Many security practitioners approach cloud and software-as-a-service (SaaS) security on the mistaken assumption that providers are inherently secure. Most providers are, but the cloud is so flexible and customizable that each organization can open different doors, and those doors are the customer's responsibility to close. Traditional security tools usually overlook them.
Some 89% of organizations have a multicloud approach, with 48% using multiple public and private clouds. By the end of 2021, an estimated 99% of organizations will use one or more SaaS solutions. With so many resources now in the cloud, it’s a complex responsibility to secure each one.
Security risks continue to plague organizations. According to Varonis’ “2021 SaaS Risk Report”, 44% of cloud user privileges are misconfigured and 43% of all cloud identities are unused and exposed to threats. By right-sizing your cloud footprint, leveraging new security controls, and focusing on SaaS security management, you can gain enough confidence in your security to achieve cloud nirvana: security that is so automated, intuitive, and frictionless that you don’t even have to think about it. There are three stages to get there.
Understand Your Cloud Footprint
You must take a strategic view of cloud security. The first step is to perform an inventory to find what SaaS services are being used. Which business areas depend on which SaaS services? Which SaaS services are common across the enterprise?
Then create an inventory focused on where your most sensitive data is. What information leaves your applications or is exchanged with other applications? The next question is: Which users, resources, and applications have access to your data? Once you understand your cloud footprint, the data in the cloud, and the resources accessing it, you can secure it.
Make no mistake: auditing cloud and SaaS sprawl is difficult. According to a recent Productiv report, the average SaaS portfolio size is 254 applications but only 45% of those apps are used regularly. A deep dive and reflection on the business goals of those apps can identify several ways to reduce your organization’s overall risk (and your SaaS spend). Auditing your cloud footprint is essential so you have a clear picture of your risk, and to ensure you’re meeting compliance, regulatory, and customer obligations.
Before you start removing SaaS security inhibitors, you need to make sure you cover all your bases. Does your security coverage include managing third-party applications and data? What about any required compliance or regulatory policies for checking misconfigurations and anomalies? While most companies stop there, it’s important to have deep security coverage for your business-critical SaaS applications, including threat detection and continuous monitoring.
Protect Your Cloud Footprint
Once you understand your cloud footprint, and where the most sensitive data is, you need to evaluate whether your data is protected. Are security controls in place to ensure all required layers of encryption and masking? Can only the appropriate people access sensitive data? Are configurations regularly scanned to detect misconfigurations and, more importantly, are misconfigurations fixed in a timely manner?
You need to define security controls to protect data and configurations. Once you’ve identified security controls, you need to replicate the process for the many SaaS vendors you work with across your ecosystem.
In addition to, say, Microsoft 365, you probably also have some combination of Workday, Salesforce, ServiceNow, Atlassian, and potentially dozens of other applications that keep your business running. Interestingly, the Productiv report shows an inverse relationship between the size of an organization and its application engagement. Smaller organizations, according to the report, interact with 49% of apps while enterprises use only 39%.
The fragmentation of the SaaS market means that not only do you have many vendors to consider, but they all operate based on different standards and have different levels of security. Unfortunately, there is no standard framework for SaaS security.
The Center for Internet Security (CIS) has developed critical controls for the cloud, but they haven’t been adopted enough to provide industry-wide consistency. Today, you need visibility into the security of every SaaS application.
Cloud Nirvana: Eliminate Having to Think About Security
Approaching cloud nirvana means finding efficiency as the cloud continues to grow. SaaS is leading the way in expanding cloud adoption, with end-user spending expected to reach more than $176 billion this year, according to Gartner, and increase nearly 18% next year.
Following industry standard frameworks like CIS controls will paint a clearer picture of your SaaS security, but there’s more you can do. By adopting a DevSecOps structure, you include security teams at the beginning of the development lifecycle so there are no surprises or delays in the future.
However, reaching true cloud nirvana often comes through managed SaaS security that can monitor, detect, and protect against threats. This includes security automation for instant visibility, 24/7 monitoring, and alerts for common SaaS security risks such as misconfigured data access, overly broad permissions on user accounts, and exposed data.
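The access inventory questions above (which users have access to sensitive data?) and the alert categories just listed (unused identities, overly broad permissions, exposed data) can be checked from one per-application grant list. The following is an added example, not code from the article or from any vendor named in it; the inventory rows, the 90-day "unused" threshold and the set of roles treated as overly broad are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory: one row per (application, identity) grant.
INVENTORY = [
    {"app": "Salesforce", "user": "alice", "role": "admin", "sensitive": True,
     "last_login": "2021-11-28", "public_share": False},
    {"app": "Salesforce", "user": "bob", "role": "viewer", "sensitive": True,
     "last_login": "2021-06-15", "public_share": False},
    {"app": "Workday", "user": "carol", "role": "owner", "sensitive": True,
     "last_login": None, "public_share": False},
    {"app": "Atlassian", "user": "svc-ci", "role": "editor", "sensitive": False,
     "last_login": "2021-11-30", "public_share": True},
    {"app": "Microsoft 365", "user": "dave", "role": "editor", "sensitive": True,
     "last_login": "2021-11-20", "public_share": True},
]

STALE_DAYS = 90                   # assumed threshold for an "unused" identity
BROAD_ROLES = {"admin", "owner"}  # assumed set of overly broad roles

def sensitive_access(inventory):
    """Answer 'which users have access to sensitive data?' per application."""
    access = {}
    for g in inventory:
        if g["sensitive"]:
            access.setdefault(g["app"], []).append(g["user"])
    return {app: sorted(users) for app, users in access.items()}

def audit(inventory, as_of, stale_days=STALE_DAYS):
    """Return (finding_type, app, user) tuples for the three risk classes."""
    today = date.fromisoformat(as_of)
    findings = []
    for g in inventory:
        last = date.fromisoformat(g["last_login"]) if g["last_login"] else None
        # Identity never used, or idle longer than the threshold
        if last is None or (today - last).days > stale_days:
            findings.append(("unused_identity", g["app"], g["user"]))
        # Broad role on an application that holds sensitive data
        if g["sensitive"] and g["role"] in BROAD_ROLES:
            findings.append(("broad_permission", g["app"], g["user"]))
        # Sensitive data shared publicly; non-sensitive public shares are not flagged
        if g["sensitive"] and g["public_share"]:
            findings.append(("exposed_data", g["app"], g["user"]))
    return findings

def summarize(findings):
    """Count findings by type, the numbers an alert or dashboard would show."""
    counts = {}
    for kind, _app, _user in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

Run `audit(INVENTORY, "2021-12-01")` to list the findings for the sample data and `summarize(...)` to get counts per risk class; feeding real rows from each vendor's admin or audit export replaces the constructed list.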