). Auditing your cloud footprint is important so you have a clear picture of your risk and so you can ensure you are meeting compliance, regulatory and customer obligations.
Before you start chipping away at SaaS security barriers, you need to make sure you have all your bases covered. Does your security coverage include management of third-party applications and data? What about any necessary compliance or regulatory policies to check for misconfigurations and anomalies? Although most companies stop there, it’s important to have deep security coverage for your business-critical SaaS applications, including threat detection and continuous monitoring.
Protect your cloud footprint
Once you understand your cloud footprint and where the most sensitive data resides, you must assess whether your data is protected. Are appropriate security controls in place to ensure all applicable layers of encryption and obfuscation are applied? Can only the right people access sensitive data? Are configurations being regularly scanned to detect misconfigurations and, more importantly, are those misconfigurations being corrected in a timely manner?
You need to define security controls to protect data and configurations. Once you’ve defined security controls, you’ll need to repeat the process for the multitude of SaaS vendors you’re working with across your ecosystem.
In addition to Microsoft 365, say, you probably have a combination of Workday, Salesforce, ServiceNow, Atlassian, and dozens of other applications running your business. Interestingly, the Productiv report shows an inverse relationship between an organization’s size and its application engagement. Small organizations, according to the report, engage with 49% of apps, while enterprises use only 39%.
The fragmentation of the SaaS market means that you not only have multiple vendors to consider, but they all operate based on different standards and with different levels of security. Unfortunately, there is no common framework for SaaS security.
The Center for Internet Security (CIS) has developed critical controls for the cloud that, while not yet widely adopted, provide consistency across the entire enterprise. For now, you need visibility into the security of each SaaS application.
Cloud Nirvana: Eliminate the need to think about security
Getting closer to cloud nirvana means finding efficiencies as the cloud continues to scale. SaaS leads the expansion of cloud adoption, with end-user spending expected to top $176 billion this year, according to Gartner, and increase nearly 18% next year.
Adhering to an industry-standard framework like the CIS Controls gives you a clear picture of your SaaS security, but you can do more. By adopting a DevSecOps structure, you involve security teams early in the development lifecycle so there are no surprises or delays down the road.
Reaching true cloud nirvana often comes through SaaS security management that monitors, detects and protects against threats. It includes automated security for instant visibility, 24/7 monitoring, and alerts for common SaaS security risks such as misconfigured data access, overly broad permissions to user accounts, and exposed data.
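One way the configuration scanning and alerting described above could look in practice, as an added example that is not from the original article or from any vendor's tooling: a posture check that runs over a constructed SaaS identity and sharing inventory and flags the three risk classes named here (unused identities, overly broad permissions, exposed data). The privileged-role set, the 90-day inactivity threshold, the sample date and all records are assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real tenant data): one record per SaaS
# identity and one per shared item, as an inventory export might produce.
IDENTITIES = [
    {"app": "Salesforce", "user": "ana@example.com", "roles": ["sales"], "last_login": date(2021, 9, 1)},
    {"app": "Salesforce", "user": "svc-legacy@example.com", "roles": ["admin"], "last_login": date(2021, 1, 15)},
    {"app": "Workday", "user": "bob@example.com", "roles": ["admin", "hr"], "last_login": date(2021, 9, 20)},
    {"app": "Atlassian", "user": "contractor@example.net", "roles": ["viewer"], "last_login": None},
]
SHARED_ITEMS = [
    {"app": "Microsoft 365", "item": "Q3-payroll.xlsx", "sharing": "anyone_with_link", "sensitive": True},
    {"app": "Microsoft 365", "item": "lunch-menu.docx", "sharing": "anyone_with_link", "sensitive": False},
    {"app": "Atlassian", "item": "Incident-runbook", "sharing": "internal", "sensitive": True},
]

TODAY = date(2021, 10, 1)     # constructed "now" so the run is reproducible
PRIVILEGED_ROLES = {"admin"}  # assumption: roles considered overly broad by default
UNUSED_AFTER_DAYS = 90        # assumption: inactivity threshold for an identity

def unused_identities(identities, today):
    """Identities that never logged in or have been idle past the threshold."""
    cutoff = today - timedelta(days=UNUSED_AFTER_DAYS)
    return [i for i in identities if i["last_login"] is None or i["last_login"] < cutoff]

def overly_broad(identities):
    """Identities holding a privileged role; each such grant needs a justification."""
    return [i for i in identities if PRIVILEGED_ROLES & set(i["roles"])]

def exposed_sensitive(items):
    """Sensitive items shared beyond the organization."""
    return [s for s in items if s["sensitive"] and s["sharing"] != "internal"]

def posture_findings(identities, items, today):
    """One (app, finding type, subject) tuple per issue, sorted so each app owner gets a block."""
    findings = []
    for i in unused_identities(identities, today):
        findings.append((i["app"], "unused-identity", i["user"]))
    for i in overly_broad(identities):
        findings.append((i["app"], "broad-permission", i["user"]))
    for s in exposed_sensitive(items):
        findings.append((s["app"], "exposed-data", s["item"]))
    return sorted(findings)

if __name__ == "__main__":
    for app, kind, subject in posture_findings(IDENTITIES, SHARED_ITEMS, TODAY):
        print(f"{app:12} {kind:17} {subject}")
```

An identity that shows up under both unused-identity and broad-permission (a dormant admin account) is the first one to remediate, since the check only reports; closing the finding still takes an owner in that SaaS application.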