What is SaaS Security?
SaaS security is a set of architectures, processes, and strategies designed and implemented by companies to protect their data and other information stored in or used by applications delivered over the Internet as a service. SaaS often requires a subscription, but most applications offer a freemium version that allows users to use them for free, with some limitations. Users acquire SaaS by creating accounts, which only requires a login and password.
What makes SaaS security unique from other security programs is the lack of control or ownership of any of the infrastructure or connectivity to the application. Unlike internal or privately hosted applications, the company does not control the servers, authentication method, network connection, and sometimes the endpoint (unmanaged devices). This means a multi-dimensional approach to SaaS security is required.
Identity and Access Management:
Companies can control the authentication method to SaaS applications as a way to discover and control access. Common products used for this include single sign-on (SSO), identity providers (IdPs), and password managers. This approach works well for core SaaS apps managed through SSO but does not work well when users have the option of securing their SaaS accounts themselves.
Endpoint Security:
Endpoint products allow companies to control what gets installed and used on a managed device. Some SaaS apps have download or integration options that allow them to be used through an installed client rather than the browser. Endpoint products work well for managed devices; however, they are not able to secure SaaS apps or access from unmanaged devices.
Network Security:
Controlling Internet connectivity is an effective method to control SaaS access, and this is often done through a secure web gateway (SWG) and cloud access security broker (CASB), which are foundational elements of the Security Service Edge (SSE) architecture defined by Gartner. The challenge with network control is that it is not identity-aware, meaning that alerts from this method cannot be triggered based on account creation or application usage. High volumes of false positives are a common complaint about this method.
SaaS Application Security:
SaaS applications themselves have vulnerabilities, and misconfigurations are common attack vectors targeted by attackers. SaaS security posture management (SSPM) products analyze and monitor the SaaS application itself to ensure that it is secure. One downside is that SSPM products require integration to work, and they do not support every SaaS application that employees might use.
The modern approach is to leverage a dedicated architectural SaaS security layer designed for the unique requirements of SaaS. An effective SaaS security layer requires four key elements:
SaaS Discovery:
Comprehensive discovery is critical to understanding the apps that are being used by employees. An identity-based discovery method is the most effective. Compared to network-based discovery used by SWG/CASB products, an identity-based approach discovers up to 5X more SaaS applications.
SaaS Risk Prioritization:
Most companies will have hundreds or thousands of SaaS applications that they need to secure, and not all SaaS applications are equal in risk. Prioritization is critical to ensuring that the riskiest applications are secured first. Risk prioritization should be based on company-specific attributes such as number of users, speed of adoption, and the data being used.
Securing SaaS Accounts:
Securing SaaS applications may be done in multiple ways. The application can be added to SSO, or users can be required to use an IdP or a password manager, which requires follow-up and confirmation. If the employee does not comply, or the application cannot be added to SSO, the SaaS account can be secured by locking the account so that the user cannot access it.
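The three elements above (identity-based discovery, risk prioritization by user count, adoption speed and data, and the add-to-SSO-or-lock decision) as one worked example. This is added illustration code, not from the page's author or any product; the account records, data-sensitivity weights and scoring formula are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of identity-based discovery output: one record per
# SaaS account, with the user, creation date, the sensitivity class of data
# the app handles, and whether the account is managed through SSO.
ACCOUNTS = [
    {"app": "filesharer", "user": "ann", "created": date(2024, 5, 2), "data": "customer", "sso": False},
    {"app": "filesharer", "user": "bob", "created": date(2024, 5, 9), "data": "customer", "sso": False},
    {"app": "filesharer", "user": "cat", "created": date(2024, 5, 20), "data": "customer", "sso": False},
    {"app": "crm", "user": "ann", "created": date(2023, 1, 4), "data": "customer", "sso": True},
    {"app": "crm", "user": "dan", "created": date(2023, 2, 4), "data": "customer", "sso": True},
    {"app": "notes", "user": "bob", "created": date(2024, 5, 25), "data": "internal", "sso": False},
    {"app": "meme-maker", "user": "cat", "created": date(2022, 7, 1), "data": "public", "sso": False},
]

DATA_WEIGHT = {"public": 1, "internal": 2, "customer": 4}  # assumed sensitivity weights

def summarize(accounts, today, window_days=30):
    """Aggregate per app: distinct users, accounts created in the window, worst data class, SSO coverage."""
    apps = defaultdict(lambda: {"users": set(), "recent": 0, "data": "public", "sso": True})
    for a in accounts:
        s = apps[a["app"]]
        s["users"].add(a["user"])
        if (today - a["created"]).days <= window_days:
            s["recent"] += 1
        if DATA_WEIGHT[a["data"]] > DATA_WEIGHT[s["data"]]:
            s["data"] = a["data"]
        s["sso"] = s["sso"] and a["sso"]  # an app counts as SSO-managed only if every account is
    return apps

def risk_score(s):
    """Assumed scoring: users x data weight, scaled by adoption speed; zero when SSO already covers it."""
    if s["sso"]:
        return 0.0
    adoption = 1 + s["recent"] / len(s["users"])  # share of accounts created in the window
    return len(s["users"]) * DATA_WEIGHT[s["data"]] * adoption

def prioritize(accounts, today):
    """Return (app, score, action) riskiest-first, with the securing step the text describes."""
    ranked = []
    for app, s in summarize(accounts, today).items():
        action = "already on SSO" if s["sso"] else "add to SSO/IdP; lock accounts that do not comply"
        ranked.append((app, round(risk_score(s), 2), action))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

def demo():
    return prioritize(ACCOUNTS, date(2024, 6, 1))

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The fast-growing, unmanaged app handling customer data ranks first, while the SSO-managed CRM drops to zero even though it also holds customer data.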
SaaS Security Orchestration:
SaaS security has multiple dimensions, so the actual securing of a SaaS application should be orchestrated across the various control layers: identity, endpoint, network, and application. This requires a specific SaaS security layer that is the foundational element of a SaaS security program that aligns with the SaaS security lifecycle. A SaaS security control plane (SSCP) is the best solution for this.