SaaS applications and what they mean for security management [Q&A]
The move to using SaaS applications has been accelerated by the pandemic, with many businesses turning to the cloud to enable their staff to work remotely.
But this raises new issues around keeping the business secure. We spoke to Shailesh Athalye, vice president of compliance at security and compliance platform Qualys, to discover more about the issues and how to approach them.
BN: Why are SaaS applications more difficult to manage securely?
SA: SaaS applications help teams collaborate more effectively, particularly as more people are working remotely during the global pandemic. As users adopt them for business processes, SaaS apps hold and manage sensitive data and access to it.
However, unlike IaaS and PaaS where security teams are involved in bringing them in and getting them ready for production use, SaaS apps can be brought in by business users and security teams are not involved. The biggest challenge today for security teams is therefore getting visibility into all the SaaS apps that users have access to and share data through. Unlike other applications that can be centrally managed, each SaaS application provides its unique model for access and data control. This makes it more challenging to manually track the security posture of each app.
Last but not least, the big picture of segregating authorized access from suspicious user activities requires not just SaaS app security data but correlated device data to see patterns and potential risk. This makes it very difficult to use point solutions on their own without a lot of manual work.
BN: How does SaaS application security fit into the wider security process?
SA: When you can get applications through simple sign-up forms or with credit card payments, it means that it’s easier to deploy these kinds of services without going through IT for procurement or support. While it makes life easier for those business teams, these shadow IT operations are harder for IT to control and keep secure. If you only rely on the default settings and security controls provided within each individual SaaS solution, this should be a big concern.
Many times, security teams are not aware of or involved in these projects. Even for those security teams who are aware of and involved in their adoption, protection priorities can still be misaligned, incomplete or intermittent. If you don't pay attention to how your SaaS applications are being accessed and used over time, you can find yourself open to attack via a different route.
IT environments are moving to hybrid models of cloud, endpoints, mobile devices and SaaS applications. For compliance teams that have to include SaaS apps in their reporting, applying standard security policies around access control and configuration management is hard with automation. You should be able to provide insights into your SaaS app compliance posture at any point in time and show that these applications are fully compliant. Similarly, if your security teams are investigating any security incidents or suspicious activities, you should be able to correlate your findings across multiple tools or services to get that full picture across SaaS security, user activities and risk levels to carry out an effective investigation.
BN: What gaps exist, and how can these be improved and be consolidated?
SA: Cloud Access Security Broker (CASB) point solutions can provide further security and compliance, but they still don't go far enough. While CASBs can intercept traffic and either allow or deny access, this normally doesn't assess the profile of the device either. It's important to take a defense in depth approach, combining knowledge of your users, their roles and their access to SaaS applications. This should be a continuous process in order to provide full protection. Life over the last year has led to fluidity in work patterns, and keeping things secure involves tracking those problems and stopping issues before they become risks.
More often than not, businesses have adopted multiple SaaS applications at once -- Zoom for video conferencing, Slack for instant messaging and Google Drive for file storage and collaboration, for example -- but how can the IT Security team keep this under control and managed? Putting together an ongoing inventory of SaaS applications is hard enough, and then protecting each individual application across the entire enterprise is a nuisance to keep on top of, and issues will be missed. Instead, IT Security teams need centralized management within a single console in order to comprehensively monitor access privileges for applications and data, alongside more traditional endpoint detection and response approaches that can look at weaknesses and other potential attacks.
BN: What needs to change and how will improving things like context and automation help?
SA: Automation and visibility are the key areas for improvement here. You should be able to detect SaaS application security requirements such as multi-factor authentication settings to check that they are being applied properly. Secondly, you can identify potential data exfiltration opportunities such as data shared with external users.
Getting all the information in one place makes life easier for your IT Security team. Having a single console with data on all your SaaS applications provides a continuous inventory of all files containing sensitive data, a granular list of users with access to that data and visibility into third-party apps that may have potentially dangerous permissions enabled. All of this data can be correlated with other data such as network location, vulnerability alerts on the device and endpoint detection and response alerts. As a result of this, your IT Security team should be able to unify their approach to data, so you can prioritize and respond to suspicious activities if they come up.
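The three checks named in this answer (MFA enforcement, data shared with external users, third-party apps with broad permissions) can be expressed as a posture sweep over an exported SaaS inventory. The script below is an added example written for this page, not code from the interview or from Qualys. The tenant domain, the scope names treated as high risk, the severity thresholds and every user, file and app record are constructed for illustration and are not taken from any real SaaS API.

```python
"""Added example: posture sweep over a constructed SaaS inventory.
Flags users without MFA, files reachable by external parties, and
third-party OAuth apps holding broad scopes. All identifiers, scope
names and records are constructed for illustration."""
from dataclasses import dataclass
from typing import List

COMPANY_DOMAIN = "example.com"  # assumption: the tenant's primary domain

# Assumption: scopes an organization treats as high risk for a third-party app.
HIGH_RISK_SCOPES = {"drive.readall", "mail.readall", "admin.directory"}

# --- constructed inventory (not exported from any real tenant) ---------------
USERS = [
    {"email": "alice@example.com", "mfa_enforced": True,  "role": "admin"},
    {"email": "bob@example.com",   "mfa_enforced": False, "role": "admin"},
    {"email": "carol@example.com", "mfa_enforced": False, "role": "user"},
]
FILES = [
    {"name": "Q3-forecast.xlsx", "owner": "alice@example.com", "sensitive": True,
     "shared_with": ["bob@example.com", "partner@vendor.test"], "link": "domain"},
    {"name": "lunch-menu.pdf",   "owner": "bob@example.com",   "sensitive": False,
     "shared_with": [], "link": "anyone"},
    {"name": "payroll.csv",      "owner": "carol@example.com", "sensitive": True,
     "shared_with": [], "link": "anyone"},
]
THIRD_PARTY_APPS = [
    {"name": "CalendarSync",  "granted_by": "alice@example.com", "scopes": {"calendar.read"}},
    {"name": "MailBackupBot", "granted_by": "carol@example.com", "scopes": {"mail.readall", "drive.readall"}},
]

@dataclass
class Finding:
    severity: str   # "high" or "medium"
    category: str   # "mfa", "external_share" or "third_party_app"
    subject: str
    detail: str

def is_external(email: str) -> bool:
    # Anything outside the company domain counts as an external recipient.
    return email.split("@")[-1].lower() != COMPANY_DOMAIN

def check_mfa(users) -> List[Finding]:
    # Every account without MFA is a finding; admin accounts are rated high.
    return [Finding("high" if u["role"] == "admin" else "medium", "mfa",
                    u["email"], "MFA not enforced")
            for u in users if not u["mfa_enforced"]]

def check_external_shares(files) -> List[Finding]:
    out = []
    for f in files:
        externals = [e for e in f["shared_with"] if is_external(e)]
        if f["link"] == "anyone":           # anyone-with-the-link is external by definition
            externals.append("anyone-with-link")
        if externals:
            sev = "high" if f["sensitive"] else "medium"
            out.append(Finding(sev, "external_share", f["name"],
                               "shared with: " + ", ".join(externals)))
    return out

def check_third_party_apps(apps) -> List[Finding]:
    out = []
    for a in apps:
        risky = sorted(a["scopes"] & HIGH_RISK_SCOPES)
        if risky:
            out.append(Finding("high", "third_party_app", a["name"],
                               f"granted by {a['granted_by']}: {', '.join(risky)}"))
    return out

def run_posture_sweep(users=USERS, files=FILES, apps=THIRD_PARTY_APPS) -> List[Finding]:
    # Correlate the three checks into one prioritized list for the console view.
    findings = check_mfa(users) + check_external_shares(files) + check_third_party_apps(apps)
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f.severity], f.category, f.subject))

if __name__ == "__main__":
    for f in run_posture_sweep():
        print(f"[{f.severity.upper():6}] {f.category:16} {f.subject}: {f.detail}")
```

The sweep reports six findings on this data, four of them high: an admin without MFA, two sensitive files reachable outside the domain, and a third-party app holding mail and drive read scopes. Feeding a real tenant's export in place of the constructed lists, and running it on a schedule, gives the continuous inventory the answer calls for.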
BN: The enterprise everywhere approach has also led to a greater reliance on mobile devices, what risk do they present to wider IT security?
SA: As employees continue to use business applications and access sensitive data from their mobile devices, businesses need to consider how these critical assets can be adequately protected. As security teams have been more focused on assets present inside traditional organizational boundaries, attackers are taking advantage of lesser security controls among Android, iOS and iPadOS devices as an entry point into the larger corporate networks.
If you can compromise a device, then you can access any critical data present on that corporate mobile device. However, it doesn’t end there, as attackers can try and move laterally inside the corporate network to gain access to more data.
Traditional vulnerability scanning approaches for mobile devices rely on the employee to regularly connect the device to a VPN or the organization's network in order to detect vulnerabilities. Mobile Device Management (MDM) also falls short with a lack of flexible patching, and its 'policy-based prevention' fails to assess device or application vulnerabilities.
The number of vulnerabilities and exploits for mobile devices is growing, and vendors are releasing updates fixing those problems all the time. Security teams can no longer perform the job of mapping application updates to vulnerabilities manually, as it slows down the process of remediation.
BN: How can mobile device security be improved in light of this?
SA: The same continuous approach to security and visibility is needed for mobile assets. You need to know that these devices exist and you have to monitor their connections constantly, which isn't possible if you are reliant on a device connecting to a VPN or company network. Instead, you need real-time visibility of all those mobile devices with a detailed inventory of hardware and software information such as firmware, OS, location, network and more.
Once critical vulnerabilities are found, the patches and updates need to be automatically correlated for security teams to define the path of response -- whether to apply new updates or to take stricter 'over-the-air' actions such as locking the device or restricting its connection to the corporate network until the device posture is within an acceptable risk threshold. Continuous monitoring should also be used to assess vulnerabilities and security weaknesses against industry standards and a comprehensive vulnerability database.
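The correlation step described in this answer, matching each device's OS version against the versions that fix known issues and turning the result into an update or an over-the-air restriction, can be sketched in a few lines. The script below is an added example written for this page, not code from the interview or from Qualys. The issue labels, fixed versions, device records and the 72-hour check-in threshold are constructed placeholders, not real advisories or vendor policy.

```python
"""Added example: correlate a constructed mobile device inventory with a
constructed list of OS issues and their fix versions, then derive the
response action. Labels, versions and thresholds are illustrative."""
from dataclasses import dataclass
from typing import List, Tuple

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

def parse_version(v: str) -> Tuple[int, ...]:
    # "15.4.1" -> (15, 4, 1); tuple comparison gives correct numeric ordering
    # where plain string comparison would rank "15.10" below "15.4".
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Issue:
    label: str       # placeholder identifier, not a real advisory
    platform: str    # "ios" or "android"
    fixed_in: str    # first OS version that contains the fix
    severity: str    # "critical", "high" or "medium"

@dataclass
class Device:
    device_id: str
    platform: str
    os_version: str
    hours_since_checkin: int   # time since the agent last reported inventory

# --- constructed data (not a real vulnerability feed or fleet) ---------------
ISSUES = [
    Issue("MOB-001", "ios", "15.4.1", "critical"),
    Issue("MOB-002", "ios", "15.3", "medium"),
    Issue("MOB-003", "android", "12.0.1", "critical"),
    Issue("MOB-004", "android", "12.1", "high"),
]
DEVICES = [
    Device("ipad-01",   "ios",     "15.4.1", 2),
    Device("iphone-02", "ios",     "15.2",   1),
    Device("pixel-03",  "android", "12.0.1", 5),
    Device("pixel-04",  "android", "11.0",   96),
]

def open_issues(device: Device, issues=ISSUES) -> List[Issue]:
    """Issues for this platform whose fix version is newer than the device runs."""
    have = parse_version(device.os_version)
    return [i for i in issues
            if i.platform == device.platform and parse_version(i.fixed_in) > have]

def recommend_action(device: Device, issues=ISSUES, stale_after_hours: int = 72) -> str:
    """Map device posture to a response. Thresholds are assumptions for the example."""
    if device.hours_since_checkin > stale_after_hours:
        # No current inventory means posture is unknown; treat as out of policy.
        return "quarantine: no recent inventory, block corporate access until it checks in"
    pending = open_issues(device, issues)
    if not pending:
        return "compliant"
    worst = min(pending, key=lambda i: SEVERITY_RANK[i.severity])
    # Updating to the highest fix version closes every pending issue at once.
    target = ".".join(map(str, max(parse_version(i.fixed_in) for i in pending)))
    if worst.severity == "critical":
        return f"lock device and restrict corporate network until updated to {target} ({worst.label})"
    return f"push update to {target}; {len(pending)} open issue(s), worst {worst.severity}"

def posture_report(devices=DEVICES, issues=ISSUES) -> List[Tuple[str, str]]:
    return [(d.device_id, recommend_action(d, issues)) for d in devices]

if __name__ == "__main__":
    for dev_id, action in posture_report():
        print(f"{dev_id:10} {action}")
```

On the constructed fleet the fully patched iPad is compliant, the iPhone on 15.2 is behind a critical fix and gets locked until it reaches 15.4.1, the Pixel on 12.0.1 only needs a pushed update, and the device that has not checked in for four days is quarantined because its posture cannot be assessed at all, which is the gap a VPN-dependent scan leaves open.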