Imagine this scenario:
You have valuables in your house.
and
You live in a neighborhood known for break-ins.
and
You haven’t taken any significant security measures.
WHAT?!
What are you waiting for?!
If your organization uses SaaS systems like Google Workspace, Slack or Zoom to store or share important business data, and you haven’t yet put serious thought into your SaaS security… well, then, it’s good you’re reading this post.
What is SaaS Security?
SaaS security is the protection of the data, identities, configurations and app connections in your cloud-based software from unauthorized access, misuse and corruption.
As SaaS applications become the primary means of accessing and sharing data, they become an increasingly tempting target for bad actors, making SaaS security absolutely essential.
6 Top SaaS Security Threats
1. Over-permissions
It’s so easy to share data assets over a SaaS application. Just click “share”, specify to whom you want to give viewing or editing permissions, click “Save” and voila: instant access for the party shared with!
This simplicity is by design; SaaS apps are intended to simplify collaboration and streamline workflows. But bound up in that benefit is the danger of over-sharing and too-wide permissions. “Anyone in the organization can view.” “Anyone with the link can view.” The chances of a user carelessly giving unintended access to a party that shouldn’t have it are high. So high that in an end-of-2023 analysis of our client base, we found that the average large organization had 35K assets containing sensitive data shared publicly.
2. Phishing and other social engineering attacks
Access credentials are the key to SaaS user accounts… and to all the permissions and privileges held by those users. For this reason, credentials and identities are one of the primary access methods used by bad actors when it comes to SaaS. That makes attempts to steal access credentials, like phishing attacks and social engineering stratagems, a primary strategy. And the better email and messaging providers get at identifying phishing-type emails, the more creative phishers get in their attack delivery and execution.
3. Misuse of legitimate (or once-legitimate) access
The power of access credentials for misuse extends to those users who are the legitimate owners of those credentials! Often this happens when a user no longer works for or with the organization, and they should really have had their access revoked, but no one took care of it. We’ve seen former employees access company assets up to two years after leaving the company!
Employees can even go bad while they’re still working for a company, and decide to use their authorized access for unauthorized purposes, like personal financial gain or a desire to harm the organization. Because these insiders are supposed to be within the SaaS environment, it is much more complicated to catch and identify them as harmful actors.
4. Proliferation of connected apps
If there’s an app for that, someone probably decided it would be useful in their work within your SaaS environment. This turns into a problem when:
- Your IT or information security team doesn’t know about it or has lost track of it
- The app has more permissions than it really needs for its function
Over-permissioned shadow apps can easily and quietly turn into leaky SaaS data faucets.
5. Widespread integration of generative AI
AI is the newest, coolest kid on the block. Which means you need to learn more about it and its risks before you let it loose on your SaaS apps and assets. You need to know how generative AI can expose sensitive data even if it follows your access permission settings. You need to know why user laziness is a top security pitfall with AI - and how to combat that with effective security education. Basically, AI can be a great advantage - as long as you go into it with your eyes wide open.
6. Dependency on vendor security
When you use SaaS applications, your security is subject to the Shared Responsibility Model. There are some security responsibilities you have, and some that your SaaS provider has. This makes life a little easier on you - but also increases your risk, because there are things that need to be done to secure your sensitive data that are out of your hands. If your SaaS vendor doesn’t live up to their responsibilities, or misses something (even through no fault of their own), and gets breached - you may pay a price.
The same goes for third-party vendors. Quite a few recent data breaches have been chalked up to a third-party provider being given access to SaaS apps or systems, and then neglecting or making a mistake in securing that access.
The Importance of Implementing SaaS Security Best Practices
Losing your SaaS assets or access has both immediate and long-term ramifications. A primary category of negative ramifications is financial consequences, both direct and indirect:
- footing the cost of breach remediation and recovery
- loss of strategic advantage if strategy or IP is leaked
- penalties for failure to comply with regulatory standards like GDPR and HIPAA
Other common negative consequences include legal action and reputational damage.
For this reason, doing the reasonable utmost to prevent SaaS threats from becoming realities is the logical and sane thing to do.
11 Key SaaS Security Best Practices to Implement
1. Make access credentials hard to crack or brute-force
Strong passwords.
Multi-factor authentication.
You know you should require them, right?
Right.
And you do require them, right?
Uhhh…
There are too many organizations that have been breached due to a failure to enforce strong passwords and multi-factor authentication on Every. Last. Account.
Don’t let your organization be another one.
2. Check for (and fix!) any SaaS misconfigurations
Your high-level security settings are your low-hanging security fruit. Make sure you compare your SaaS configurations to required or recommended industry standards (e.g. CIS, NIST Zero Trust, etc.) and adjust any places where your configurations deviate.
Configuration security isn’t a one-off. Multiple factors, such as updates and app interactions, can cause your secure configurations to change. So SaaS configuration security necessitates continuous monitoring to make sure that your secure configurations stay secure.
3. Assess data sensitivity accurately
You can’t protect the sensitive data in your SaaS systems when you haven’t identified it as sensitive. And with millions of assets in the typical organization’s SaaS ecosystem, this isn’t something you can check manually. Sensitive data discovery and classification tools are necessary - but the frequency of false positives and false negatives that occur with many tools and methods can lead you astray. Make sure you have advanced, context-sensitive data classification tools.
4. Keep your asset permissions as narrow as possible
You don’t need the entire population of your country to have a key to your house. Likewise, you almost never need SaaS assets to be available to “anyone with the link”, or even “anyone at the organization.” There are exceptions, but for most organizations they are few and far between.
The wider your permission scopes are, the larger your SaaS attack surface grows. Any wide permission scope should be granted only after serious thought, and certainly not as a default.
5. Ensure thorough offboarding for both internal and third-party users
Just like you shouldn’t give asset and application access to users who don’t need it, you shouldn’t leave access with users who don’t need it anymore (even if they did once upon a time).
Former employees. Previous partners. Contractors who have finished the project they were hired for.
If there isn’t a concrete reason for them to still have access to any given asset or application, revoke it. Like too-wide permission scopes, retained access just increases your SaaS attack surface with no benefit to you.
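Practices 4 and 5 both come down to the same periodic review: find sensitive assets shared wider than policy allows, and find grants still held by people who have left. The script below is an added example, not DoControl's code or any vendor's API; the scope labels, the asset record layout, the sample inventory and the offboarding list are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Sharing scopes ordered from narrowest to widest; the names are assumed
# labels for this example, not any vendor's API values.
SCOPE_RANK = {"specific_users": 0, "anyone_in_org": 1, "anyone_with_link": 2}


@dataclass
class Asset:
    asset_id: str
    owner: str
    sensitive: bool                 # result of a prior data-classification step
    scope: str                      # one of the SCOPE_RANK keys
    shared_with: list = field(default_factory=list)  # explicit grantee emails


@dataclass
class Finding:
    asset_id: str
    kind: str                       # "wide_scope" or "stale_access"
    subject: str                    # the scope or the grantee at fault
    action: str                     # the narrowing step to take


def review_assets(assets, offboarded, widest_allowed="specific_users"):
    """Flag sensitive assets shared wider than widest_allowed, and explicit
    grants still held by identities in offboarded (email -> leave date)."""
    findings = []
    limit = SCOPE_RANK[widest_allowed]
    for a in assets:
        if a.sensitive and SCOPE_RANK[a.scope] > limit:
            findings.append(Finding(a.asset_id, "wide_scope", a.scope,
                                    f"restrict to {widest_allowed}"))
        for grantee in a.shared_with:
            if grantee in offboarded:
                left = offboarded[grantee].isoformat()
                findings.append(Finding(a.asset_id, "stale_access", grantee,
                                        f"revoke (left {left})"))
    return findings


def summarize(findings):
    """Count findings per kind so the review can be tracked over time."""
    counts = {"wide_scope": 0, "stale_access": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


# Constructed sample inventory and offboarding list (not real data)
SAMPLE_ASSETS = [
    Asset("doc-1", "pat@example.com", True, "anyone_with_link"),
    Asset("doc-2", "pat@example.com", True, "anyone_in_org",
          shared_with=["alice@example.com"]),
    Asset("doc-3", "sam@example.com", False, "anyone_with_link"),
    Asset("doc-4", "sam@example.com", True, "specific_users",
          shared_with=["bob@example.com", "alice@example.com"]),
]
OFFBOARDED = {"alice@example.com": date(2022, 3, 1)}

if __name__ == "__main__":
    results = review_assets(SAMPLE_ASSETS, OFFBOARDED)
    for f in results:
        print(f)
    print(summarize(results))
```

The `widest_allowed` parameter is where the "few and far between" exceptions live: run the review with `specific_users` as the default and grant a wider limit only for the assets that have a documented reason. Note that `doc-3` is never flagged even though it is public, because the classification step marked it non-sensitive; the quality of that step decides the quality of this review.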
6. Monitor for behavioral anomalies
What about those users who ARE supposed to have access to assets and applications? Your accounting department users need to have access to assets containing financial information and PII - they wouldn’t be able to do their job otherwise! So how are you supposed to tell if a legitimate user is doing illegitimate things with their access?
Well, you watch what they do.
Monitoring user behavior, comparing to behavioral benchmarks for that user and others like them (e.g. same department, same role), and picking out behavioral anomalies is the process by which you catch insider threats. Make sure you have an insider threat detection and response (ITDR) solution that can do that effectively.
7. Bring business context into your evaluations of insider threat
Often, in order to pick out activity that is truly a suspicious anomaly (and not just a variation in business needs or roles), your ITDR solution will need to take business context into account.
Is the user about to leave the company? That awareness could point to seemingly normal asset interactions (like downloading files or sharing them with personal accounts) actually being red flags that should be investigated.
Is the user a contact person for an external organization that is investigating your company (e.g. M&A, auditing)? That awareness could point to otherwise suspicious asset interactions (e.g. sharing sensitive financial information with third parties) as being normal and necessary business activity.
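Practices 6 and 7 together describe one scoring loop: compare each user's activity to a peer-group baseline, then let business context raise or lower the bar. The following is an added example, not DoControl's detection logic; the activity counts, the department, the context flags and the thresholds are constructed assumptions. It uses a median/MAD baseline rather than mean/standard deviation so that one outlier cannot inflate its own baseline.

```python
from collections import defaultdict
from statistics import median

MAD_TO_SIGMA = 1.4826   # scales MAD to a standard-deviation-like unit for normal data

# Constructed one-day activity counts: (user, department, action, count)
DAILY_COUNTS = [
    ("ann", "accounting", "download", 12),
    ("bob", "accounting", "download", 10),
    ("cat", "accounting", "download", 14),
    ("dan", "accounting", "download", 20),
    ("eve", "accounting", "download", 11),
    ("ann", "accounting", "share_external", 1),
    ("bob", "accounting", "share_external", 0),
    ("cat", "accounting", "share_external", 1),
    ("dan", "accounting", "share_external", 0),
    ("eve", "accounting", "share_external", 9),
]

# Constructed business context, as an HR system or engagement list might supply it
CONTEXT = {
    "dan": {"departing": True},       # resignation on file
    "eve": {"audit_contact": True},   # liaison for an external audit
}


def peer_baselines(counts):
    """Robust baseline per (department, action): (median, MAD-derived scale)."""
    groups = defaultdict(list)
    for _user, dept, action, n in counts:
        groups[(dept, action)].append(n)
    baselines = {}
    for key, values in groups.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        # Assumed floor: when every peer is identical, MAD is 0 and any deviation would divide by zero
        scale = MAD_TO_SIGMA * mad if mad > 0 else 1.0
        baselines[key] = (med, scale)
    return baselines


def score_activity(counts, context, threshold=3.5, departing_threshold=2.0):
    """Return {'alerts': [...], 'suppressed': [...]} of (user, action, z, note).
    Departing users get a lower threshold; an audit liaison's external sharing
    is recorded but not alerted, because the context explains it."""
    baselines = peer_baselines(counts)
    result = {"alerts": [], "suppressed": []}
    for user, dept, action, n in counts:
        med, scale = baselines[(dept, action)]
        z = round((n - med) / scale, 2)
        ctx = context.get(user, {})
        limit = departing_threshold if ctx.get("departing") else threshold
        if z <= limit:
            continue
        if action == "share_external" and ctx.get("audit_contact"):
            result["suppressed"].append((user, action, z, "expected: external audit liaison"))
        elif ctx.get("departing"):
            result["alerts"].append((user, action, z, "departing user; lowered threshold"))
        else:
            result["alerts"].append((user, action, z, "peer-group outlier"))
    return result


if __name__ == "__main__":
    for bucket, items in score_activity(DAILY_COUNTS, CONTEXT).items():
        print(bucket, items)
```

Run without context (`score_activity(DAILY_COUNTS, {})`) and the picture inverts: dan's download count sits under the default threshold and is ignored, while eve's external sharing becomes a plain alert. That is exactly the difference the practice describes between "suspicious anomaly" and "variation in business needs or roles".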
8. Involve your end users in remediation processes
Sometimes insiders are threats not because they mean evil, but because they don’t know enough or don’t think enough about actions before taking them. Education is the key to the first issue, and real-time education (i.e. when the user is actually taking the action) is the key to the second.
Implement a SaaS security remediation solution that will not only fix risky actions taken by users, but will let them know about the problem and, ideally, get them to fix the problem themselves. This involvement puts security awareness front and center in the user’s consciousness, and lets them know that your organization takes it seriously.
9. Be on top of your connected apps
The wonderful world of third-party OAuth apps, integrations and add-ons: it’s what makes SaaS so useful, productive and… risky. After all, your risk of a break-in goes up with every additional housekey you give to someone.
OAuth apps are the most problematic when:
- You don’t know about them
- Their permission scopes are wider than they really require for their business function
- They were used at one time, but not anymore
- A breach outside your organization compromised OAuth tokens for an app, but you didn’t rotate them (this often happens when you don’t know about, or forgot about, the app in question)
The solution to all of the above is keeping careful track of every third-party OAuth app connected to your SaaS environment. Step one is knowing that the app is there. Step two is knowing if the app should be there - or if all its permissions should be there. Step three is revoking whatever access is unnecessary.
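The three steps above, and the four problem cases before them, map onto one inventory review. This is an added example, not DoControl's or any SaaS platform's code; the scope strings, the approved-app registry, the vendor breach notice and the app inventory are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class ConnectedApp:
    app_id: str
    vendor: str
    granted_scopes: frozenset   # scope strings as the platform records them (illustrative here)
    last_used: date
    token_issued: date


# Approved registry: app_id -> the scopes its business function actually needs (assumed)
APPROVED_SCOPES = {
    "calendar-sync": frozenset({"calendar.readonly"}),
    "pdf-export": frozenset({"drive.readonly"}),
    "crm-connector": frozenset({"directory.read"}),
}

# Constructed: vendors with a published token-compromise notice and its date
VENDOR_BREACH_DATES = {"vendorb": date(2024, 5, 1)}

# Constructed review date and inventory, as pulled from an admin console
TODAY = date(2024, 6, 30)
SAMPLE_APPS = [
    ConnectedApp("calendar-sync", "vendora", frozenset({"calendar.readonly"}),
                 date(2024, 6, 20), date(2024, 1, 10)),
    ConnectedApp("pdf-export", "vendorb", frozenset({"drive", "gmail.readonly"}),
                 date(2024, 6, 25), date(2024, 2, 1)),
    ConnectedApp("crm-connector", "vendorc", frozenset({"directory.read"}),
                 date(2024, 1, 15), date(2023, 11, 1)),
    ConnectedApp("unknown-helper", "vendord", frozenset({"drive"}),
                 date(2024, 6, 28), date(2024, 6, 1)),
]


def review_apps(apps, approved, breach_dates, today=TODAY, stale_days=90):
    """Step 1: apps nobody registered. Step 2: scopes beyond need, apps no
    longer used, tokens issued before a vendor breach. Returns
    (app_id, kind, recommended action) tuples."""
    findings = []
    for app in apps:
        if app.app_id not in approved:
            findings.append((app.app_id, "unknown", "review with owner or revoke"))
        else:
            excess = app.granted_scopes - approved[app.app_id]
            if excess:
                needed = ", ".join(sorted(approved[app.app_id]))
                findings.append((app.app_id, "over_scoped", f"re-consent with only: {needed}"))
        if today - app.last_used > timedelta(days=stale_days):
            findings.append((app.app_id, "stale", f"revoke; unused for over {stale_days} days"))
        breach = breach_dates.get(app.vendor)
        if breach and app.token_issued < breach:
            findings.append((app.app_id, "token_predates_breach",
                             "revoke and re-authorize so the token is rotated"))
    return findings


def step_three(findings):
    """Step 3: every app whose access must be revoked or narrowed."""
    return sorted({app_id for app_id, _kind, _action in findings})


if __name__ == "__main__":
    found = review_apps(SAMPLE_APPS, APPROVED_SCOPES, VENDOR_BREACH_DATES)
    for row in found:
        print(row)
    print("act on:", step_three(found))
```

The "forgot about the app" case in the last bullet shows up as `unknown-helper`: it fails step 1, so nothing downstream (its scopes, its vendor's breach status) was ever being checked until the inventory was pulled. The breach check is deliberately keyed on `token_issued`, not on when the app was added, because a token granted long before an incident is the one that needs rotating.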
10. Aim for near real-time detection and alerts
SaaS moves fast.
SaaS threats move fast.
Your SaaS threat detection needs to move just as fast in order to be effective.
While it would be nice to prevent risky activity before it takes place, that isn’t practical for SaaS, because it would require a data “tollbooth” (usually referred to as a proxy- or agent-based system) that can’t operate at the speed and scale of normal SaaS activity.
The closest you can get (without jamming up your SaaS workflow and defeating the whole point of SaaS) is an event-based system that identifies risky activity immediately after it occurs. At that point, action can be taken to reverse the risk before it can become an actual threat.
11. Use automated workflows
Near real-time detection of risk is only useful if you can act on it in real time. Alerts that sit in the message queue of your information security team member may be seen and addressed too late to be helpful. Effective SaaS security requires some level of automated response to detected risks. The automation needs to be granular and targeted so that it can prevent threats without disrupting workflows and blocking productivity.
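Practices 8, 10 and 11 describe the same pipeline: consume the platform's sharing events as they arrive, decide per event whether to act, and make the acting user part of the fix. The handler below is an added example, not DoControl's workflow engine; the event fields, scope labels, classification results and response policy are constructed assumptions. The policy is deliberately granular: only the highest-risk combination is reverted automatically, the next tier asks the user, and everything else is left alone so normal work is not blocked.

```python
from dataclasses import dataclass

# Constructed classification results for the assets seen in the event stream
SENSITIVE_ASSETS = {"doc-1": True, "doc-2": True, "doc-3": False}

# Response policy keyed by (sensitivity, new sharing scope). Scope labels are
# assumed for this example, not a vendor's API values. Unlisted combinations
# need no action.
RESPONSE_POLICY = {
    ("sensitive", "anyone_with_link"): "auto_revert",   # reverse, then tell the user
    ("sensitive", "anyone_in_org"): "ask_user",         # user confirms or narrows it
}


@dataclass
class Response:
    event_id: str
    asset_id: str
    decision: str          # "auto_revert", "ask_user" or "none"
    restore_scope: str     # scope to restore when decision is auto_revert, else ""
    user_message: str      # real-time education text sent to the acting user


def decide(event, is_sensitive):
    """Map one sharing-change event to a granular response."""
    sensitivity = "sensitive" if is_sensitive(event["asset_id"]) else "normal"
    decision = RESPONSE_POLICY.get((sensitivity, event["new_scope"]), "none")
    restore = event["old_scope"] if decision == "auto_revert" else ""
    if decision == "auto_revert":
        msg = (f"{event['asset_id']} contains sensitive data and was shared "
               f"'{event['new_scope']}'. Sharing was reset to '{restore}'. "
               "Reply with a business justification if wider access is needed.")
    elif decision == "ask_user":
        msg = (f"{event['asset_id']} contains sensitive data and is now visible "
               f"to '{event['new_scope']}'. Confirm this is needed or narrow it "
               "to specific people.")
    else:
        msg = ""
    return Response(event["event_id"], event["asset_id"], decision, restore, msg)


def process_stream(events, is_sensitive=SENSITIVE_ASSETS.get):
    """Handle events in arrival order; one Response per event, no batching,
    so the reaction lag is the lag of the event feed itself."""
    return [decide(e, is_sensitive) for e in events]


# Constructed audit-log events (not real), in the shape a platform might emit
SAMPLE_EVENTS = [
    {"event_id": "e1", "actor": "pat@example.com", "asset_id": "doc-1",
     "old_scope": "specific_users", "new_scope": "anyone_with_link"},
    {"event_id": "e2", "actor": "sam@example.com", "asset_id": "doc-2",
     "old_scope": "specific_users", "new_scope": "anyone_in_org"},
    {"event_id": "e3", "actor": "sam@example.com", "asset_id": "doc-3",
     "old_scope": "specific_users", "new_scope": "anyone_with_link"},
]

if __name__ == "__main__":
    for r in process_stream(SAMPLE_EVENTS):
        print(r.event_id, r.decision, r.restore_scope or "-")
        if r.user_message:
            print("  ->", r.actor if hasattr(r, "actor") else "", r.user_message)
```

In a real deployment `decide` would be followed by the API call that applies `restore_scope` and the message delivery to `event["actor"]`; both are left out here because they are platform specific. The part worth keeping is the shape of the decision: the policy table is the only thing that needs changing when an organization decides which combinations are worth an automatic reversal.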
How to Choose a Secure SaaS Provider
The foundation of SaaS security is choosing SaaS applications from providers who take security seriously. As mentioned above, SaaS security is predicated on the Shared Responsibility Model, so make sure your SaaS provider appreciates and takes their share of the responsibility!
Here are several important things (by no means a thorough list) to look into before you settle on a SaaS provider:
Check what regulatory standards they comply with
What regulatory standards apply to your organization and its data? GDPR? HIPAA? ISO/IEC standards? Make a list and then make sure that your SaaS provider complies with/is set up to comply with those standards.
The SaaS provider should not just state that they comply with the standards, but actually provide proof in the form of independent third-party evaluation and certification, much as Google Workspace does here.
Make sure they encrypt your data
If bad actors somehow breach your SaaS provider, you don’t want your data to be handed to them on a silver platter. Make sure your data gets encrypted, both in transit and at rest. End-to-end encryption is ideal.
Check the levels of permissions they offer
Different SaaS providers offer differing levels of granularity when it comes to data access governance. Google Workspace, for example, offers three basic options of access permissions (Edit, Comment, View), whereas Box offers seven.
The greater the granularity of access permissions, the greater your ability to achieve true least privilege access. At the same time, more options can confuse end users, leading them to choose the wrong level of permission or to just pick the broadest level of permission.
Take your data access governance needs and the savviness of your users into account when deciding which SaaS provider to go with.
FAQ
How often should SaaS security be audited?
SaaS security should be audited annually, with quarterly vulnerability scans for ongoing risk detection. Continuous monitoring for real-time alerts is essential, and post-incident audits are necessary after security breaches. Audits should also follow any significant system changes or updates. Compliance with industry-specific regulations may require more frequent audits (e.g., GDPR or HIPAA).
What is the role of encryption in SaaS security?
Encryption in SaaS security protects data by converting it into unreadable code, ensuring confidentiality both in transit and at rest. It safeguards sensitive information from unauthorized access, prevents data breaches and helps meet compliance requirements for privacy regulations.
How can SaaS providers ensure data protection?
SaaS providers can ensure data protection by implementing encryption, strong access controls, regular security audits, continuous monitoring and data backup. Adhering to industry regulations (e.g., GDPR, HIPAA), conducting vulnerability assessments and employing multi-factor authentication further secure sensitive data, preventing unauthorized access and potential breaches.
Are there compliance standards for SaaS security?
Yes, compliance standards for SaaS security include SOC 2, ISO 27001, GDPR, HIPAA and PCI-DSS, among others. These frameworks ensure data protection, privacy and security controls, requiring SaaS providers to adhere to best practices in risk management, data handling and regulatory compliance to safeguard sensitive information.
Meet DoControl - The #1 Multi-Layer SaaS Security Solution
DoControl was designed to enable you to easily implement SaaS security best practices for the multiple layers and attack surfaces of SaaS: data, identities, configurations and connected apps.
DoControl’s Data Access Governance and Data Loss Prevention secure your data all across your SaaS ecosystem. Advanced data classification methods mean that no sensitive data goes undiscovered, and automated workflows mean that any detected threat can be mitigated in near real-time.
DoControl’s Identity Threat Detection & Response (ITDR) and Insider Risk Management secure your user identities, protecting you from external threat actors or insider threats. Behavior benchmarking for individuals and groups, along with important contextual information from HRIS, EDR and IdP systems enable smart differentiation between normal business activity and suspicious actions.
DoControl’s Shadow App Discovery & Remediation secure your third-party OAuth connected apps by monitoring app behavior and removing unnecessary apps and app permissions.
DoControl’s SaaS Misconfiguration Management secures your admin configurations, checking them against industry standards like CIS and offering remediation guidance.
Crack Down on SaaS Security
Knowledge is power - and now you have the knowledge you need to power your implementation of SaaS security best practices. You know what’s at stake, and you know what to do to keep your SaaS assets safe.
We wish you safe and secure SaaS - and we’re here to help you attain it.