Assessing the maturity of your SaaS security program
Buying software as a service has undeniable advantages over the traditional way of buying software: no configuration, lower costs, faster return on investment, scalability, rapid upgrades and universal accessibility. Purchasing SaaS has become so simple that anyone with a credit card and an email address can acquire a license and start using the most powerful software. This has created unique challenges for security teams and requires them to assess the maturity of their SaaS security using a framework developed for the challenges that SaaS specifically creates.
Several industry standards specify best practices to help companies secure their SaaS applications. A lot of startups are also hitting the market with products designed to solve the SaaS security problem. What’s missing, however, is an end-to-end framework that helps companies understand where they are in the SaaS security journey, with a clear view of what they’re trying to accomplish. One of the major shortcomings of current security standards is that they are all primarily focused on securing and managing SaaS applications that security teams already know about or regularly use. This starting point simply does not match the reality of SaaS today, which is often acquired by employees and never reported, or used for a one-time task or project.
Based on Grip’s work with hundreds of CISOs, we’ve defined four stages of maturity that we’ve observed in SaaS security programs.
Discovery is the first step in SaaS security and is the foundation of a robust SaaS security program. Microsoft believes that 80% of employees use unauthorized apps, which is consistent with what we’ve seen when working with businesses. There are different SaaS discovery methods, ranging from self-reporting to network traffic analysis to log analysis, and most companies use a combination of methods.
The challenge that most companies face at the discovery stage is the sheer volume of data that needs to be collected, analyzed, and processed. Many discovery methods rely on collecting logs of user actions, and turning raw logs into actionable security information is no easy task. Even products that process logs and create alerts face the challenge of identifying the right indicators of SaaS usage, which results in a high volume of false positives. Although conceptually simple, this is a step that many companies struggle with.
SaaS security programs that have successfully mastered the discovery stage quickly realize that the number of SaaS applications in use is far greater than expected. A 2020 report from Blissfully found that SaaS application turnover was greater than employee turnover. This means that security teams will constantly identify new applications and need to assess their risk to understand which policies apply. Companies at this stage are able to prioritize their risks and mitigate them.
Prioritization is critical for SaaS security programs because not all SaaS applications are equal when it comes to risk. Some only gather publicly available data, while others are used to analyze confidential or proprietary data. Risk prioritization helps SaaS security programs understand which applications pose the highest risk so they can be appropriately secured. However, the challenge enterprises face in the prioritization phase is the sheer volume of discovered applications and the tedious process of assessing each application, which has the potential to overwhelm security teams.
Securing SaaS applications is the next step, and most companies already do this to some degree. This step is necessary to obtain and maintain compliance with industry standards such as SOC 2 and ISO 27001. Methods range from simply blocking access to high-risk applications to integrating applications with single sign-on (SSO), which requires users to authenticate and tracks their usage.
Every company has a group of applications that are widely used, for example human resources or customer relationship management software. Securing these apps through methods like SSO makes sense. But the vast majority of SaaS applications are not widely used; they are used by a single department or even by a few people within one. Securing these apps with SSO doesn’t make sense because the integration usually requires a user license upgrade and backend work. Companies have often done a great job of securing their most used applications. Securing the hundreds of unmanaged SaaS applications that each have a small number of users is more difficult, and almost every company struggles with it.
The final stage of SaaS security maturity is ordering. Companies at this stage have established a sustainable and repeatable program that runs continuously and is supported by automation. Companies that reach this stage can see real-time metrics such as:
- Total number of SaaS applications discovered
- Number of employees using them
- Sanctioned or unsanctioned status of SaaS applications
- Authentication method used (e.g. SSO, identity provider, username/password)
- Prioritization of the level of risk
- Automated offboarding of departing employees from all SaaS applications
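The discovery, prioritization and metrics passages above describe the same pipeline: raw usage logs are parsed, noise hosts that cause false positives are filtered out, each discovered app is scored for risk, and the dashboard numbers are derived from the result. The following is an added example of that pipeline, not code from the article or from Grip; the log format, the host catalogue and the noise-host list are all constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample gateway log lines (not from the article): time, user, host, auth method.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z alice@example.com app.hubspot.com saml
2024-03-01T09:00:05Z alice@example.com cdn.segment.io none
2024-03-01T09:01:10Z bob@example.com app.hubspot.com saml
2024-03-01T09:02:00Z carol@example.com www.notion.so password
2024-03-01T09:02:30Z dave@example.com www.notion.so password
2024-03-01T09:03:00Z dave@example.com api.mixpanel.com none
2024-03-01T09:04:00Z erin@example.com app.datadoghq.com password
"""
# Hypothetical catalogue: host -> (data class, sanctioned). Hosts not listed are still
# discovered; they just default to an unknown data class and unsanctioned status.
CATALOG = {"app.hubspot.com": ("confidential", True), "www.notion.so": ("confidential", False)}
# Embedded telemetry/CDN hosts are not user-facing SaaS; counting them is the
# false-positive problem the article describes, so they are dropped here.
NOISE_SUFFIXES = ("segment.io", "mixpanel.com")
LINE = re.compile(r"^(\S+) (\S+@\S+) (\S+) (saml|oidc|password|none)$")

def discover(log_text):
    """Group log lines into per-host records of distinct users and auth methods seen."""
    apps = defaultdict(lambda: {"users": set(), "auth": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3).endswith(NOISE_SUFFIXES):
            continue  # malformed line or known noise host
        _, user, host, auth = m.groups()
        apps[host]["users"].add(user)
        apps[host]["auth"].add(auth)
    return apps

def risk_priority(host, record):
    """Higher score = review first: sensitive/unknown data, no SSO, unsanctioned."""
    data_class, sanctioned = CATALOG.get(host, ("unknown", False))
    score = 3 if data_class in ("confidential", "unknown") else 1
    score += 0 if record["auth"] & {"saml", "oidc"} else 2
    return score + (0 if sanctioned else 1)

def metrics(log_text):
    """The dashboard numbers the article lists, derived from the discovered apps."""
    apps = discover(log_text)
    return {
        "total_apps": len(apps),
        "employees": len(set().union(*(a["users"] for a in apps.values()))),
        "unsanctioned": [h for h in apps if not CATALOG.get(h, ("", False))[1]],
        "no_sso": [h for h in apps if not apps[h]["auth"] & {"saml", "oidc"}],
        "by_risk": sorted(apps, key=lambda h: risk_priority(h, apps[h]), reverse=True),
    }
```

On the sample data the two telemetry hosts are dropped, three apps and five employees are discovered, and the two password-only, unsanctioned apps are ranked above the SSO-integrated one.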
At this stage, companies have clear visibility into and control over their SaaS security risks, and they can secure and manage SaaS of every type.
The journey is not a destination
The four stages of SaaS security maturity are useful for companies trying to assess their programs, and they highlight why securing SaaS applications is different from traditional security. SaaS lives beyond the corporate perimeter and is accessible from anywhere and from any device. Traditional security relies on controlling the device, the network connection, or the user identity. Most SaaS used in a business is completely unmanaged, and the business controls none of those usual enforcement points.
This poses unique challenges that the industry is only beginning to recognize. With a steady stream of new applications coming online all the time, an honest review of SaaS security program maturity can help organizations better understand the risks they knew existed but perhaps didn’t fully understand.
This article originally appeared in Forbes, an American business magazine that features articles on finance, industry, investing, and marketing.