SaaS applications are proliferating, making up the largest cloud spending sector: Gartner predicts the segment will reach $122.6 billion this year. Many CISOs have adjusted their security approach to account for the growing adoption of SaaS solutions, but others are still playing catchup. Companies focused on on-premises or network-based security controls are at risk.
Decentralized IT Requires Enterprise SaaS Security and Governance
Shadow IT isn’t a new problem, but the pandemic accelerated adoption of SaaS solutions that are accessed outside company boundaries. Many cloud providers support IP whitelisting solutions, but the increasing risk of employees making direct connections to the cloud and bypassing the office network underscores the need for security. In addition to the data security implications, insufficient security can also create compliance problems.
To address these issues, IT professionals should consider a checks and balances approach that uses a cloud-ready IT architecture, defines good governance practices, and acknowledges the shared responsibility with cloud providers. This enables business users to use the cloud in a safe and responsible way.
The following three tips can help CISOs support the business with more effective SaaS security:
1. Enable the business with a modern IT architecture. The first step is to review your risks and controls and move traditional security mechanisms from the on-premises company network to cloud-ready solutions. For example, endpoints should be well protected outside the company network using cloud-native solutions that help enforce critical security controls, including patch management, configuration management and endpoint protection.
Additionally, it is key to ensure secure access to SaaS solutions. Security functions like multifactor authentication, access management, federation and other checks and balances need to be in place before employees use cloud solutions.
Cybersecurity should be a business enablement function because employees need to connect to the cloud to maximize their efficiency. By moving security measures from local networks to the cloud, IT delivers significant business value.
2. Assemble a multidisciplinary team to define good governance. In the old days, IT was in charge of creating the IT environment. Now, business owners often start their own ecosystems and define their governance rules. CISOs can better protect their company's precious assets by assembling a team with expertise in information technology, security, legal, compliance and privacy (and other areas as appropriate) to define governance rules for the enterprise. The team can revise governance using a risk-based perspective, creating detailed policies describing the required checks and balances for authorizing new cloud solutions. Evaluate the current processes to see how the review of SaaS solutions can be best embedded (the review could be triggered by the central procurement department).
One thing to keep in mind is that SaaS providers standardize offers to appeal to a broad market and companies can use that to their advantage. In reviewing cloud providers, ask for security assurance documentation or certifications. Alternatively, consider using standard material, such as from the Cloud Security Alliance. It’s also a smart idea to elevate security awareness across the company, securing buy-in on the governance effort.
3. Understand the shared responsibility model. It’s critical to understand exactly how security duties are segregated between the SaaS provider and the SaaS consumer so that nothing falls through the cracks. The underlying platform is typically managed by the SaaS provider whereas functions like user management, data and application configuration are the responsibility of the SaaS consumer.
SaaS Is Hot, So SaaS Security Is a Must
The right governance model and architecture will vary according to industry, compliance requirements, the company’s business strategy and other factors. The goal is to align IT’s strategy with the overarching business strategy, but in any governance framework, it’s crucial to clearly define the roles and responsibilities in ensuring SaaS security.
The business case for the cloud in general and SaaS solutions specifically is extremely strong, which is why demand is growing so quickly. For some CISOs, adapting to SaaS demand has been a challenge, especially given all the pressure of the last year with the shift to remote working. The good news is that SaaS companies have also matured, and when companies find the right vendor, the SaaS environment can provide a significant security upgrade and take some of the pressure off IT.
It’s important to keep in mind that security is a core component of IT’s business enablement mission. That’s why it’s so critical for CISOs who have relied on on-premises measures in the past to upgrade and modernize their security measures to align with new realities, which includes the widespread availability of SaaS solutions that business owners can obtain without IT oversight. With the right checks and balances in place, companies can ensure users have access to the tools they need and keep data secure.
Eric Kaasenbrood is the Chief Information Security Officer of Unit4, a global enterprise cloud application developer, with over 10 years of experience in information security.