The shift from on-premises applications to SaaS-based applications has been rapid and expansive for many businesses. While these applications are effective in helping people do their jobs, they also introduce significant security challenges that relatively few enterprises fully recognize. The potential for, and likelihood of, data exfiltration increase dramatically as companies and business units allow access to assets such as Slack / Teams channels, Google Drive folders, Github Repositories among others with contractors, partners, customers, prospects and others that all reside outside the security perimeter.
In response, security vendors have offered perimeter solutions that help companies manage those who are looking for access to their corporate SaaS applications. But these solutions don’t continue monitoring those users once they are inside the SaaS applications, including tracking how users are accessing and sharing data. The SaaS applications themselves have security controls and features to help users proactively manage access to each given application, but those controls and features are inconsistent across apps, they are extremely complex to administer across a large organization, and they’re useless if the individual user doesn’t exercise the mindfulness to employ them.
With that starting point, let’s look at the three essential capabilities an effective SaaS security platform should provide that meets the needs of both Security/IT personnel and the SaaS users themselves, on the business side of the enterprise.
SaaS Asset Management
At the moment, asset management is a concept more closely associated with endpoint security and cloud infrastructure than it is with SaaS security. But we’re changing that, because any IT or security admin trying to perform asset management within SaaS applications will quickly find it to be an impossibly tedious, manual process of compiling data. So the first step of SaaS security has to be gaining complete understanding of what you need to protect.
To create a baseline, the SaaS security platform must provide full visibility of what is likely an extensive inventory of relevant information, including:
- SaaS applications
- Internal users
- External collaborators
- Third-party OAuth applications
- Centralized audit logs
- User activity
- Data exposures
- Data ownership
If you ask the typical IT or security admin how many people have access to their company’s data via SaaS applications, they may have a guess, but very few will actually have an answer. And chances are their guesses will be underestimates, sometimes by as much as an order of magnitude. But companies need to be fully aware of every entity -- individual or organization, internal or external -- that has access to their corporate data.
Such access may be granted directly from a sharing link generated by an employee, or it may be enabled indirectly via a third-party OAuth application. In either case, most companies have no idea how much access exists that allows external collaborators and third-party providers to exfiltrate their data, and they don’t know how much of this access stretches back in time to projects or other engagements that have concluded either recently or long ago.
Continuous Monitoring
Understanding the company’s data access behaviors provides the foundation companies need to minimize their SaaS exposure. Third-party risk management depends on it, but there are additional reasons why this information is so important. Compliance audits may require such information, and there may be cases in which these inventories are key to security investigations and other forensic matters.
In order to gain and maintain this visibility, companies need to be looking across the entire array of SaaS applications to understand where and when anomalous activity may be occurring. For the typical medium-to-large enterprise that is utilizing dozens of SaaS applications regularly and whose workers are engaging in anywhere from 50K to 5M SaaS activity events every week (including downloading, uploading, sharing, deleting, and more), trying to wrangle this in a decentralized way is all but impossible.
Successful monitoring starts with consolidation of events and logs across all the different SaaS applications in a centralized data warehouse. Companies also need categorization of users and personas in concert with this consolidation in order to recognize patterns in sharing activity and facilitate informed decision-making around data access.
Continuous monitoring is the only way companies can maintain compliance with security policies and sustain vigilance of the risks of breach via unwarranted SaaS application data access. By generating an exhaustive SaaS asset inventory and establishing a baseline for accessing of assets and by instituting continuous monitoring to look for suspicious data access activity, IT and security teams, as well as employees throughout the company, can take informed action, both retroactively and proactively, to remediate situations where data access is deemed to be unwarranted.
Automated Security Workflows
In far too many companies, the default behavior for many Security and IT teams now is to perform infrequent (at best) analyses of their individual SaaS applications. They also might check anomalies on an ad hoc basis. Instead, they should be relying on the SaaS security platform to update access to data within their SaaS applications to address the routine and inevitable changes the business experiences:
- Employees who are leaving the company
- External vendors or partners with whom the company has concluded business
- Data or files that have been shared publicly or externally but no longer should be
For mid-sized and large businesses, understanding both the number of external access via SaaS applications that has been created and how quickly business requirements change can make it painfully clear that managing this data access manually is completely infeasible. The only alternative to sticking one’s head in the sand and pretending the problem doesn’t exist is to engage a SaaS security platform that can automate data access enforcement workflows and centralize their orchestration. This essential capability gives IT and Security teams the time and bandwidth to focus on more than just chasing down external sharing links and the workers who enabled them to verify these links are still essential to the company’s business.
Further, the effective SaaS security platform enables not only the IT and Security teams to control data access; it empowers end users to take quick, decisive action when sharing permissions need to be changed. It’s the end user -- the individual employee -- who best understands what external access to company data is necessary and by whom. The platform must make it possible for the employee to take a holistic view of sharing access an external party or a departing colleague has and change those settings without going into each SaaS application individually to update permissions. This may include shutting off data or file access when access is no longer needed or white-listing an external party with whom the company is currently doing business.
An effective SaaS security platform empowers the Security and IT teams to create flexible policies that balance protection with business requirements, addressing many familiar issues:
- Internal users’ access and data-sharing rights for each SaaS application
- External users’ access to files/data within each SaaS application
- Time limits for access to files/data, determined by the system or user-provided access
- Restrictions on easy data-sharing options, confining such access only to those who need it as part of their day-to-day job responsibilities
Automated workflows quickly apply policies that can monitor and change the access settings that workers establish inside SaaS applications. Workflows can include automated check-ins through Slackbot to verify that the employee intended to share data externally. They can place expiration dates on sharing links, and they can provide visibility into unusually large migrations of data initiated by users -- sharing and/or downloading of documents -- that could indicate unwarranted data exfiltration.
Automation is the key element to attaining the 80/20 rule: When automated workflows address 80 percent of the company’s exposure of it’s SaaS data access, IT and security teams are given the invaluable resource of time to attend to the remaining 20 percent of sharing links and other higher value job responsibilities.
DoControl was designed to meet all these requirements
When we designed DoControl, we considered all of the needs just described -- and many more. Our SaaS security platform offers what no other platform can: End-to-end automated monitoring and management of access to limit the SaaS application exposure faced by today’s large corporations. We encourage you to explore our website to learn more about DoControl and get in touch with us to see how we can help your organization.