SaaS has become the default way many enterprises consume business applications. Data from Productiv, which makes software to help businesses manage their application spend, showed that the average company used 342 SaaS applications in 2023.
Beyond sheer volume, the ways in which organizations use SaaS products complicate efforts to protect sensitive data and guard against breaches. Organizations make choices based on their specific industry, requirements, goals, regulatory mandates and so on, which means there is no one-size-fits-all SaaS security checklist.
That said, certain best practices and strategies for SaaS security can be applied to most situations. Some best practices to consider include the following.
1. Discover and inventory applications
One of the things that makes SaaS so compelling is how easy it can be to implement. This ease is both a blessing and a curse. New users can easily start using a tool, creating situations where an application’s usage can go from a handful of users to significant usage virtually overnight.
These adoption dynamics complicate SaaS management. A survey of IT professionals for BetterCloud's "2023 State of SaaSOps" report found that up to 65% of SaaS application usage is unapproved, a strong indication that shadow IT is alive and well.
To discover which SaaS applications are in use, a business can combine automated and manual methods. Automated sources include web proxy and DNS logs, identity provider sign-in and OAuth consent logs, and procurement or expense records; manual sources include interviews and questionnaires. It is also wise to have strategies in place for how to collect and validate usage data, and to piggyback on data collection you already do. Business impact analysis (gathering information about application usage and relative priorities for business continuity purposes) and evidence collection for audit response are both good opportunities to gather intelligence about SaaS applications in the environment. As you collect information, add it to a running inventory or runbook of business use of these SaaS tools, recording who uses each application, for what purpose, what data it holds and whether it has been reviewed.
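The automated side of discovery can be as simple as matching observed hostnames against a catalog of known SaaS vendors and counting who uses what. The following is an added example, not code from the article or from any vendor: it parses a constructed web-proxy log format, maps hostnames to a hypothetical app catalog by walking parent domains (so files.dropbox.com and dropbox.com land on the same entry), and reports apps that are in real use but never approved. The log format, catalog and sanctioned list are all assumptions for illustration.

```python
"""SaaS discovery from proxy logs. Added example; the log format, the app
catalog and the sanctioned list below are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Hypothetical catalog: registrable domain -> SaaS product name.
# A real deployment would pull this from a CASB or vendor feed.
APP_CATALOG = {
    "slack.com": "Slack",
    "salesforce.com": "Salesforce",
    "dropbox.com": "Dropbox",
    "notion.so": "Notion",
    "zoom.us": "Zoom",
}
# Apps the security team has reviewed and approved (hypothetical).
SANCTIONED = {"Slack", "Salesforce", "Zoom"}

# Constructed proxy log line format: "<iso-timestamp> user=<id> host=<fqdn> bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class AppUsage:
    name: str
    sanctioned: bool
    users: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""
    bytes: int = 0


def match_catalog(host):
    """Map a hostname to a catalog entry by checking each parent domain,
    so acme.my.salesforce.com resolves to Salesforce. Returns None if unknown."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in APP_CATALOG:
            return APP_CATALOG[candidate]
    return None


def build_inventory(lines):
    """Aggregate per-app users, volume and first/last seen from log lines.
    Malformed lines and hosts outside the catalog are skipped, not fatal."""
    inventory = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        app = match_catalog(m["host"])
        if app is None:
            continue  # unknown host; a real pipeline would queue it for review
        rec = inventory.setdefault(app, AppUsage(app, app in SANCTIONED))
        rec.users.add(m["user"])
        rec.bytes += int(m["bytes"])
        ts = m["ts"]  # ISO-8601 UTC, so string comparison orders correctly
        if not rec.first_seen or ts < rec.first_seen:
            rec.first_seen = ts
        if ts > rec.last_seen:
            rec.last_seen = ts
    return inventory


def unsanctioned_report(inventory, min_users=2):
    """Apps with at least min_users distinct users that were never approved,
    as (name, user_count) tuples sorted by name."""
    return sorted(
        (a.name, len(a.users))
        for a in inventory.values()
        if not a.sanctioned and len(a.users) >= min_users
    )


# Constructed sample log, including one malformed line and one internal host.
SAMPLE_LOG = [
    "2024-05-01T08:02:11Z user=alice host=app.slack.com bytes=5120",
    "2024-05-01T08:03:40Z user=bob host=files.dropbox.com bytes=1048576",
    "2024-05-01T08:05:02Z user=carol host=www.dropbox.com bytes=20480",
    "2024-05-01T09:10:00Z user=alice host=acme.my.salesforce.com bytes=8192",
    "2024-05-01T09:12:33Z user=dave host=www.notion.so bytes=4096",
    "2024-05-02T10:00:00Z user=erin host=dropbox.com bytes=512",
    "this line is garbage",
    "2024-05-02T11:00:00Z user=bob host=example.internal bytes=100",
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for app in sorted(inv.values(), key=lambda a: a.name):
        flag = "sanctioned" if app.sanctioned else "UNSANCTIONED"
        print(f"{app.name:<12} {flag:<13} users={len(app.users)} bytes={app.bytes} "
              f"first={app.first_seen} last={app.last_seen}")
    print("review queue:", unsanctioned_report(inv))
```

The min_users threshold separates one person trying a tool from a team that has quietly adopted it; the latter is what the BetterCloud figure above is really about, and it is where a review conversation with the business owner pays off.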
2. Implement single sign-on
Finding and recording information about usage is helpful, but you also need strategies that themselves enforce the safe outcomes you want. One particularly illustrative example of this is single sign-on (SSO).
From a user point of view, one of the biggest problems with SaaS can be the distribution of identities across the various business applications used. A user can have dozens of username-password combinations; it’s inconvenient for them, and it also creates management challenges and security risks, such as users sharing passwords across services or employees writing down their passwords.
Many SaaS providers offer the option to integrate with an external identity provider, such as Microsoft Entra ID or an on-premises Active Directory exposed through a federation service like AD FS. This is typically supported by federation protocols including Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). While these features are valuable on their own, they also aid in discovery. Not having to remember another username-password combination is directly beneficial to end users, so much so that users themselves will often ask for SSO where it is not yet in place.
This push for SSO from the user community is a good thing because each request identifies SaaS usage that the security team might otherwise not know about. Federation also extends the authentication controls of the central identity provider, such as MFA, password policy and conditional access rules, to the SaaS realm, and it lets deprovisioning in the directory cut off SaaS access at the same time.
3. Enable multi-factor authentication
One of the main ways to enable MFA is by federating the user's identity to the existing, internally used identity provider and enforcing MFA there. However, this is not the only way. Some SaaS applications do not support SSO via SAML or OIDC but nevertheless offer MFA natively through one or more mechanisms, such as a time-based one-time password (TOTP) app, a FIDO2 security key or an SMS text message. Where MFA is supported, enable it and enforce it across the user base rather than leaving it opt-in; prefer phishing-resistant methods such as FIDO2 or TOTP over SMS, which is vulnerable to SIM swapping, and check that the application actually exposes a tenant-wide "require MFA" setting rather than only a per-user toggle.
4. Vet vendors and maintain oversight
Just as you review and validate vendors from a supply chain perspective, it is important to evaluate SaaS vendors and applications. You want to understand the use of the application, such as who uses it and for what business purposes, as well as the security profile of the vendor. Identify the available security features. For example, are there optional data protection and privacy capabilities, exportable audit logs, or SSO and SCIM provisioning support? Also understand the core assumptions built into the product about which elements of protection fall on your side of the shared responsibility fence: the provider typically secures the platform, while tenant configuration, user access and data handling remain yours.
5. Use data encryption
Most channels used for communication with SaaS applications use TLS to protect data in transit. Many SaaS providers also offer encryption of data at rest. For some providers this is on by default; for others it must be explicitly enabled by the customer. If given the option, enable it. Bear in mind that provider-managed at-rest encryption mainly protects against lost or decommissioned storage media; the provider still holds the keys and can read the data. Where the provider offers customer-managed keys (often called BYOK), that option gives you control over key rotation and revocation. If your providers don't offer encryption, let them know it's a feature you'd like to see added.
6. Consider CASB
Depending on your security requirements, you may choose to evaluate tools and controls that help extend security requirements to the cloud. In a SaaS context, consider cloud access security broker options. With a CASB tool, an organization can add controls not originally provided by the SaaS provider. For example, a CASB can give better visibility into who has access to the tool, better usage monitoring and better data protection. Pay attention to CASB deployment modes: TLS 1.3 has increased the complexity of some proxy-based (inline) models, while API-driven modes require an integration with the SaaS provider's own API, which means not every product on the market is supported.
7. Consider SSPM
Another option is SaaS security posture management. SSPM is similar to cloud security posture management in some ways. With CSPM, you continuously check that a given security model is enforced across multiple cloud deployments. SSPM does the same for SaaS, checking that security policy is set consistently across SaaS platforms. SSPM tool vendors have done the work of translating specific policy goals (MFA required, SSO enforced, anonymous sharing disabled, and so on) into the native configuration of each SaaS service; they then query those services through their APIs to confirm your configuration is in the desired state and alert you if it drifts.
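The core of that translation step is an adapter per vendor plus one policy evaluated against the normalized result. The following is an added example, not code from the article or from any SSPM product: two hypothetical SaaS tenants expose their settings in different native shapes (nested keys with a string MFA mode versus flat 0/1 flags), adapters normalize both to the same attributes, and a single policy covering the SSO, MFA and encryption points from sections 2, 3 and 5 above is evaluated against each. The settings documents, attribute names and policy thresholds are all constructed assumptions.

```python
"""Minimal SSPM-style posture check. Added example; vendor settings shapes,
attribute names and thresholds are hypothetical."""
from dataclasses import dataclass

# Policy goals as (normalized attribute, check on its value, requirement text).
POLICY = [
    ("sso_required", lambda v: v is True, "SAML/OIDC SSO enforced for all users"),
    ("mfa_enforced", lambda v: v is True, "MFA required for every account"),
    ("public_links", lambda v: v is False, "anonymous public link sharing disabled"),
    ("session_timeout_min", lambda v: v is not None and v <= 480, "session timeout at most 8 hours"),
    ("encryption_at_rest", lambda v: v is True, "customer data encrypted at rest"),
]


def normalize_vendor_a(settings):
    """Hypothetical vendor A: nested auth block, MFA as a mode string,
    session TTL in seconds, anonymous links default to enabled."""
    auth = settings.get("auth", {})
    ttl = auth.get("session_ttl_seconds")
    return {
        "sso_required": auth.get("saml", {}).get("enforced") is True,
        "mfa_enforced": auth.get("mfa") == "required",
        "public_links": settings.get("sharing", {}).get("anonymous_links", True),
        "session_timeout_min": ttl // 60 if ttl else None,
        "encryption_at_rest": settings.get("storage", {}).get("encryption") in ("aes256", "kms"),
    }


def normalize_vendor_b(settings):
    """Hypothetical vendor B: flat keys, 0/1 flags, timeout in minutes.
    A missing timeout key is reported as None so the policy flags it."""
    return {
        "sso_required": settings.get("require_sso") == 1,
        "mfa_enforced": settings.get("two_factor") == "enforced",
        "public_links": settings.get("allow_public_links", 1) == 1,
        "session_timeout_min": settings.get("idle_timeout_minutes"),
        "encryption_at_rest": settings.get("at_rest_encryption") == "on",
    }


@dataclass
class Finding:
    tenant: str
    attribute: str
    observed: object
    requirement: str


def evaluate(tenant, normalized):
    """Return one Finding per policy item the normalized settings fail."""
    findings = []
    for attr, check, requirement in POLICY:
        value = normalized.get(attr)  # missing attribute -> None -> fails closed
        if not check(value):
            findings.append(Finding(tenant, attr, value, requirement))
    return findings


def assess(tenants):
    """tenants: iterable of (name, adapter, raw_settings). Returns {name: [Finding]}."""
    return {name: evaluate(name, adapter(raw)) for name, adapter, raw in tenants}


# Constructed tenant settings. crm-prod is compliant except for open sharing;
# wiki has SSO on but MFA optional and no idle timeout configured at all.
VENDOR_A_SETTINGS = {
    "auth": {"saml": {"enforced": True}, "mfa": "required", "session_ttl_seconds": 28800},
    "sharing": {"anonymous_links": True},
    "storage": {"encryption": "aes256"},
}
VENDOR_B_SETTINGS = {
    "require_sso": 1,
    "two_factor": "optional",
    "allow_public_links": 0,
    "at_rest_encryption": "on",
}
TENANTS = [
    ("crm-prod", normalize_vendor_a, VENDOR_A_SETTINGS),
    ("wiki", normalize_vendor_b, VENDOR_B_SETTINGS),
]

if __name__ == "__main__":
    for tenant, findings in assess(TENANTS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{tenant}: {status}")
        for f in findings:
            print(f"  {f.attribute}: observed={f.observed!r}; required: {f.requirement}")
```

Two design points matter in practice. First, a missing or unreadable setting fails closed (it is reported as a finding rather than silently passing), because "the API didn't return that field" is exactly the case where a tenant has quietly drifted or the vendor has changed its schema. Second, the adapters hold every vendor-specific assumption, so when a provider renames a setting only one function changes and the policy stays as written.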
8. Maintain situational awareness
As always, monitor SaaS usage. Examine data from internal tools, including a CASB if you use one, as well as any logs or other information provided by the service providers, to see where and how you use SaaS. Note that many providers' audit logs must be explicitly enabled, are gated behind higher subscription tiers, or are retained only briefly, so export them to your SIEM or log store rather than relying on the provider's console.
It is important for IT and security leaders to understand that a SaaS offering is a powerful tool that requires the same level of security as any other enterprise application. By adopting these best practices for SaaS security in conjunction with systematic risk management measures and ongoing security assessments, organizations can ensure that SaaS is used safely by users and that usage is protected.
Editor’s Note: This article has been updated and expanded to incorporate changes in cloud security best practices since the original 2021 publication and to improve the reader experience.
Ed Moyle is a technical writer with over 25 years of experience in information security. He is currently CISO at Drake Software.