Everyone loves new data technology. Everyone, that is, except for the people whose job it is to secure it.
SaaS technology is no different. The average organization uses about 130 different SaaS apps (up from only eight in 2015), adding 20-30 additional apps per year. At this point, SaaS applications effectively power the majority of businesses in most industries.
This pace of adoption is an immense challenge for IT and information security, because SaaS security differs significantly from standard data security. How did data security traditionally work - and why does that not work for SaaS?
Let’s dive in and see.
Why Standard Data Security Methods Aren’t Effective for SaaS Security
Long, long ago, when important data was kept in on-prem servers, securing it was (relatively) easy. Just lock the door, or - even better - station a guard. As soon as data storage and use was connected by networks, and then interconnected in ways only rivaled by the human nervous system, data security became a very nerve-wracking job indeed.
Over time, relatively effective data security methods evolved, chief among them:
- Endpoint security
- Network security
- Identity security solutions
Endpoint security (e.g. EDR) secures entry points of end-user devices like computers or mobile devices from malicious attacks and vulnerabilities. This is usually accomplished by a combination of software and agents installed on the devices to monitor, block, and respond to risky activities and potential threats.
Network security (e.g. SASE) focuses on protecting the integrity, confidentiality, and accessibility of data and resources within a network. This method safeguards the network infrastructure itself through measures like firewalls, intrusion detection systems, and secure network protocols, rather than individual devices.
Identity security (e.g. an IdP) protects data by managing and securing user identities and access privileges. It employs authentication, authorization, and user activity monitoring, focusing on who accesses data (and whether they are supposed to) rather than on securing devices or the network infrastructure.
Unfortunately, none of the above methods are effective enough for SaaS security risks. Endpoint and network security solutions attempt to protect SaaS applications indirectly through monitoring and reacting to the devices and/or networks that are transmitting the information. But even corporate SaaS is often accessed by users on personal, unprotected devices and networks, such as an employee editing a corporate document on their mobile phone during their commute to work.
In addition, any inline security method that requires agents or proxies between the different points on SaaS data’s route is inherently too slow for SaaS. SaaS’ widespread adoption is due to its promise to streamline workflows and increase productivity and efficiency. If you bog down the data workflow with endpoint or network security controls that check every guest at the door, SaaS can’t deliver on its promise. No-go.
Identity security solutions, such as IdP and IGA, do help manage general SaaS user access. However, the granularity and complexity of SaaS data permissions make it very challenging to be sure you’re giving the right access to the right person at the right time - all the time. Identity security solutions also have no visibility into the data itself and whether it could be risky for the data to be shared even by an authenticated user, leaving the door open to insider threats.
Insider threats also pose a challenge to network security solutions, since those insiders are trusted by the network and allowed to be using it.
In order to truly prevent a SaaS data breach, SaaS data security solutions need to have a deep understanding of SaaS data models. That’s something that endpoint, network and identity security solutions just don’t have. And without understanding, they can’t process SaaS data effectively and protect it in time - or protect it at all.
Why are SaaS Data Models So Important for SaaS Security?
Imagine that you’ve been hired as the head of security for a sprawling Amazon warehouse with hundreds of thousands of products. Your job: make sure no products leave the warehouse unless it’s for a legitimate order.
Now, you can’t hold up Amazon order fulfillment. So you can observe the employees and automated devices as they move around the warehouse, but you can only stop them if you have a reasonably-backed suspicion. How do you make sure you don’t miss real problems?
The key is a deep understanding of how this Amazon warehouse works. For example:
- What does each of the hundreds of employees do?
- What does each of the thousands of automated devices do?
- Who or what is supposed to interact with each product from the time it is delivered to the warehouse to the time it is sent out to a customer?
If you can answer every one of those questions confidently, then your chances of protecting the warehouse and its contents are good - even if all you can do is observe. Why?
Because if you see an employee passing through a corridor 10 times in one day, when usually she only passes through twice, you’ll have reason to suspect that something is off.
If you observe an IoT robotic arm packing products into shipping boxes, when its daily function is to pick products off warehouse shelves and put them on an automated cart, you’ll have reason to suspect that something isn’t right here.
With reasonable suspicion, you can then stop the person, device or product in its tracks and investigate. These instances in which you do stop the warehouse workflow will be so informed and targeted that you’ll be effectively keeping the warehouse secure without delaying Amazon’s fulfillment schedule.
Every Amazon warehouse, obviously, is going to be different. Different people, different processes. If you do such an amazing job at your first Amazon warehouse that you get promoted to oversee all its warehouses in one geographic region, you can’t just copy-paste your understanding of the first warehouse’s people and processes. You will need to develop a deep understanding of each warehouse in order to successfully secure them all.
And therein lies the importance of understanding the data model of each SaaS application you want to secure.
Variation in SaaS Data Models and Implications for SaaS Security
With all due respect for the complexity of Amazon warehouses, SaaS applications are much more varied in function and infinitely more complicated in design.
Let’s take an example of functions present in many SaaS applications: real-time collaboration and communication. Data changing and immediately visible in real-time is certainly something important to secure, and timeliness is key.
As with our warehouse, you can’t have security guards (which in SaaS apps would take the form of agent- or proxy-based CASB solutions) standing at the door checking every bit of data before letting it through. The whole benefit of real-time collaboration is that it is fast and efficient: a boost to productivity. If you slow it down, you lose the whole benefit.
The best you can do is observe the patterns of what is going on. If you have a deep understanding of how real-time collaboration is supposed to look on this particular application, in this specific instance, you’ll be able to identify anomalies and intervene in near real time.
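Observing from the side means building a per-actor baseline from the application’s own audit events and flagging deviations from it, without sitting inline. The following is an added example, not code from the original post or from DoControl, that applies the two warehouse signals above to SaaS events: a volume spike (the employee who crosses the corridor 10 times instead of 2) and an action an actor has never performed before (the robotic arm doing a job it was never meant to do). The event schema, the actor names and the 15 days of history are constructed for the example and are not any vendor’s real export format; the thresholds are assumptions to tune per environment.

```python
"""Behavioral baseline anomaly detection over normalized SaaS audit events.

Added example. Event fields, actors and history are constructed; thresholds
(z_threshold, min_count, sd_floor) are example values, not recommendations.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import statistics


@dataclass(frozen=True)
class SaaSEvent:
    """One normalized audit event (hypothetical schema for this example)."""
    ts: datetime
    actor: str
    action: str   # e.g. "edit", "download", "share_external"
    asset: str


HISTORY_START = datetime(2024, 3, 1)   # constructed 14-day baseline window
HISTORY_DAYS = 14


def expand_counts(actor, action, start, per_day):
    """Constructed helper: turn a list of daily counts into synthetic events."""
    events = []
    for offset, n in enumerate(per_day):
        for i in range(n):
            ts = start + timedelta(days=offset, hours=9, minutes=i)
            events.append(SaaSEvent(ts, actor, action, f"doc-{offset}-{i}"))
    return events


def build_sample():
    """Constructed history plus one 'today' containing two anomalies."""
    hist = []
    hist += expand_counts("alice", "share_external", HISTORY_START,
                          [2, 2, 3, 1, 2, 2, 3, 2, 1, 2, 2, 3, 2, 1])  # ~2/day
    hist += expand_counts("alice", "edit", HISTORY_START, [8] * HISTORY_DAYS)
    hist += expand_counts("bob", "share_external", HISTORY_START,
                          [0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0])
    hist += expand_counts("svc-backup", "download", HISTORY_START, [50] * HISTORY_DAYS)

    today_start = HISTORY_START + timedelta(days=HISTORY_DAYS)
    today = []
    today += expand_counts("alice", "share_external", today_start, [10])  # spike
    today += expand_counts("alice", "edit", today_start, [7])
    today += expand_counts("bob", "share_external", today_start, [1])
    today += expand_counts("svc-backup", "download", today_start, [50])
    today += expand_counts("svc-backup", "share_external", today_start, [1])  # never before
    return hist, today


def daily_counts(events):
    """{(actor, action): Counter(date -> count)}"""
    counts = defaultdict(Counter)
    for e in events:
        counts[(e.actor, e.action)][e.ts.date()] += 1
    return counts


def build_baseline(history, days):
    """Per (actor, action): (mean, population stdev) of the daily count.

    Days with no events count as 0 so that a quiet actor keeps a low mean.
    """
    start = min(e.ts.date() for e in history)
    window = [start + timedelta(days=i) for i in range(days)]
    baseline = {}
    for key, per_day in daily_counts(history).items():
        series = [per_day.get(d, 0) for d in window]
        baseline[key] = (statistics.mean(series), statistics.pstdev(series))
    return baseline


def detect(baseline, today_events, z_threshold=3.0, min_count=5, sd_floor=1.0):
    """Flag volume spikes and never-before-seen actions for known actors."""
    known_actors = {actor for actor, _ in baseline}
    findings = []
    for (actor, action), per_day in daily_counts(today_events).items():
        count = sum(per_day.values())
        if actor not in known_actors:
            findings.append({"actor": actor, "action": action, "count": count,
                             "reason": "no_baseline"})
            continue
        if (actor, action) not in baseline:
            findings.append({"actor": actor, "action": action, "count": count,
                             "reason": "novel_action"})
            continue
        mean, sd = baseline[(actor, action)]
        # sd_floor: treat +/- one event per day as noise even for very regular users
        z = (count - mean) / max(sd, sd_floor)
        if count >= min_count and z >= z_threshold:
            findings.append({"actor": actor, "action": action, "count": count,
                             "z": round(z, 2), "reason": "volume_spike"})
    return findings


if __name__ == "__main__":
    hist, today = build_sample()
    for f in detect(build_baseline(hist, HISTORY_DAYS), today):
        print(f)
```

Run as-is, it flags alice’s ten external shares (z = 8.0 against a mean of 2) and svc-backup’s first-ever external share, while bob’s single share and alice’s slightly quieter editing day pass. The `min_count` floor is what keeps one-off events from a low-volume user out of the queue; the `novel_action` path is what catches the service account, whose single share would never trip a count threshold.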
But there are multiple ways of implementing real-time collaboration, and different SaaS applications use different models that vary on everything from the algorithm to the application layer to the communications layer.
Google Docs’ real-time collaboration, for example, is based on operational transformation (OT). Slack’s real-time API, which powers collaboration on Slack Canvas, utilizes WebSockets as the communication layer. Canva, on the other hand, uses RSocket as the application layer of its real-time collaboration abilities.
If your SaaS security solution isn’t intimately familiar with the data model of your SaaS application, it will do a very clumsy job of protecting your data.
Changing Context and Why It Must Be Included in a SaaS Security Solution
Deep understanding of SaaS data models is the foundation of effective SaaS data security. But it’s only the foundation. To catch anomalies without disrupting legitimate SaaS data flow, you need an up-to-date picture of the context in which the SaaS data is moving. This picture must include user, business and security aspects.
Going back to our Amazon warehouse, even if you know exactly how all the people, devices and processes are supposed to work, you’ll get tripped up if something changes. And life is fluid, so something always changes:
- An employee gets sick and another employee takes over his daily tasks temporarily
- An employee is promoted or changes departments and her responsibilities change
- IoT machinery is discovered to have a security vulnerability, but there’s no patch yet
- An external consultancy is hired and they’ll be sending consultants to observe workflows in the warehouse
In SaaS, the data itself and how it usually moves is an important context to have. So is user behavior context: what is expected behavior for any given user. But relying on those contexts alone will hamper the effectiveness of your SaaS security.
Even if a user might normally download or share assets as part of their job role, if they are slated to leave the company in two weeks, effective security would dictate looking much more carefully at any attempt to transfer data out of the organization.
If your organization has just entered into an audit or the due diligence process before a potential acquisition, you definitely don’t want to prevent or delay the sharing of relevant financial documents with the involved parties.
This extra business and security context is critical for SaaS security, and yet most data security solutions don’t take it into account.
When we built DoControl, we made sure to make it multi-context, incorporating mission-critical business and security contexts. This required sophisticated SaaS data enrichments well beyond the purview of standard SaaS event reporting, including integrations with HRIS, IdP, DLP and EDR.
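The two situations above (a departing employee who normally shares files, and an audit or due-diligence window in which financial documents must flow to outside parties) show why a share event cannot be judged on the event alone. The following is an added example, not DoControl’s code or any vendor’s integration, of a policy evaluator that enriches one share event with HR context (a departure date, as an HRIS would supply), data context (a classification label, as a DLP scan would supply) and business context (an approved external engagement). The context sources, field names, domains and people are constructed for the example.

```python
"""Multi-context evaluation of a SaaS share event.

Added example. HR, DLP and business context are modeled as plain Python
inputs; in practice they would come from HRIS, DLP and ticketing/IdP
integrations whose schemas are not assumed here.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

CORP_DOMAIN = "corp.example"          # constructed
SENSITIVE_LABELS = {"financial", "source_code", "customer_pii"}


@dataclass(frozen=True)
class ShareEvent:
    actor: str
    asset: str
    label: str             # classification from a DLP-style scan
    recipient_domain: str
    day: date


@dataclass(frozen=True)
class Engagement:
    """Business context: an approved external data flow for a time window."""
    name: str
    label: str             # classification allowed to flow
    external_domain: str
    start: date
    end: date


def evaluate(event: ShareEvent, departure_dates: dict, engagements: list,
             notice_window_days: int = 30):
    """Return (decision, reasons). decision is 'allow', 'review' or 'block'."""
    reasons = []
    external = event.recipient_domain != CORP_DOMAIN
    if not external:
        return "allow", ["internal recipient"]

    sensitive = event.label in SENSITIVE_LABELS

    # Business context first: an approved engagement must not be delayed,
    # even for sensitive data, as long as label, domain and window all match.
    for eng in engagements:
        if (eng.label == event.label and eng.external_domain == event.recipient_domain
                and eng.start <= event.day <= eng.end):
            return "allow", [f"approved engagement: {eng.name}"]

    # HR context: an actor inside their notice period gets extra scrutiny,
    # regardless of whether external sharing is normal for their role.
    departing: Optional[date] = departure_dates.get(event.actor)
    leaving_soon = (departing is not None
                    and 0 <= (departing - event.day).days <= notice_window_days)
    if leaving_soon:
        reasons.append(f"actor departs on {departing.isoformat()}")

    if sensitive:
        reasons.append(f"label '{event.label}' to unapproved domain {event.recipient_domain}")
        return ("block" if leaving_soon else "review"), reasons

    return ("review" if leaving_soon else "allow"), reasons or ["non-sensitive external share"]


def build_sample():
    """Constructed context and events covering the cases in the text."""
    today = date(2024, 6, 10)
    departure_dates = {"alice": date(2024, 6, 20)}          # HRIS-style input
    engagements = [Engagement("FY24 audit", "financial", "auditor.example",
                              date(2024, 6, 1), date(2024, 7, 15))]
    events = {
        "alice_forecast_to_gmail": ShareEvent("alice", "q4-forecast.xlsx", "financial", "gmail.com", today),
        "alice_deck_to_partner": ShareEvent("alice", "roadmap-deck.pptx", "public", "partner.example", today),
        "carol_ledger_to_auditor": ShareEvent("carol", "ledger-2024.xlsx", "financial", "auditor.example", today),
        "carol_ledger_to_partner": ShareEvent("carol", "ledger-2024.xlsx", "financial", "partner.example", today),
        "dave_internal": ShareEvent("dave", "notes.docx", "financial", CORP_DOMAIN, today),
    }
    return departure_dates, engagements, events


def decide_all():
    departure_dates, engagements, events = build_sample()
    return {name: evaluate(ev, departure_dates, engagements) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in decide_all().items():
        print(f"{name}: {decision} ({'; '.join(reasons)})")
```

The ordering is the design point: the approved engagement is checked before the HR and sensitivity rules so that the audit share goes through untouched, while the same ledger sent to a domain outside the engagement lands in review, and the departing employee’s forecast, which last month would have looked like routine sharing, is blocked outright.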
Adapting to SaaS Security is an Imperative
SaaS adoption and use are growing - fast. DoControl’s survey and analysis of the SaaS environment of companies with over 1,000 employees found that, on average, companies started with 7.9M SaaS assets at the beginning of 2023 and ended the year with 22.8M. That’s growth of 189%!
If you use SaaS to power your business operations, your attack surface is growing just as fast. It must be protected, in a way that makes sense for SaaS.
A SaaS security solution can’t stand in the way of data flow, so it must be able to:
- understand SaaS applications: their data models, APIs and infrastructure
- quickly learn the unique processes and norms of your organization
- monitor from the side and recognize anomalies immediately
- take multiple types of context into account to make accurate calls
- move in to mitigate before damage is done
The pace of SaaS is picking up. It’s time to make sure that your SaaS security ups its game - and truly protects your data.