SaaS is a pivotal element of digital transformation, which involves integrating digital technologies into all areas of a business to enhance agility, accelerate market responsiveness, and reduce operational costs. This transformation impacts nearly every facet of IT, from network infrastructure to the daily applications used by employees. Unlike past technology transformations, much of today's change is driven by business units rather than IT or security teams, presenting unique challenges.
As SaaS applications proliferate, security teams often struggle to keep pace with the rapid expansion of services that power digital enterprises. This situation underscores the necessity for IT and security leaders to embrace a governance and risk management approach that aligns with the realities of modern workplaces.
SaaS security is unique due to the rapid adoption of new services, decentralized decision-making processes, and the expanding scope of SaaS in managing critical business functions and technologies. The acronym "DISCO" encapsulates the essential components of an effective SaaS security strategy: Discover, Insight, Secure Access, Continuous Evaluation, and Orchestration. By adhering to these principles, security teams can achieve significant milestones toward the ultimate goal of providing on-demand identity protection wherever and whenever SaaS is utilized. Let's explore each in more detail.
Discover
Capture, graph, and identify SaaS use and identity risk throughout the enterprise SaaS layer — business-led and IT-delivered SaaS services and apps — uncovering use history, authentication methods, weak credentials, duplicate passwords, and rogue or abandoned SaaS services. Through identity-based discovery, security teams gather a true picture of SaaS usage as it happens.
Insight
Prioritize SaaS identity risks based on context, accounting for key facets of each SaaS service's capabilities and the mitigations currently in place against compromise. A service may receive a lower risk score if controls like SSO are enabled or a use justification is documented. Conversely, risk scores increase when users consume SaaS that carries critical control functions, such as code repositories, production system control, or SaaS-delivered security tools. The resulting score combines the inherent risk of the SaaS with the presence (or absence) of risk mitigations. Insight signifies the need for relevant, actionable SaaS risk information that prioritizes what matters most, beyond simple “sanctioned or unsanctioned” status.
Secure
Universalize identity security with strong credentials on continuous rotation, turning SaaS identities into moving targets for attackers. Users get easy login and adaptive safeguards for all SaaS types, and security teams can respond by re-securing identities in the wake of a SaaS compromise, a phishing campaign, or risky SaaS services or functions entering the environment. By securing identities first, security programs remain adaptive and flexible to SaaS changes, because the identity is secured regardless of the SaaS in use.
Continuous Evaluation
Change happens. Newly discovered SaaS comes into the environment, decommissioned SaaS needs user offboarding, former employees leave the organization, and identities change roles and job functions. These are just some of the changes that happen every day. Multiple sources cite that 6 out of 10 SaaS apps will “churn” every two years. With change being continuous, security must be as well. Continuously monitor and detect changes to the SaaS environment, including how identities access and use SaaS services.
Orchestration
Finally, make use of existing controls, technologies, people, and programs by orchestrating security for the distributed identity fabric. Automate SaaS security and leverage playbooks, including onboarding, offboarding, sanctioning, and applied protections like SSO. Respond to SaaS risk insights, leveraging integrations for policy enforcement, governance, risk, and compliance.
By following these general practices to discover, analyze, and act on SaaS identity risks, security teams can protect the identities relevant to their organization in a way that adapts to change and integrates with their existing controls.