The Software-as-a-Service landscape has evolved greatly in recent years with more and more organizations implementing SaaS offerings as part of digital transformation strategies.
SaaS has grown to become a common delivery model for many business applications, including office software, messaging software, payroll processing software, DBMS software, and management software, among others.
However, as is often the case when new and innovative approaches gain popularity, new security and data protection risks arise as a result. That has proven to be so with the rise of SaaS solutions that commonly hold and process mission-critical and sensitive information which must be secured to avoid potentially damaging breaches and security incidents.
AppOmni supports organizations in that regard, delivering Cloud Security Posture Management (CSPM) for SaaS: data access visibility, management and security for SaaS solutions, to help companies secure their data when implementing SaaS applications.
To find out more about the company’s offerings and the wider security implications of SaaS, Infosecurity spoke to AppOmni’s CEO, Brendan O’Connor.
Firstly, why is ensuring the security of SaaS applications so important?
Today, the enterprise runs on SaaS. SaaS applications have become mission-critical for most organizations, and have become essential for enabling remote workers. We are a company comprised of security engineers from the leading cloud providers, so we have deep expertise in the security challenges customers face.
SaaS applications are important because that’s where the data is. Whether it’s customer payment information in Salesforce, project files in Teams or meeting transcripts in Zoom, SaaS applications house an enterprise’s most critical data. Exposure or loss of such data can be devastating. Aside from negative press, enterprises can suffer disruption to their business operations as well as regulatory fines.
What are the key security challenges and risks surrounding hybrid working environments and SaaS applications?
Risk of misconfiguration is by far the most prevalent problem. SaaS applications are incredibly powerful, and integrate with a variety of APIs and data sources. That creates complexity. There are so many different configuration settings, and the control panels for these applications are all different. On top of that, security teams need to assess and manage the configuration of these applications across multiple instances and environments. It is terribly time-consuming to track and manage this manually, which is why mistakes are made so frequently.
The other key challenge is third-party applications. Users are connecting third-party applications into their SaaS environments, and security has no visibility. In our experience, security teams are aware of less than half of the third-party apps that have API access to the company’s data.
How has the recent move to mass remote working impacted these risks and challenges?
With the shift to remote work, many businesses made big technology changes very quickly. It is unimaginable that a technology shift that big, made that quickly, didn't create new avenues of exposure. We are seeing two factors contributing to increased risk.
The first is an increased attack surface. Classic defense strategy used the castle approach – hardened perimeters provide a measure of protection to everything inside the network. Well, no one is inside the network perimeter anymore. The perimeter has been dissolving for some time, but mass remote working has put a nail in that coffin. Security teams now need to defend an attack surface that includes remote employees and all of the cloud applications that are making remote work possible.
The second is impact. The impact of a successful attack has also greatly increased. When attackers were trying to penetrate corporate networks, security had opportunities to catch them as they moved through the network. Monitoring solutions were critical because the sooner you could detect an attacker inside your network, the better your chances of stopping the threat before it could steal data and cause harm. Instead of trying to penetrate the corporate network to steal information, attackers are now taking it straight from unsecured cloud services. The attack is so quick that once you’ve become alerted to it, the data is already gone.
How can organizations ensure security and cyber-resilience in their SaaS environments?
Security needs to make SaaS applications a first-class citizen in their security program. They must scan cloud APIs looking for data exposures and excessive privileges. They need to assess and analyze the configurations of these applications against best practices, and ensure that the right security controls are in place – and stay that way. They need security baselines for their mission-critical applications, and they need to detect configuration drift when it occurs so they can remediate it, or prevent it from occurring in the first place.
What will the next year or two have in store with regard to hybrid working strategies and SaaS applications?
Unfortunately, I think we will see more breaches. Humans respond to pain, and many companies still tend to be reactionary in their security programs. If they haven’t felt the pain yet, they may not prioritize SaaS security, but I am hopeful that is changing. More and more I talk to security leaders who are investing in preventative solutions and gaining visibility into their cloud attack surface. I also think that remote work is here to stay. Even in a post-COVID-19 world, I believe companies will need to offer remote work options to stay competitive. Now is the time to implement a hybrid working strategy that includes mission-critical SaaS applications. Companies that wait are going to find themselves behind the curve, and easy targets for opportunistic attackers.