Why SaaS needs a holistic approach to security [Q&A]
As organizations move more of their systems to the cloud, they face a new range of threats. This, combined with a shortage of cybersecurity skills, makes securing SaaS systems a challenge.
Galit Lubetzky Sharon, co-founder and CTO of Wing Security, believes that a new, more holistic approach, involving employees across the organization, is needed. We spoke to her to learn more.
BN: What are some things all organizations should understand (but may not) about SaaS security?
GLS: SaaS (Software-as-a-Service) security is not a new concept. Still, it is often overlooked and not always protected properly, leaving many organizations vulnerable to attacks. SaaS security is no different than other security practices that organizations put into place, but what they often miss is how weaknesses in SaaS security truly impact companies -- from external data sharing to risky applications and blind spots (commonly known as Shadow IT). As a result, organizations are at risk without fully understanding what to look for when securing their SaaS environments. Here are three things companies should pay attention to:
- Blind Spots: Organizations need a reliable workflow to quickly assess all applications while gathering information on what SaaS applications are used and how. The number of security practices organizations need to implement, and the number of applications and the amount of data moved around a company, are at an all-time high. With all these moving parts, vulnerabilities and risks will fall through the cracks. Therefore, it is vital to have a system that can isolate and analyze each application and provide complete visibility into and understanding of each of your SaaS applications.
- External Data Sharing: File sharing is both a necessity and convenience in business nowadays, but employees need to think of all the files, repositories and data that have been shared for years and that are still being shared. Companies must also implement tools that streamline the monitoring and regulation process for data collaborations with people outside the organization. This enables leaders to revoke unnecessary and risky shared resources in just a few steps.
- App2App-Related Threats: App2App connections are necessary for a smoother workflow and better SaaS service. The challenge here is that SaaS applications often communicate sensitive information and data between them. App2App connections, left unattended, can potentially lead to lateral movement into your organization's data. It's therefore important to make sure SaaS environments are clean and updated, and that unnecessary or unused apps, tokens and permissions are removed.
BN: What is your best advice for leaders looking to improve SaaS security in their organizations?
GLS: When looking at an organization's SaaS security, I advise leaders to look at how they can support their security teams and look for holistic solutions that work seamlessly without being too intrusive or inline. Security teams can only see and do so much. A solution that can automatically jump in and help remediate any suspicious activity while continuously discovering, classifying and controlling your environment is critical for SaaS application security. With that, organizations' leaders need to be able to assess their SaaS landscape quickly and easily, along with gathering pertinent information such as how, what, and when new SaaS apps are being used. This will help gain deep visibility into the state of the company’s SaaS security and manage it to the fullest extent.
BN: What are the biggest SaaS threats organizations potentially face? How can they combat these threats ahead of time?
GLS: As security leaders, it would be nice if we could predict the future and know what risks and threats our company faces. Unfortunately, we do not have that luxury; instead, we can understand what threats our organizations can potentially face and plan accordingly.
SaaS threats can look very different depending on your environment. Companies often succumb to attacks when they assume that all vendors put comprehensive security procedures into their product and that it is secure. Even when this is the case, it is not enough to ensure security. Another thing we see pretty often is organizations not correctly onboarding applications. This can lead to several issues for an organization, including when users 'accept all' and begin using the application without a complete understanding of what data is being exposed and what other applications are now working in the background for this app, bringing in unwanted vulnerabilities the team wouldn't know exist.
While there is no crystal ball to see what threats your company could potentially face, there are many things you can do to prepare and protect the company ahead of time. Since attacks in the SaaS domain are an increasing phenomenon, I recommend first having visibility into the apps being used at all times, understanding the security level and implications of these apps, and then automating the recommended remediation to make sure that the gaps are mitigated as fast as possible. Organizations should begin by leveraging a discovery and automatic remediation tool that allows teams to know all the applications they are using, so you can react quickly to situations if they occur and catch any risks and vulnerabilities at the start without compromising your company's time.
BN: How can leaders leverage their existing resources to help combat potential threats?
GLS: I’m sure we're all familiar with the cyber skills shortage and frequent lack of resources to progress cyber initiatives, which puts a ton of pressure on security teams tackling existing and emerging cyber risks. Instead of putting more on their plates to pick and choose which issues are more dangerous than the rest, I think a lot of companies overlook how the rest of their employees can be leveraged to help security teams combat threats.
It's not uncommon for security leaders to think that employees are the weakest links in cybersecurity due to little background knowledge and natural human error. However, I'd argue that employees today -- many of whom grew up with the ability to work online and interact with a bunch of connected technology -- comprehend organizational security challenges more than, say, a decade ago. And, with the rising number of monitoring and remediation tools, a new security paradigm is emerging where end users don’t have to be a liability, but a strength.
Companies can start leveraging their employees by involving them in securing the SaaS applications they use and familiarizing them with security tools that only require a minute of their time, every now and again. While CISOs are responsible and security teams should maintain full visibility and control over security processes, some tasks like revoking tokens, permissions or shared data can be given to the employees who best know the business context of the apps they choose to use. Employees who already understand their own apps and who can identify anomalous behavior will be invaluable allies in preventing and counteracting cyber threats.
BN: Security is evolving and so are security teams. What should the modern security team look like?
GLS: A company's cybersecurity is no longer this siloed responsibility reserved only for IT administrators and teams with very specific and technical job titles. Since almost everyone, from company executives to new hires, uses company technology and SaaS applications, individuals across all organizational levels can (and should) start to play a more prominent role in security.
If we want to paint a picture of a modern security team from top to bottom, let's start with the C-suite. Leadership sets the tone for the organization by being knowledgeable about technology risks and allocating appropriate resources (personnel, defense technology and company-wide training time) to invest in an improved security posture. Next, there's the security personnel, the experts who take on the most intricate responsibilities of creating defense systems that can remediate security alerts, managing upgrades and strategically planning for security initiatives.
Too often, security is perceived as the 'blocker': don't do this, can't use that… Security teams should have continuous tools for ongoing visibility and remediation that will allow them to react quickly. With the proper solutions in place, security can allow employees to use almost any SaaS they want and need, so that they are no longer the blockers but rather the enablers.
To support security teams in crossing t's and dotting i's, there are the employees. As the primary users of company applications and SaaS solutions, employees should have access to remediation technologies so that they can help identify and fix suspicious technology or application activity that they may encounter during an average work day. This is where it is important to call out the importance of having innovative SaaS security platforms. As SaaS application use rapidly grows, organizations need to leverage solutions that provide visibility into employee SaaS use as well as automatic remediation for the security issues that they find. Having these capabilities will bolster your company's line of defense and improve the efficiency of security for every level of the modern team.