The Top 3 SaaS Security Challenges
Software-as-a-Service (SaaS) applications present a number of potentially serious security challenges. The risks posed by SaaS arise out of a combination of factors. For one thing, SaaS is popular, with most businesses using dozens or even hundreds of SaaS apps in their operations. The depth and breadth of SaaS deployments make them hard to defend.
SaaS is software, but its security parameters are different from those of traditional, on-premises software. A SaaS app is cloud-based, with access rights that are sometimes unclear. Third-party integrations can create vulnerabilities as well. Governance of SaaS apps can also be spotty or nonexistent, especially when “shadow IT” takes over and business units purchase SaaS for themselves without notifying the IT department or their partners in cybersecurity. This article explores these issues and discusses the top three SaaS security challenges: access management, misconfigurations, and regulatory compliance.
Access management is an essential element of any cyber security program. Indeed, managing who can access what is a fundamental control in all major cyber security frameworks. SaaS introduces some unusual challenges to access management, however. SaaS users can be anywhere, on almost any device. They can access the SaaS app, which may contain sensitive data, from outside the corporate network. These factors make it imperative that security teams and identity managers establish who is who, and what each user is authorized to do on the SaaS app.
User authentication, which is the verification of a user’s identity prior to granting access, can be challenging with SaaS. If a user tries to log in to a SaaS app, how can system owners be confident that it’s the real user, rather than an attacker impersonating the user? Multi-factor authentication (MFA) is essential to reduce the risk of unauthorized access. Rigorous monitoring of identities is also a wise practice to stop malicious actors from gaining access to SaaS apps.
Third-party integrations create a related access risk. In some cases, plugins that connect one SaaS app to another make the plugin into an unmonitored “user” of the app. If an attacker takes over the plugin, which can occur easily when plugins are not maintained properly by developers, he or she can gain access to connected SaaS apps.
Once a user has accessed a SaaS app, what is he or she allowed to do? This is a matter of authorization. Most SaaS apps enable multiple levels of access privileges. The more senior the user, the greater the access privileges, generally speaking. An executive user might be able to see all customer data, while a sales rep can only see his or her accounts. Administrative users may have the right to delete or export data, which makes their accounts attractive takeover targets for hackers.
Geography is yet another aspect of SaaS access management. It is a good policy to restrict SaaS access rights by country or region. This will mitigate the risk of external threats to some degree, because hackers tend to be outside of the country hosting the SaaS app. There can be regulatory issues, too, with potential compliance risk arising out of users moving consumers’ private data out of its country of origin.
Each SaaS app enables extensive custom configuration. This is usually a great benefit. Individual users can set up their SaaS apps the way they want them. Administrators can adapt SaaS apps to suit company-wide use cases and policies. The scope of configuration options, however, also creates security risk.
Part of the problem is, again, simply the scale of the SaaS estate in the average business. If a company has deployed a hundred SaaS apps (that it knows of), and each app has dozens of “knobs” users and admins can toggle for their specific configuration needs, the result is an environment with thousands of potential configurations. Any one of them could be insecure. Manual management is not a realistic option.
For example, some SaaS-based storage services enable universal file access by default. That means that virtually anyone in the world can access a company’s sensitive data on the Internet, without anyone even knowing. If users are not aware of this problematic default setting, data exfiltration risk will follow.
A further difficulty comes from the frequency with which SaaS apps update themselves. While it is a great advantage to have an application that automatically makes new features available to users, this is also a driver of risk. A SaaS update might reset configurations to default, for instance. It will then be up to users and admins to set configurations back to match security policies—a task that is effectively impossible to perform thoroughly without automation.
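The check described above, comparing each app's settings with the security policy after an update, can be automated along these lines. This is an added example, not code from the original article; the app names, setting keys and values are constructed, and real snapshots would come from each SaaS vendor's own admin export.

```python
from dataclasses import dataclass

# Policy baseline: the value each setting must hold (constructed names).
BASELINE = {
    "file-storage": {"default_link_sharing": "restricted", "mfa_required": True},
    "crm": {"data_export": "admins_only", "mfa_required": True},
}
# Constructed snapshots taken before and after a vendor update.
BEFORE = {
    "file-storage": {"default_link_sharing": "restricted", "mfa_required": True},
    "crm": {"data_export": "all_users", "mfa_required": True},
}
AFTER = {
    "file-storage": {"default_link_sharing": "anyone_with_link", "mfa_required": True},
    "crm": {"data_export": "all_users"},  # mfa_required no longer reported
}
MISSING = object()  # sentinel: setting absent from a snapshot


@dataclass(frozen=True)
class Finding:
    app: str
    setting: str
    expected: object
    actual: object  # None when the setting is absent
    reverted_by_update: bool  # compliant before the update, not after


def audit(before, after, baseline=BASELINE):
    """Return every baseline setting that is non-compliant in `after`."""
    findings = []
    for app, policy in sorted(baseline.items()):
        prev, cur = before.get(app, {}), after.get(app, {})
        for setting, expected in sorted(policy.items()):
            actual = cur.get(setting, MISSING)
            if actual == expected:
                continue
            # A missing setting fails closed: it is reported, not assumed safe.
            was_ok = prev.get(setting, MISSING) == expected
            shown = None if actual is MISSING else actual
            findings.append(Finding(app, setting, expected, shown, was_ok))
    return findings


if __name__ == "__main__":
    for f in audit(BEFORE, AFTER):
        tag = "RESET BY UPDATE" if f.reverted_by_update else "pre-existing"
        print(f"{f.app}.{f.setting}: want {f.expected!r}, got {f.actual!r} ({tag})")
```

Separating settings that were compliant before the update from ones that were already out of policy tells the team which findings the update itself caused.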
SaaS apps can expose companies to regulatory compliance risks, which have a peculiarly synergistic relationship with security risks. For example, poor management of role-based access controls (RBAC) can result in breakdowns of “segregation of duties” controls needed for compliance with laws like Sarbanes-Oxley. Specifically, a segregation of duties control is supposed to do things like prevent a single user from being able to approve a purchase order as well as a payment to a vendor. Without the control, a user could commit fraud.
If the company in question uses a SaaS-based accounting system, then it will be up to SaaS administrators to ensure that the access privileges they assign cover the segregation of duties control they need for Sarbanes-Oxley. For example, User A is permitted to access the purchase order (PO) module of the software, but not the check approval module. User B is permitted to use the check module, but not the one for POs. This may not be a big problem, but given the breadth of SaaS configuration possibilities available, it’s an easy control to overlook.
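A segregation of duties review of this kind can be run over an export of role assignments. The following is an added example, not code from the original article; the role names, module names and users are constructed, and it assumes the accounting app can export which roles each user holds and which modules each role grants.

```python
# Constructed role definitions: role -> modules it grants.
ROLE_MODULES = {
    "buyer": {"purchase_orders"},
    "ap_clerk": {"check_approval"},
    "finance_admin": {"purchase_orders", "check_approval", "reports"},
}
# Module pairs that no single user may hold together.
CONFLICTS = [frozenset({"purchase_orders", "check_approval"})]
# Constructed assignments: user -> roles held.
USER_ROLES = {
    "user_a": ["buyer"],
    "user_b": ["ap_clerk"],
    "user_c": ["buyer", "ap_clerk"],     # conflict through two roles
    "user_d": ["finance_admin"],         # conflict inside one broad role
    "user_e": ["buyer", "legacy_role"],  # role missing from the export
}


def effective_modules(roles, role_modules):
    """Union of modules across a user's roles, plus roles we cannot resolve."""
    modules, unknown = set(), []
    for role in roles:
        if role in role_modules:
            modules |= role_modules[role]
        else:
            unknown.append(role)
    return modules, unknown


def sod_violations(user_roles, role_modules=ROLE_MODULES, conflicts=CONFLICTS):
    """Report users holding a conflicting module pair or an unresolvable role."""
    report = {}
    for user, roles in sorted(user_roles.items()):
        modules, unknown = effective_modules(roles, role_modules)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= modules]
        # Unknown roles are flagged: their privileges cannot be verified.
        if hits or unknown:
            report[user] = {"conflicts": hits, "unknown_roles": unknown}
    return report


if __name__ == "__main__":
    for user, detail in sod_violations(USER_ROLES).items():
        print(user, detail)
```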
SaaS can translate into security problems. Areas of risk exposure include access management, configuration, and regulatory compliance. Manual approaches to addressing these three areas of challenge are inevitably deficient. Intelligent, automated solutions are the best approach. With new SaaS security management tools, it is possible to stay on top of access, configuration, and compliance risks across even the broadest and most multi-faceted of SaaS environments.