Today, organizations rely on SaaS platforms for just about everything.
Think about it for a moment: most organizations have anywhere from 35 to literally hundreds of SaaS applications running. Slack, Office 365, Zoom, Zendesk, Salesforce, Hubspot, Jira, you name it. These applications are at the core of basically all modern enterprises, to the point where trying to run your business without them would be nearly impossible. SaaS applications are easy to use and they are super-scalable. Moreover, they enable valuable cost and time-saving benefits, allowing organizations to grow and simultaneously conserve resources. And now, they even come with an impressive array of native security controls to secure sensitive corporate data.
Solving the SaaS Security Management Problem
But despite the huge benefits, using SaaS platforms can come with some risks. While it’s true that platform developers have definitely put a whole lot of effort into solidifying their own security posture, organizations using these platforms still experience security breaches. These breaches are generally not due to security shortcomings in the platforms themselves, but rather they are due to a company’s misconfiguration of these SaaS applications. With so many settings, controls, and policies to manage and track, things fall through the cracks in SaaS platforms ALL THE TIME. And the results are often major security holes which can put organizations at risk.
So why are misconfigurations such a glaring problem in SaaS applications?
Ensuring SaaS applications are continuously configured properly is a pretty tedious undertaking and in order to get all configurations “set” properly, you need to know what you’re doing across countless different apps. All business-critical SaaS platforms have dozens of different security and user-related settings. Do the math and you’ll quickly see that trying to maintain them on your own is basically impossible. Moreover, when you consider that applications like Salesforce have security guides which are hundreds of pages long and are constantly being updated, it’s clear that trying to prevent misconfigurations on your own is a losing proposition.
A recent example of this: a global enterprise had a misconfiguration in a leading business software platform that enabled anonymous access to anyone, exposing full employee lists, emails, schedules, dashboards–leaving them wide open to potential threats. This is just one example, but there are tons of similar ones wherein simple oversights led to major repercussions.
Trying to Fix SaaS Misconfigurations
Organizations have tried to address the issue of SaaS misconfigurations with varying degrees of success over the years using different tools. For example, Cloud Access Security Brokers (CASBs) address security issues in SaaS applications. But they are reactive, primarily focusing on the detection of breaches once they have occurred, which doesn’t help proactively prevent misconfigurations in the first place. And Cloud Security Posture Management tools (CSPM) are similar in theory but only address IaaS and PaaS security use cases.
The other “approach” some organizations take is that of doing nothing at all. As you probably guessed, that’s not a great strategy to emulate either.
Automation Means Optimal SaaS Security
It’s pretty clear that properly configuring the hundreds of potential settings in each platform cannot be done in a manual fashion. Organizations need to take an automated approach to managing SaaS application configurations to prevent misconfigurations. Without an automatic approach to maintaining security settings and controls, organizations don’t stand a realistic chance of getting total control of their SaaS applications. Trying to maintain consistent policies across all applications, understand which applications require which security features, and account for each one’s specific methods is all just too complicated and time consuming–and leaves room for mistakes.
The emerging category of tools called SaaS Security Posture Management (SSPM) addresses this need. According to Gartner, these are “tools that continuously assess the security risk and manage the security posture of SaaS applications. Core capabilities include reporting the configuration of native SaaS security settings and offering suggestions for improved configuration to reduce risk.” SSPM tools examine posture in a customized and automated manner, tailored to the specific circumstances of the application. If you want to prevent misconfigurations in your SaaS applications, check out this group of solutions.
Final Thoughts
Gartner says that by 2025, nearly 99% of security failures in the cloud will be human-driven. The complexity of SaaS environments only serves to make circumstances more complicated. Now is the time to take corrective actions and ensure SaaS misconfigurations aren’t putting your organization at risk.