Chris Hughes
Contributing Writer

Why you need a SaaS governance plan, and what should be in it

17 Aug 20217 mins
Cloud Security

The rapid proliferation of authorized and unauthorized software-as-a-service solutions presents significant security risks. Now is the time for a strategy to manage those risks.

Credit: Thinkstock

SaaS adoption is far outpacing IaaS consumption. Despite that, organizations are focusing almost exclusively on infrastructure security. They must also consider a SaaS governance plan that implements security measures to reduce risk associated with their SaaS usage. That plan includes a combination of compliance frameworks, documentation/due diligence and technical measures for ongoing monitoring and risk reduction.

Much of the security discussion around cloud adoption focuses on infrastructure-as-a-service (IaaS)/platform-as-a-service (PaaS) providers such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud, and for good reason. Organizations have experienced tremendous growth of IaaS adoption and seen countless security breach headlines associated with IaaS misconfigurations.

However, the risks that poorly implemented and secured SaaS present have been neglected. Gartner predicts SaaS will remain the largest public cloud market segment, and that prediction came prior to COVID-19, which facilitated an unprecedented SaaS boom. Furthermore, organizations typically tend to use only a few IaaS providers, such as the big three cloud service providers (CSPs), while consuming many more SaaS offerings. A 2020 study from Blissfully found that large enterprises use as many as 288 different SaaS apps, with small- to medium-sized businesses (SMBs) using more than 100.

While your organization may have started to mature its IaaS security, the same likely isn’t true for the more expansive and diverse SaaS landscape. This reality also makes shadow IT usage of SaaS providers much more prevalent than IaaS providers, due to the large array of SaaS offerings in the marketplace and the ease with which you can consume them, often with as little as a credit card.

A study conducted by Zylo found that organizations are adding, on average, ten SaaS offerings to the enterprise per month and IT only directly manages 25% of them. That is a lot of unmanaged SaaS risk. Despite this exponential growth in SaaS usage, a study by AppOmni found that only 32% of respondents employ any type of tooling to ensure data security in SaaS.

Despite this widespread SaaS adoption, why do organizations continue to focus almost exclusively on IaaS security concerns? Some of that is due to misunderstanding the shared responsibility model and assuming in a SaaS environment the CSP is responsible for everything. The other factor is that security teams are simply struggling to keep pace with their organizations’ cloud usage and with the fallout from widespread high-profile IaaS data breaches.

Major IaaS providers offer clear certification and learning paths, ensuring professionals can learn how to secure their platforms and attest to that. SaaS doesn’t offer that same scenario. As security professionals, we must continue to evolve, and SaaS security is ripe for maturing to the point where it can begin to mitigate this enormous amount of unaddressed risk.

An approach to SaaS risk

Implementing security for SaaS usage should be data driven. This means looking at the internal data that the SaaS offering has access to, the level of access within your enterprise, and the potential security and regulatory ramifications if that data was to be inadvertently exposed or maliciously compromised. This is especially true with today’s geographically dispersed workforce where individuals access data from everywhere, often from their own devices.

The first step in the process is capturing what SaaS your organization is using. Depending on the organization’s maturity and technical architecture, this could be a manual inventory management process or require technical tools such as cloud access security brokers (CASBs), which can help identify shadow SaaS use.

When organizations start to put security rigor around their SaaS usage, they tend to take two approaches. One focuses on security frameworks such as SOC2, PCI and FedRAMP as well as documentation review. The other focuses on technical assessment, hardening and ongoing monitoring. The ideal approach involves a bit of both as discussed below.

Frameworks, documentation and reports

When organizations begin to vet SaaS offerings for their organization (ideally prior to purchasing and implementing them), it tends to involve popular frameworks such as SOC2, CSA CCM and STAR/CAIQ, or FedRAMP.

SOC2 has increasingly become a popular option for SaaS providers, since it helps to validate a company’s internal controls related to security, availability, confidentiality, integrity and privacy. Another popular option is CSA’s Consensus Assessment Initiative Questionnaire (CAIQ), which documents what controls exist in XaaS offerings and is tied to CSA’s Cloud Controls Matrix (CCM), a cloud specific security control framework. On the public sector side, the Federal Risk and Authorization Management Program (FedRAMP) is widely used as a way to authorize cloud service offerings (CSOs) for government consumption and uses NIST 800-53 security controls.

Organizations often do and should ask for these certifications becaue they often include a third-party assessment organization (3PAO) process where a third party verifies that the SaaS organization and its offering meet a specific level of security rigor. This gives your organization a level of assurance that the SaaS offering isn’t fully insecure and that the organization is doing basic security activity around its own infrastructure and how they handle and store customer data.

The choice of which frameworks to use largely depends on the industry the organization is operating in as well as the maturity of the SaaS vendor. Given these frameworks can be time and resource intensive, newer SaaS vendors usually don’t pursue the certifications until they have matured a bit and their customers have asked for them. There is also the reality that due to the exponential number of SaaS offerings in the market, some of the major compliance programs simply haven’t kept pace, such as FedRAMP.

In cases where the SaaS vendor doesn’t have a certification or audit, or even if they do, and the data you will use them for them is highly sensitive, you may wish to dig into their documentation and other criteria to vet their suitability. This could include results from internal or external pen tests (which often require an NDA) and discussions around architecture, authentication, encryption and much more. These additional activities help give your organization a level of assurance related to the risk of using a specific SaaS offering.

Technical SaaS coverage/capabilities 

While frameworks are a great start in terms of vetting SaaS offerings, it is just a start. You should also consider technical controls, configurations and monitoring as part of your SaaS governance strategy. Each SaaS offering comes with myriad unique features, configurations and settings, most of which your staff will be unfamiliar with from a security perspective.

Enter SaaS security posture management (SSPM) tools, which monitor your SaaS application’s security posture. Some of the most popular SSPM tools are AppOmni and Obsidian. These vendors support some of the leading SaaS offerings such as Box, GitHub, Salesforce, and Slack.

They have crafted secure configurations, security scanning, best practices and recommendations for helping organizations harden their SaaS usage. Many of these offerings leverage industry resources where possible, such as CIS Benchmarks for SaaS offerings including Microsoft 365 and Google Workspace, which both can contain sensitive data and communications.

These hardening efforts can help protect your organization from prevalent security concerns such as account compromise, insecure configuration, compliance, and access management. They can also help with incident response. This is incredibly valuable, as your workforce likely doesn’t have the specific security insight and expertise needed for each of your SaaS applications. SSPM vendors constantly add more SaaS offerings to their coverage and depending on the size of your organization, you may be able to help shape their product roadmap to cover SaaS that is widely used in your organization.

In addition to technical security concerns, organizations must also be concerned with compliance in the SaaS paradigm. Remember that shared responsibility model? It still applies here.

Platforms such as AppOmni can help automatically enforce critical compliance controls related to widely applicable frameworks such as PCI, HIPAA, GDPR and NIST. It’s untenable for an organization to maintain continuous compliance with these frameworks across potentially hundreds of SaaS apps, and this is where technical solutions to augment those efforts can really shine.

Chris Hughes
Contributing Writer

Chris Hughes currently serves as the co-founder and CISO of Aquia. Chris has nearly 20 years of IT/cybersecurity experience. This ranges from active duty time with the U.S. Air Force, a civil servant with the U.S. Navy and General Services Administration (GSA)/FedRAMP as well as time as a consultant in the private sector. In addition, he also is an adjunct professor for M.S. cybersecurity programs at Capitol Technology University and University of Maryland Global Campus. Chris also participates in industry working groups such as the Cloud Security Alliances Incident Response Working Group and serves as the membership chair for Cloud Security Alliance D.C. Chris also co-hosts the Resilient Cyber Podcast. He holds various industry certifications such as the CISSP/CCSP from ISC2 as holding both the AWS and Azure security certifications. He regularly consults with IT and cybersecurity leaders from various industries to assist their organizations with their cloud migration journeys while keeping security a core component of that transformation.

More from this author

Exit mobile version