Why SaaS security needs to have a higher profile [Q&A]
Increasing numbers of apps are moving to an SaaS model and containers, but the security of these applications doesn't always get much attention.
We spoke to BetterCloud CEO, David Politis who believes that SaaS security is an area that businesses need to take much more seriously.
BN: We hear a lot about typical cyber breaches, but less about SaaS security. When did this become a problem for companies?
DP: SaaS security has been an issue going all the way back to the beginning of software-as-a-service. Businesses were hesitant to move to the cloud back then because the idea of their data residing in another location other than in their own data centers seemed high-risk. SaaS vendors focused intensively on securing their customers’ data; they understood that a major data breach could lead to their business shutting down because customers would flee.
And you're absolutely right. You hear about big cyber breaches perpetrated by external attackers -- Equifax, Target, Home Depot, etc. -- and much less about SaaS threats, which can originate externally or from within by employees.
The SaaS landscape today is much different than when I entered the space in the early 2000s. We've reached an inflection point with the pandemic. Companies more than ever rely on SaaS applications to keep employees productive. Yet most companies are unprepared to handle the work that managing a full SaaS stack involves -- from tasks like onboarding an entire workforce to making sure data remains within company walls.
BN: There's been an explosion of SaaS applications and services which has made everything more complex. What are companies doing to protect their data within these?
DP: The SaaS software stack has grown -- and continues to grow -- exponentially. That has made IT's job of managing what users do with them much more complex.
The beauty of SaaS is that it's unlocked new levels of productivity. Employees today can work from anywhere from their phone. They can collaborate on Google Workspace, Slack, Salesforce right from their sofa. But this freedom is a double-edged sword. Employees often don't understand the security implications of deploying company data or assets in the cloud. They unintentionally -- and sometimes intentionally -- share files, emails and even passwords with employees who shouldn’t have access or, even worse, they share them with people outside the company.
The vulnerabilities created by incorrect settings and mistakes with SaaS application have mushroomed beyond IT's ability to manage them. As a result, we've seen the rise of a practice called SaaSOps. It involves a set of disciplines, processes, technologies, and people -- all aligned to properly manage a company’s SaaS stack. The intention is to continue to reap the productivity benefits of using SaaS applications, while keeping company assets safe and secure.
IT and security teams work together more closely than ever to address SaaS security. In most companies, the security team relies on IT to implement the policies to respond to threats. This dynamic environment calls for high degrees of collaboration between the two departments to protect critical assets, while enabling access to the technology that organizations need to fulfill their missions and stay competitive.
BN: Has this problem worsened during the pandemic?
DP: It's definitely worse today than before the pandemic. Last year's events triggered a massive exodus to remote work. That was a watershed moment for SaaS adoption and a profound catalyst for changing how people work. This move to remote and hybrid -- or flexible work, as some are calling it -- represents the tipping point in SaaS adoption. Companies achieved outsize productivity gains with SaaS before the pandemic; without SaaS, companies simply could not have shifted their entire workforce from offices to homes. But they struggled to replicate the same level of security that company headquarters could provide.
I've met with over 100 customers in the last 100 days to gauge how they are adapting to the current situation. Many customers emphasized the importance of SaaS as a means to enhance the employee experience, and the need for more automation. But, one of the biggest takeaways was that file security has become mission-critical.
Just recently we surveyed more than 500 IT and security professionals -- and examined internal data from thousands of organizations and users. We released a SaaS data security report which confirms that file security is a top priority. We see that companies are not investing enough in SaaS file security even though file security violations are rampant. Findings showed that security violations have spiked 134 percent, just to give you a sense of the critical point we’ve reached.
BN: Many more security tasks fall on the IT team's plate today, what has prompted that shift?
DP: The nature of SaaS has blurred lines between IT and security. Historically it was IT that managed the SaaS application stack -- and they still do -- so it's natural that managing the security side of things would fall under their purview.
That's why the SaaSOps movement is coming into play now, and the reason why IT and security teams are increasingly aligning and collaborating. We're finding that the topic of SaaSOps, and the capabilities we offer, are top of mind for senior IT leaders because they lack the visibility, auditability, and control of the collaboration and productivity suites they provide their employees. Solving this is key. It's the stitching that makes SaaS adoption successful. SaaS needs its own practice and team.
BN: Given this area of security gets less publicity, there seem to be fewer 'best practices' for companies to follow, what can businesses do to prepare?
DP: First, defining your SaaSOps policies. What are your rules around onboarding/offboarding, file sharing, lost devices, compliance, etc.? What would a policy violation -- and remediation -- look like? This foundation is crucial.
Second, run audits and review your SaaS apps. You may uncover policy violations you need to share across departments.
Third, share knowledge and collaborate across departments as much as possible. That's a common theme we hear every year at our customer conference Altitude. IT knows all the compliance requirements, so they can see how new tools can help with that.
For example, to build a robust off-boarding policy in BetterCloud, you'll need input from legal, HR, etc. The more complex your SaaSOps environment gets, the more you'll need to work with other departments. If you understand other people's workflows, you can get a budget for tools more easily, demonstrate credibility, and break out of your IT silo. Learning how to work with other departments and then forming alliances may be the number one best practice -- crucial to managing this challenge.