SaaS has become the standard way many organizations consume business applications. Data from Productiv, which makes software to help companies manage their app spending, showed that the average company used 342 SaaS apps in 2023.
Beyond sheer quantity, the ways in which organizations use SaaS products complicate efforts to protect sensitive data and prevent data breaches. Organizations make choices based on their industry, requirements, goals, regulatory mandates and so on. All of this means there is no one-size-fits-all SaaS security checklist.
However, certain SaaS security best practices and strategies apply in most situations. Some best practices to consider include the following.
1. Discover and inventory applications
One of the things that makes SaaS so compelling is how easy it is to adopt. That ease is both a blessing and a curse. New users can start using a tool with almost no friction, so an app can go from a handful of users to significant usage almost overnight.
These adoption dynamics complicate SaaS management. A survey of IT professionals for BetterCloud's “State of SaaSOps 2023” report found that up to 65% of SaaS application usage is unlicensed, a strong indicator that shadow IT is still alive and well.
To detect which SaaS applications are in use, a company can combine automated and manual methods. It is also wise to develop strategies for how to collect and validate usage data. You can, for example, fold building your SaaS inventory into other data collection activities already under way. Business impact analysis – for example, collecting information about application usage and relative priorities for business continuity purposes – or gathering evidence for an audit response can both double as mechanisms for learning which SaaS applications are in the environment. As you collect information, add it to a running inventory or playbook that records the business use of each SaaS tool.
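As an added illustration, not code from the article, here is a constructed Python sketch of the automated side of discovery: it parses proxy log lines, maps destination hosts to SaaS products using a small catalog, counts distinct users per app and flags apps that are not on the sanctioned list. The log format, catalog, sanctioned list and host names are all assumptions.

```python
"""Build a SaaS usage inventory from proxy logs and flag unsanctioned apps.
Added example, not the author's code; log format, catalog and sanctioned
list are all constructed."""
from typing import Dict, List, Set

# Constructed: destination hosts mapped to the SaaS product they belong to.
SAAS_CATALOG = {
    "app.slack.com": "Slack", "zoom.us": "Zoom",
    "www.dropbox.com": "Dropbox", "api.dropboxapi.com": "Dropbox",
    "app.asana.com": "Asana",
}
# Constructed: apps that procurement and security have licensed and reviewed.
SANCTIONED = {"Slack", "Zoom"}

# Constructed proxy log: timestamp followed by key=value fields.
PROXY_LOG = """\
2024-05-02T09:14:03Z user=alice dest=app.slack.com
2024-05-02T09:15:11Z user=bob dest=zoom.us
2024-05-02T09:16:40Z user=alice dest=www.dropbox.com
2024-05-02T09:17:02Z user=carol dest=api.dropboxapi.com
2024-05-02T09:18:30Z user=dave dest=app.asana.com
2024-05-02T09:19:01Z user=carol dest=www.dropbox.com
2024-05-02T09:20:45Z user=erin dest=intranet.example.internal
"""

def parse_line(line: str) -> Dict[str, str]:
    """Turn the key=value tokens after the timestamp into a dict."""
    _, *fields = line.split()
    return dict(f.split("=", 1) for f in fields)

def build_inventory(log: str) -> Dict[str, Set[str]]:
    """Map each observed SaaS app to the distinct users seen using it.
    Hosts absent from the catalog (internal or unknown) are skipped."""
    inventory: Dict[str, Set[str]] = {}
    for line in filter(str.strip, log.splitlines()):
        rec = parse_line(line)
        app = SAAS_CATALOG.get(rec.get("dest", ""))
        if app:
            inventory.setdefault(app, set()).add(rec["user"])
    return inventory

def shadow_it(inventory: Dict[str, Set[str]]) -> List[str]:
    """Apps seen in traffic but never licensed or reviewed, most users first."""
    unsanctioned = [a for a in inventory if a not in SANCTIONED]
    return sorted(unsanctioned, key=lambda a: (-len(inventory[a]), a))

if __name__ == "__main__":
    inv = build_inventory(PROXY_LOG)
    for app, users in inv.items():
        flag = "" if app in SANCTIONED else "  <-- unsanctioned"
        print(f"{app:8} users={len(users)}{flag}")
```

In practice the catalog would come from a maintained SaaS signature feed and the log source would be whatever proxy, DNS or identity-provider data the organization already collects.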
2. Implement single sign-on
Finding and recording usage information is helpful, but you also need controls that enforce the outcomes you want without constant manual effort. Single sign-on (SSO) is a particularly illustrative example.
From a user's perspective, one of the biggest issues with SaaS is the spread of identities across the different business applications in use. A user may have dozens of username and password combinations. This is stressful for them, but it also creates administrative challenges and security risks, such as users reusing passwords across services or writing passwords down.
Some SaaS providers offer the option to integrate with an external identity provider, such as Active Directory or Microsoft's Entra ID. This is typically supported through federation mechanisms such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). These features are valuable in their own right, but they also aid discovery. Not having to remember yet another username and password is a direct benefit to end users – so much so, in fact, that users will often push for this functionality where it doesn't exist.
This push for SSO from the user community is a good thing because it surfaces SaaS usage the security team may not be aware of. It also extends your existing authentication constraints – for example, multi-factor authentication (MFA) and password complexity requirements – and the scope of your login policies to the SaaS domain.
3. Enable multi-factor authentication
One of the main ways to enable MFA is to unify a user's identity with the identity provider already used internally. However, it is not the only way. Some SaaS applications do not support single sign-on directly, for example via SAML or OIDC, but nonetheless offer MFA through one or more supported mechanisms, such as time-based one-time passwords (TOTP) or codes sent by text message. Wherever MFA is supported, enabling it and rolling it out across the user base is valuable.
4. Vet and monitor vendors
Just as you review and validate vendors from a supply chain perspective, it is important to evaluate SaaS providers and their applications. You want to understand how the application is used, who is using it and for what business purpose, and the security profile of the vendor. Learn what security features are available. For example, are there optional data protection and privacy capabilities? Also understand the assumptions built into the product about the protections you are expected to provide on your side of the shared responsibility model.
5. Employ data encryption
Most channels used to communicate with SaaS applications use TLS to protect data in transit. Many SaaS providers offer encryption to protect data at rest as well. For some providers this is on by default; for others, it must be explicitly enabled by the customer. Where the option exists, it is a good idea to enable it. If a provider does not offer encryption at rest, tell them it is a feature you want added.
6. Consider CASB
Depending on your security requirements, you may choose to evaluate tools and controls that extend those requirements to the cloud. In the context of SaaS, consider cloud access security broker (CASB) options. With a CASB, an organization can layer in additional controls that the SaaS provider does not offer natively. For example, a CASB can provide better visibility into who is accessing the tool, better monitoring of usage and better data protection. Pay attention to CASB deployment modes: TLS 1.3 has increased the complexity of some agent-based models, while API-based modes usually require support from the SaaS provider itself, meaning the CASB you choose may not support every product on the market.
7. Consider SSPM
Another option is SaaS security posture management (SSPM). SSPM is similar in some ways to cloud security posture management (CSPM). With CSPM, you can more effectively ensure that a specific security model is applied consistently across multiple cloud deployments. SSPM does the same for SaaS: it helps ensure security policy is established and enforced across all SaaS platforms. SSPM vendors have translated defined technical policy objectives into the native configuration of different SaaS services; their tools can then query those services to verify that your configuration is in the desired state and alert you when it is not.
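The SSPM model described above, as an added Python example rather than any vendor's code: the SSO, MFA, encryption-at-rest and sharing objectives from the earlier sections are checked against two constructed services' native configurations through per-service translators, and every setting that drifts from the desired state is reported. Service names, configuration keys and values are all assumptions.

```python
"""SSPM-style posture check: translate policy objectives into each SaaS
service's native settings and report drift. Added example, not any SSPM
vendor's code; service names, config layouts and values are constructed."""
from typing import Callable, Dict, List, Tuple

# Desired state: the policy objectives every SaaS tenant must satisfy.
POLICY = {"sso_required": True, "mfa_enforced": True,
          "encryption_at_rest": True, "public_sharing": False}

# Each (constructed) service expresses the same objective with its own
# setting names and value types, so one translator per service is needed.
Translator = Callable[[dict], Dict[str, bool]]

def translate_chat(cfg: dict) -> Dict[str, bool]:
    return {
        "sso_required": cfg["auth"]["mode"] == "saml_only",
        "mfa_enforced": cfg["auth"]["two_factor"] == "required",
        "encryption_at_rest": cfg["storage"]["encrypted"],
        "public_sharing": cfg["sharing"]["public_links"],
    }

def translate_files(cfg: dict) -> Dict[str, bool]:
    return {
        "sso_required": cfg["login"]["sso"] == "enforce",
        "mfa_enforced": cfg["login"]["mfa_policy"] == "all_users",
        "encryption_at_rest": cfg["data"]["kms_key"] is not None,
        "public_sharing": cfg["links"]["anyone_with_link"] == "on",
    }

TRANSLATORS: Dict[str, Translator] = {"chat": translate_chat, "files": translate_files}

def check_posture(service: str, cfg: dict) -> List[Tuple[str, bool, bool]]:
    """Return (objective, expected, actual) for each objective out of policy."""
    actual = TRANSLATORS[service](cfg)
    return [(k, want, actual[k]) for k, want in POLICY.items() if actual[k] != want]

# Constructed current state, as a posture tool would fetch it from each API.
CURRENT = {
    "chat": {"auth": {"mode": "saml_only", "two_factor": "required"},
             "storage": {"encrypted": True}, "sharing": {"public_links": True}},
    "files": {"login": {"sso": "optional", "mfa_policy": "admins_only"},
              "data": {"kms_key": "key-id-placeholder"},
              "links": {"anyone_with_link": "off"}},
}

if __name__ == "__main__":
    for svc, cfg in CURRENT.items():
        for objective, want, got in check_posture(svc, cfg):
            print(f"[{svc}] {objective}: expected {want}, found {got}")
```

The translator layer is the part an SSPM vendor maintains for you; the policy dictionary is what your organization owns.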
8. Maintain situational awareness
As always, monitor SaaS usage. Examine data from internal tools, including a CASB if you use one, as well as any logs or other information provided by the service providers, to see where and how SaaS is being used.
IT and security leaders must understand that a SaaS offering is a powerful tool that requires the same degree of security as any other enterprise application. By adopting these SaaS security best practices alongside systematic risk management and ongoing security assessments, organizations can ensure their SaaS applications are used safely and remain protected.
Editor's Note: This article has been updated and expanded to include changes in cloud security best practices since its original publication in 2021 and to improve the reader experience.
Ed Moyle is a technical writer with over 25 years of experience in information security. He is currently the Head of IT at Drake Software.