Reducing Risk Through Comprehensive SaaS Security Strategies

Managing the security posture across multiple SaaS clouds can be difficult, especially as malware and ransomware attacks increase in frequency and success.

Today, organizations face a variety of SaaS challenges, including a lack of configuration standards, multiple APIs/UIs with varying layers of access and easy ways for customer data to leak across systems.

In this article, I’d like to explore the complexities of risk across SaaS applications and how I believe it can be reduced. These insights come from my experience helping over 1,500 customers address these challenges and from my discussions with my company’s senior technology advisor.

Compounding Problems

Ensuring the security of structured data in CRM applications, the communications and data in messaging applications or unstructured data from file providers is difficult enough. But these systems often come from three different companies, and by the time an attack has happened, it’s usually too late. The reality is that the interconnection between these systems makes tracking data provenance hard and allows malware and ransomware to spread more broadly.

This problem is compounded when these systems extend to include external users; it becomes easy to inadvertently leak or destroy sensitive data as the footprint expands. Whether it’s Salesforce Communities, Slack Connect, Microsoft Teams, Microsoft 365 or Google Drive, a rat’s nest of identity, permissions and integration controls are created. Unfortunately, most of the endpoint management tools on the market are designed for a pre-cloud, pre-BYOD world.

Toward Comprehensive Solutions

But there is hope. I see vendors building new solutions to help IT and security teams manage risk in a way that integrates with existing systems while still providing depth of defense around cloud systems of record and engagement.

Therefore, as you manage risk in the cloud, it’s crucial to pick IT and security solutions that understand the intricacies of the SaaS applications being deployed. I believe that teams need to look at solutions that go beyond just OAuth scopes, login IP addresses and high-level scores and dive deeper into the usage patterns of data and, if possible, the code of all the integrations.

Often treated as just a checkbox, many SaaS vendors only provide event monitoring and a base level of data leak protection. These features usually don’t provide the ability to prevent and remediate attacks on data. Requiring a manual intervention usually means it’s too late, and the data is already encrypted—sensitive PII has already been accidentally placed in the wrong folder, or a rogue Google Chrome extension has already been installed that harvests a sensitive client list.

Automation And Detection

That’s why I believe that automation and detection are so key. It’s also why using solutions that work comprehensively across SaaS platforms—integrating data loss prevention, posture management and automatic detection/response—is vital to a good security strategy.

In the past, we’ve witnessed many security incidents that occurred due to misconfiguration or malice, but the most difficult to detect tend to be the ones that happened out of the customer’s control.

I find that large CRM platforms add many APIs to the core systems that can be helpful, especially portals and community access, but these can inadvertently leak data even without changing any configuration. Adding in a mobile application or an AppExchange application unrelated to a customer’s core data can create a high-level security incident. The assumption that the data is hidden because it isn’t available in the UI gives a false sense of security.

Adding in connectivity between SaaS products through integrations can make this even worse—now it’s hard to track where the data is going, and there are multiple permission systems to manage. These external systems, especially data warehouses, do not support the level of row-level security of the CRM vendors.

Furthermore, many of today’s users are getting an increasing amount of smishing and phishing attacks that, unlike most email spam, are hard to distinguish from real requests. Remediating ransomware is difficult; it’s better to pick a vendor that can detect and block ransomware quickly. I advise looking for solutions that have advanced algorithms that examine behavior, not just signatures, and where the SLA is short enough that teams don’t have to beg the cloud provider to increase throughput or timeouts to put a business back on track as they recover from out-of-date backups.

Exceeding Security Posture Management

While the development of security solutions has led to the emergence of SaaS security posture management (SSPM) platforms, I think it’s important to acknowledge that an SSPM alone is not sufficient to combat modern security threats in the SaaS environment. Yes, continuous monitoring and algorithmic analysis are essential components of a comprehensive security strategy, but I contend that they must be complemented by other measures to ensure comprehensive protection.

To achieve this, businesses can look to adopt a complex and interconnected ecosystem of robust solutions that work in concert to provide a unified defense against the diverse range of threats that they face. This can include an all-in-one platform that integrates SSPM with other essential components such as SaaS DLP and SaaS Ransomware protection. (Full disclosure: My company provides this type of platform.)

So, while I see the rise of SSPM as a positive development, I believe that further SaaS security is critical for businesses to ensure the highest level of protection against the ever-evolving threat landscape. Equally important is to ensure that it doesn’t create a tidal wave of false alerts. Make sure the AI or automated controls are robust and reduce your burden. One-size-fits-all algorithms can be counter-productive if you do not adjust these mechanisms to adjust to business requirements. The goal is to detect and block actual suspicious activity across SaaS applications, not ruin a company’s productivity.

As ransomware-as-a-service providers are becoming smaller outfits due to increased scrutiny, I predict that they may start targeting businesses that may not have seen themselves as vulnerable. Increasingly, they use platforms like Slack workspaces to serve up their links as legitimate. You can be on the offense by investing in automated, modern cloud-based defense.

As originally published in Forbes