SaaS platforms face a number of challenges inherent in cloud services. There are four main security challenges for SaaS:
1. Decentralized platforms and applications
In the past, organizations stored and managed applications and data on-site, giving IT and security complete visibility and control. These same departments usually chose the applications used by the entire organization, and any change to the status quo required a lengthy management-approval and provisioning process.
Now, the ease of deployment and low initial cost have made it possible for many users to buy SaaS applications on their own budgets. These cloud applications fall outside the scope of IT or security, creating a "shadow IT" problem. Surveys have shown that there can be more than 32 different SaaS application invoice owners in an average-sized company.
The main problem shadow IT creates for SaaS security is that the executives who own these applications, not experienced security experts, are responsible for ensuring they are configured to run effectively and securely.
But how many non-IT or non-security leaders are equipped to implement proper security settings, let alone understand the shared responsibility model?
The group that could help secure these applications, whether the IT manager, the information security manager, or the enterprise security team, may not be aware that these applications are in use. Even when these teams are aware, they often do not have the access needed to monitor and manage the applications.
2. Complex and custom configurations
An average-sized organization has more than 185 SaaS applications, each with hundreds of unique controls and settings that can be adjusted and re-adjusted to customize functionality. Furthermore, every organization, and every group within an organization, has its own needs and challenges in securing SaaS.
Manually configuring these applications can be cumbersome for even the most experienced security teams. The sheer volume of SaaS applications and inconsistency in settings makes it impossible for security teams to be experts in every application.
Balancing functionality and security is like dancing on a tightrope. Once a SaaS application has been customized to deliver the functionality the team using it requires, its settings often no longer provide optimal security and may conflict with compliance requirements.
SaaS applications also interact with other SaaS applications or internal systems. All of this makes it nearly impossible to detect anomalies and investigate vulnerable SaaS configurations across applications.
According to Cybersecurity Insiders' 2020 Cloud Security Report, enterprises ranked cloud platform misconfiguration at the top of the list of SaaS security challenges facing public clouds. The lack of qualified security staff has been cited as the biggest obstacle to protecting these environments. This combination can lead to breaches that could have been avoided if proper security configurations were in place.
3. Dynamic environments and user access
In dynamic business environments, anything and perhaps everything can change daily. In today's CI/CD (Continuous Integration/Continuous Delivery) world, SaaS providers push code into production frequently, sometimes changing key functionality and interoperability, and often affecting security settings.
Employees and their business roles also change frequently, requiring new privileges for users. Security teams and administrators must have access privileges to make changes as the environment evolves.
The easiest way to ensure that the appropriate teams have the necessary permissions to support the environment is to allow broad access privileges. But SaaS security best practices call for limiting access privileges to only those who need them and revoking those privileges when they are no longer needed.
This simple concept can be difficult to implement. Managers may forget to lower a user's access level when a project is finished, for example, and security teams may not notice that elevated access is still in place when it is time to provision that user for a new role.
Over time, manually managed applications experience configuration drift as the effects of individual setting changes compound. This drift can expose data to internal and external threats.
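Configuration drift is easiest to catch when a security baseline is written down and compared with a fresh settings snapshot on a schedule. The following is an added example, not code from the original article: it compares a constructed baseline with a constructed snapshot and reports settings that drifted, vanished, or appeared without ever being reviewed (the application names and setting keys are placeholders, since each real SaaS admin API has its own vocabulary).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    app: str
    setting: str
    expected: object
    actual: object
    kind: str  # "drift", "missing", or "unreviewed"


# Constructed security baseline: the value each setting must have.
BASELINE = {
    "crm": {"mfa_required": True, "session_timeout_minutes": 30, "public_link_sharing": False},
    "chat": {"mfa_required": True, "guest_access": False, "retention_days": 365},
}


def detect_drift(baseline, current):
    """Compare a live settings snapshot with the baseline.

    Returns one Finding per setting that drifted from its baseline value,
    disappeared from the snapshot, or appeared in the snapshot without a
    baseline entry (an "unreviewed" setting nobody has assessed yet).
    """
    findings = []
    for app, expected_settings in baseline.items():
        actual_settings = current.get(app, {})
        for key, expected in expected_settings.items():
            if key not in actual_settings:
                findings.append(Finding(app, key, expected, None, "missing"))
            elif actual_settings[key] != expected:
                findings.append(Finding(app, key, expected, actual_settings[key], "drift"))
        for key in actual_settings.keys() - expected_settings.keys():
            findings.append(Finding(app, key, None, actual_settings[key], "unreviewed"))
    return findings


# Constructed snapshot: MFA was relaxed in chat and a new sharing setting appeared.
SNAPSHOT = {
    "crm": {"mfa_required": True, "session_timeout_minutes": 30, "public_link_sharing": False},
    "chat": {"mfa_required": False, "guest_access": False, "retention_days": 365,
             "external_file_sharing": True},
}

if __name__ == "__main__":
    for f in detect_drift(BASELINE, SNAPSHOT):
        print(f"{f.kind:10} {f.app}.{f.setting}: expected={f.expected!r} actual={f.actual!r}")
```

Running the check after every vendor release and every admin change turns drift from something discovered in an incident into a routine finding with an owner.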
4. Installation and management of shadow IT
Third-party integrations into SaaS applications can dramatically improve their functionality and capabilities but also increase the potential for inappropriate exposure.
AppOmni data shows that on average more than 42 distinct third-party apps connect to live SaaS environments. Worryingly, nearly half of them are connected directly by end users rather than by IT or security administrators.
Many of these third-party apps can read, write, and delete sensitive data. They can also access user groups, workspaces, or multiple areas of the company network, including other SaaS applications.
Multiple issues can arise with third-party apps, including uncertainty about which apps have been approved, what permissions each app holds, and who is allowed to install apps. Without a comprehensive SaaS security monitoring platform, it is also often unknown what users do with the data those applications access.
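A first step toward answering those questions is an inventory of connected apps triaged by who installed them and what their granted scopes allow. The block below is an added example rather than code from the article or from any vendor: it scores a constructed inventory of OAuth-style app grants, treating end-user installs with write, delete or admin scope, apps missing from an approved list, and long-unused grants as the cases to review first (the app names and scope strings are placeholders).

```python
WRITE_SCOPES = {"write", "delete", "admin"}


def scope_verb(scope):
    """Map an OAuth-style scope such as 'files:delete' to its verb part."""
    return scope.split(":")[-1]


def triage_app(app, approved_apps):
    """Return (risk_level, reasons) for one connected third-party app.

    app: dict with keys name, installed_by ("admin" or "end_user"),
    scopes (list of 'resource:verb' strings) and last_used_days.
    """
    reasons = []
    verbs = {scope_verb(s) for s in app["scopes"]}
    user_install_with_write = app["installed_by"] == "end_user" and bool(verbs & WRITE_SCOPES)
    if app["name"] not in approved_apps:
        reasons.append("not on the approved list")
    if user_install_with_write:
        reasons.append("end-user install with write/delete/admin scope")
    if "admin" in verbs:
        reasons.append("admin scope granted")
    if app["last_used_days"] > 90:
        reasons.append("unused for over 90 days; candidate for revocation")
    if "admin" in verbs or user_install_with_write:
        level = "high"
    elif reasons:
        level = "medium"
    else:
        level = "low"
    return level, reasons


def triage_inventory(apps, approved_apps):
    """Triage every app and return (name, level, reasons) sorted highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = [(app["name"], *triage_app(app, approved_apps)) for app in apps]
    return sorted(results, key=lambda r: order[r[1]])


# Constructed inventory of apps connected to a SaaS tenant.
APPS = [
    {"name": "calendar-sync", "installed_by": "admin", "scopes": ["calendar:read"], "last_used_days": 3},
    {"name": "bulk-exporter", "installed_by": "end_user", "scopes": ["files:read", "files:delete"], "last_used_days": 120},
    {"name": "sig-generator", "installed_by": "end_user", "scopes": ["profile:read"], "last_used_days": 10},
]
APPROVED = {"calendar-sync", "sig-generator"}

if __name__ == "__main__":
    for name, level, reasons in triage_inventory(APPS, APPROVED):
        print(f"{level:6} {name}: {'; '.join(reasons) or 'no issues'}")
```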