A Guide to SaaS Security

The rapid adoption of SaaS services has led to the two-pronged threat of identity attacks and the hijacking of critical SaaS tools leveraged to run the digital enterprise — from HR to IT, from factories to finance, the enterprise runs on SaaS.

SaaS security is not only consistent with overall enterprise security; it is entailed by it. This is because SaaS is leveraged to access and control everything else, including production and security SaaS, IaaS systems, repositories, and business-led SaaS. The best practice approach to SaaS security is oriented at the identity level, contextualized to relevant SaaS identity risk, and results in closed security gaps.

Identity-centric: Given the interdependency of identities and SaaS, securing SaaS is most effective when oriented around identities — the only available corporate asset in a continuous relationship with the SaaS service.
Identities use SaaS services directly, so it is important for security to begin with identities that can then be channeled into safe relationships with SaaS today and SaaS yet to be deployed.
The objective of SaaS security solutions is universal identity protection throughout the enterprise SaaS layer. To begin, organizations must find all identities in SaaS relationships. This includes historic user accounts with potentially dangling access or credential exposure.

Contextual risk analysis: One of the most valuable outcomes from SaaS discovery is the ability to look back through time to capture SaaS identity risks from 10+ years of user-SaaS relationships — from the first observed interaction to the present day. Consequently, companies can quickly remove a decade of risk with better awareness of SaaS services, users, groups, tenants, and policies taken from real-world usage.

Close security gaps: After initially removing accumulated risk in the enterprise SaaS layer, many organizations leverage their SaaS security program to identify security gaps in access control as well as user access reviews and authentication methods (IdP, OAuth, OIDC, passwords, etc.) across all SaaS services, users, groups, and tenants.

The key starting point for SaaS security is identity, and SaaS risks only get larger when identity security is ignored. If compromised, one identity can be used to access dozens of other SaaS services, many of which are used to operate critical functions of the enterprise — from HR to finance to engineering and DevOps.

Identity security for SaaS services is equivalent to protecting the cockpit door of a Boeing 787 — unauthorized access is non-negotiable. By universalizing security controls at the identity, security teams can get the result of secure identities and access without directly controlling the SaaS service. Business-led IT can thrive while at the same time hardening identity protection.

‍

The enterprise SaaS layer is diverse, multi-faceted, remains the largest shadow ingress, and comes with an outsized impact — because identities sprawl, duplicate, and are exposed to compromise across hundreds of SaaS relationships.

And what is more, the enterprise SaaS layer is where identities are repeatedly under attack with continuous phishing, smishing, and vishing schemes and credentials remaining the top attacker target.
We can see, then, enterprise security depends on mitigating SaaS identity risk because of the outsized impact to control of the digital enterprise via SaaS services and the relentless bombardment of attacks against identities.

‍The Impact of SaaS Breach Cyber-attacks and SaaS breaches have been well-documented in recent reports, from the 0ktapus threat campaign of 2022 to the phishing, smishing, and vishing schemes that impacted Twilio, Plex, Dropbox, Signal, Uber, and Digital Ocean, among others. What is less well-documented is how to prevent these attacks in the first place.
SaaS security teams must aim to increase the threat actor's cost by making the SaaS service layer inhospitable and costly, becoming an unattractive target.

Identity-dependent SaaS breaches. Understand identities and SaaS connections, acceptable and justified use, and analyze authentication methods to gain visibility to the global identity fabric in contact with SaaS services.

Mitigate identity risk - attack paths. Neutralize threats by foreclosing the opportunity to obtain credentials or gain unauthorized access to SaaS services. Although many business-led SaaS are outside the control of IT and security teams, identities can be secured and safeguarded by policies carried into existing and new SaaS connections. By enforcing strong standards of authentication, credential strength, and justified use, the security team can protect identities while allowing the use of unsanctioned SaaS.

Offboard unnecessary SaaS identity risk. Finally, eliminate attacker opportunities by destroying credentials and moving to on-demand, secure SaaS access. Identities are the primary focus for all cyber-attacks, including more than 83 million credential attacks per month targeting corporate identities. Remove the unnecessary risk of overly permissive and dangling access for former employees, contractors, and shadow accounts.

By annihilating credentials, security teams can thwart attacker attempts to compromise the enterprise SaaS layer — turning each identity into a moving target with double-blind credentials on continuous rotation.

SaaS adoption by enterprises of all sizes and industries is a natural corollary of their ongoing migration to the cloud. Many trends have led to an unprecedented reliance on SaaS that, paired with targeted attacks against identities and credentials, punctuates the serious threats to unguarded SaaS services. This has consequently generated demand for meaningful SaaS security outcomes that vendors have yet to meet—let alone offer concerted best practices for CISOs to safeguard identities across the SaaS service layer.

Time and again, CISOs express the same concerns: identity, visibility, complexity, and cost.

Identity. For more than a decade, identities and credentials have remained the top target for cybercriminals and threat actors. With the rise of SaaS services and the advancement of business-led IT strategy, the global identity fabric has expanded and grown mostly out of sight. Identities and credentials are targets, and the targets are growing.

Visibility. While many organizations have adopted business-led IT strategies and encourage bring-your-own-app (BYOA) to enable user choice, visibility across the enterprise SaaS layer has become more challenging. Simply knowing which SaaS services are being used and how SaaS is being accessed can seem out of reach for most security leaders. 
Consequently, security leaders are often unaware of identity sprawl as the natural outcome of SaaS sprawl, where nearly 3-out-of-4 credentials are duplicates, with over 100 duplicate passwords per user, on average.

Complexity. Most organizations today operate in a complex environment that includes multiple operating systems, diverse, multi-faceted SaaS services, along with security tools, dashboards, and portals. Operating these technologies requires various skills and disciplines to deploy fragmented protections with multiple “owners” across IT and security teams — if the controls exist.

Additionally, many organizations must deal with challenges like ad-hoc integrations, API maintenance, and skills spread across silos.
Cost. The cost to secure identities and SaaS connections has become a $23 billion industry (Gartner, 2022). Most organizations have redundant identity providers, single sign-on, MFA, and directories. 

Additionally, many SaaS services charge for SSO-enabled versions of their app (SSO tax). Many of these costs went unnoticed when first introduced but became more costly and complex with the rise of business-led SaaS and modern work.

Implementing SaaS is a core component of digital transformation, the integration of digital technologies into how a company operates to help them become more agile, respond to the market faster, and reduce costs.  The transformation touches nearly every aspect of IT, from the network infrastructure to the applications used by employees on a daily basis. One notable difference from technology transformations of the past is that much of the transformation is business-led and not dictated by IT or security teams.  
‍

Security teams and leaders are unable to keep up with the growth of SaaS services that run our digital organizations. This makes it clear that IT and IT security leaders must adopt a governance and risk mindset that aligns with modern work.
SaaS security is unique because of the velocity of new SaaS being adopted, the decentralized purchasing decision process, and the ever-broadening scope for SaaS to operate business functions and technologies.

The term “DISCO” is an acronym for the key aspects of effective SaaS security: discover insight, secure access, continuous assessment, and orchestration. Security teams can see the results as milestones moving toward the goal of on-demand identity protection whenever and wherever SaaS is consumed.

Discover. Capture, graph, and identify SaaS use and identity risk throughout the enterprise SaaS layer — business-led and IT-delivered SaaS services and apps — uncovering use history, authentication methods, weak credentials, duplicate passwords, and rogue or abandoned SaaS services. Through identity-based discovery, security teams gather a true picture of SaaS usage as it happens.

Insight: Prioritize SaaS identity risks based on context, accounting for key facets of SaaS capabilities and current mitigations against compromise. This may produce a lower score if controls like SSO are enabled or use justification is documented. Also, risk scores increase when users consume SaaS with critical control functions, like code repositories, production system control, or SaaS-delivered security tools.

This is the inherent risk of the SaaS factored with the presence of risk mitigations (or lack thereof). Insight signifies the need for relevant, actionable SaaS risks to prioritize what matters most beyond “sanctioned or unsanctioned”.

Secure: Universalize identity security with strong credentials on continuous rotation — turning SaaS identities into moving targets for attackers. Users get easy login and adaptive safeguards for all SaaS types, and security teams can respond to secure identities in the wake of SaaS compromise, phishing campaigns, or risky SaaS services or functions entering the environment. By securing identities first, security programs have the ability to remain adaptive and flexible to SaaS changes because the identity is secured regardless of the SaaS in use.

Continuous: As mentioned, change happens. Newly discovered SaaS comes into the environment, decommissioned SaaS needs user offboarding, former employees leave the organization, and identities change roles and job functions. These are just some of the changes that happen every day. 6 out of 10 SaaS apps will “churn” every two years. With change being continuous, security must be as well. Continuously monitor and detect changes to the SaaS environment, including how identities access and use SaaS services.

Orchestration: Finally, make use of existing controls, technologies, people, and programs by orchestrating security for the distributed identity fabric. Automate SaaS security and leverage playbooks, including onboarding, offboarding, sanctioning, and applied protections like SSO. Respond to SaaS risk insights, leveraging integrations for policy enforcement, governance, risk, and compliance.

By following these general practices to discover, analyze, and act on SaaS identity risks, security teams can enable secure protection for identities relevant to their organization, adaptive to change and integrated with their existing controls.

SaaS security is key to effective risk management in most modern enterprises. Unfortunately, this model can also expose companies to risk. When different departments or teams use a range of different SaaS applications, a business can end up with SaaS cyber security gaps and risky practices like weak passwords or shared credentials. Since SaaS tools are cloud-based and internet-accessible, you can’t control access to the enterprise perimeter in the same way.
For SaaS security, there are a set of best practices CISOs can implement that can help companies embrace digital transformation and balance their risk management policies with the business objectives.

Implement Proactive New SaaS Discovery 

Employees today want to use the best app to get their job done, which means they will acquire SaaS apps independently.  The monitoring must occur across all of the devices employees use for their work, regardless of whether they are using a VPN or ZTNA access method.  
Traditional security products fall short in SaaS discovery because they require network traffic analysis or endpoint agents.  Newer SaaS security platforms do a far better job of constant discovery by using discovery methods that work no matter what device the employee is using or what access network they are connected to.  ‍

Automate SaaS Business Justification‍

Once SaaS is discovered, a process to evaluate the risk is needed.  The first step in this process is for the user to inform IT/security of the business need for the SaaS app and the type of data that is going to be used in the app.  This can be achieved through an automated survey that is sent out to the user.
The sheer volume of SaaS usage in an enterprise makes this impossible without automation.  Once the risk level is assessed, IT/security can then enforce the appropriate policies.  The efficacy of this process depends on comprehensive detection. 
‍

Enforce Identity and Access Management (IAM)‍

Most companies use an IdP or an SSO solution and officially have a policy that when a SaaS app supports one of those two, the employee should be using them to access the app.  Having employees use IdP to create accounts provides IT/security teams with centralized visibility and access control.  

Despite the official policy, many employees use logins and passwords.  Knowing and enforcing the IAM method is important because IT/security teams can centralize SaaS risk control.  Traditional SaaS security products are not able to provide this type of data, whereas newer SaaS security platforms are.  Furthermore, not all SaaS apps support an IdP or SSO integration, so IAM enforcement using traditional SaaS security products is just not possible. 
‍

Require Multi-Factor Authentication ‍

Multi-factor authentication (MFA) enhances SaaS security by requiring users to identify themselves with more than just a username and password.  Most SaaS apps support at least two-factor authentication, which should be required.  The challenge for security teams is to identify SaaS apps that do not support MFA and stop users from using them.  SaaS security platforms are able to do this and automate the reporting of this capability.
‍‍

Prioritize Single Sign On Integration‍

Single Sign On (SSO) helps employees be more productive and reduces the number of usernames and passwords that could be compromised.  It also provides an audit trail of SaaS app access, which is required for compliance and security certifications. Adding an app to SSO does not happen automatically and can be expensive due to SSO licensing costs.  IT/security teams benefit greatly by knowing which SaaS apps are used by the most employees and have the greatest risk. This information cannot be obtained using traditional SaaS security products. 
‍

‍Monitor Sharing of Accounts‍

Sharing SaaS accounts among multiple users is one of the greatest risks.  If one employee were to leave the company, the remaining employees would need to change the password, and this is an inconvenience, which means there is a good chance that this will not happen. Sometimes sharing does make business sense, though, and a process is required to ensure that the account is secured with any changes in personnel.  SaaS security platforms can monitor the sharing of accounts and even reset passwords for everybody if needed.  

Remove Dormant (Zombie) Accounts

The ease with which SaaS accounts can be created means that employees likely have more accounts than they are aware of.  In many cases, they may be testing something out with a free trial or stopped using an app once they discovered a better one. Each of these dormant accounts is a potential attack vector or could store sensitive, confidential company information.  Newer SaaS security platforms are designed to discover and secure dormant SaaS accounts, and this is something that should be done on a regular basis.  

Enforce Password Policies

When a SaaS app does not support a company’s IdP or SSO, the only option is a username and password.  The problem is that most users will reuse passwords across multiple apps, and they do not regularly change them.  

Using password managers is viewed as an option, but employees often do not follow the password strength and change guidelines.  A better approach is to remove the need for usernames and passwords and handle them using a SaaS security platform.  This helps extend IdP or SSO policies to all SaaS apps and implements a consistent risk management strategy.  

There are no silver bullets when it comes to SaaS security.  Many of these items are things that are commonly known.  Detecting SaaS applications is the critical first step.  After that, the challenge is being consistent and implementing automation to reduce the chance of human error.  

Newer SaaS security products were designed specifically for the SaaS environment and can help companies achieve their SaaS security objectives.  

Growing complexity requires security and risk teams to wade through an assortment of tools and technologies, but many of these traditional technologies are ill-suited to the two-pronged concern of identity and SaaS hijacking. Given their origins in network-based architectures, traditional security controls are hard to adapt to this new reality, so a new architectural model for security is needed.

“Increasingly, business-critical operations are performed via SaaS services, existing entirely outside the corporate network, making traditional controls ineffective. New controls are needed to address these new realities.”

- Gartner, 2022

Security leaders repeatedly express the same concerns about their overall cloud security exposure and risk, and in 2023, visibility, risk, and access control remain the top challenges.

‍Cloud Security Posture Management (CSPM)

A automated data security solution category that manages monitoring, identification, alerting, and remediation of compliance risks and misconfigurations in cloud environments. One of its most critical functions is the continuous proactive process of enterprise-wide asset visibility, configuration assessment, and transformation to reach a target security state.

Cloud Infrastructure Entitlement Management (CIEM)

Typically used to monitor and manage account entitlements across user accounts to cloud infrastructure (IaaS), cloud infrastructure entitlement management (CIEM) identifies dormant and unnecessary entitlements on user accounts and enables remediation and enforcement of least privilege security approaches. One of its most critical functions is identifying excessive entitlements by continuously monitoring the permissions and activity of human and nonhuman entities related to IaaS, both for the public and private clouds.

Cloud Workload Protection Platform (CWPP)

A workload-centric solution for securing application targets with unique protection requirements, often as a translation of protection schemes migrating from on-premise application controls. Workloads in modern cloud environments can include physical servers, virtual machines (VMs), containers, microservices, and serverless workloads. One critical function for CWPP is the combination of system integrity protection, application control, behavioral monitoring, and optional anti-malware from some vendors.

Cloud-Native Application Protection Platform (CNAPP)

A solution with an integrated approach intended to consolidate key functions of cloud security tools such as configuration and posture management as well as cloud workload protection capabilities. 

Additionally, CNAPP functions as a unifying solution across siloed capabilities, including container security, infrastructure as code scanning (IaC), infrastructure entitlements (CIEM), runtime workload protection (CWPP), and monitoring cloud security posture (CSPM). One critical function for CNAPP is improving developer and security professional effectiveness and collaboration, shifting security controls left and right throughout the cloud application lifecycle.

SaaS Security Control Plane (SSCP)

An identity-based architectural element commonly leveraged to discover SaaS services and user-SaaS relationships, identifying risky access controls, malicious or abandoned SaaS services, credential exposures, and accumulated risk throughout the SaaS service layer. 

One critical function of SSCP is unified visibility and control over SaaS services, leveraging identities as the primary enforcement point in user-SaaS connections, including automating offboarding for SaaS services, SaaS users, or any combination of the two. 

SSCP is typically part of a broader enterprise security strategy, complementing capabilities such as cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), identity and access management (IAM), and cloud access security brokers (CASB).  ‍

‍

SaaS Security Posture Management (SSPM)‍

A solution for continuously assessing security risk for specific SaaS applications, generally related to 10-20 SaaS services per organization. Typically, SSPM follows the implementation of SSCP in most cloud security programs. SSPM’s core capability includes reporting on configuration failures or exposures within SaaS services, managing authorization, and insider threat indicators. Some SSPM solutions offer optional benchmarking, compliance comparisons with security and industry frameworks and auto-reconfiguration for SaaS permissions.‍

‍

SaaS-Delivered IAM‍

Also known as identity and access management as a service (IDaaS) or IAM as a service, this tool set is a subset of identity management and identity governance solutions, deployed as a service instead of on-premises, or IaaS hosted services. 

One key function for SaaS-Delivered IAM is the ability to provide single sign-on (SSO) access control and governance, typically via secure assertion markup language (SAML) or OAuth access authentication controls. Optional functions for privileged access management (PAM) and customer identity and access management (CIAM) help to add value to SaaS-Delivered IAM tools.

Grip created the world’s first SaaS Security Control Plane (SSCP). Grip SSCP enables organizations to consistently protect their SaaS-identity fabric while avoiding the complexity of multiple point products (such as traditional CASBs, SWG, web proxies, and agents), significantly simplifying security and protecting the enterprise SaaS layer — identity first.

Grip captures and graphs users, SaaS services and apps, groups, and tenants — including authentication methods and usage with 10+ years of history. Prioritize remediation with SaaS insights and identity risk indexing throughout the SaaS service layer, including missing controls like SSO, policy dodging, and use justification. 

To secure the SaaS-identity fabric, visibility and awareness are critical. Grip gives security teams on-demand insights into SaaS use, misuse, and abuse by continuously discovering SaaS as users in the wild consume it, regardless of network status, device, or location —all without proxies or agents. 

When SaaS providers experience a breach, Grip empowers customers to instantly see if and where they are affected and secure identities exposed to a compromised SaaS service. Grip’s continuous discovery delivers relevant, actionable insights to pinpoint risks and identity threats anywhere in the enterprise SaaS layer. Eliminate threats that matter based on accessibility and impact of each SaaS app’s inherent risk and validate access and secure authentication for each user of the impacted SaaS service.

Grip’s open integrations enable security programs to tame their SaaS and identity challenges with unified controls leveraging SaaS identity risk insights and one-click automation to realize security outcomes for all SaaS — past, present, and future.