Many security practitioners take their eye off cloud and software-as-a-service (SaaS) security based on the faulty assumption that the providers are inherently secure. While most providers are, the cloud is so flexible and customizable that every organization might open different doors – ones that they're responsible for closing. Ones that traditional security tools often overlook.
Some 89% of organizations have a multicloud strategy, with 48% using multiple public and private clouds. By the end of 2021, it was estimated that 99% of organizations would be using one or more SaaS solutions. With so many resources now in the cloud, it's a complex responsibility to secure each one.
Security risks continue to plague organizations. According to Varonis' "2021 SaaS Risk Report," 44% of cloud user privileges are misconfigured and 43% of all cloud identities are unused and exposed to threats. By rightsizing your cloud footprint, adopting new security controls, and emphasizing SaaS security management, you can be confident enough in your security to achieve cloud nirvana – security that's so automated, intuitive, and frictionless that you never have to think about it. There are three phases to getting there.
Understand Your Cloud Footprint
You must take a strategic view of cloud security. The first step is to undertake an inventory to find what SaaS services are in use. Which business areas are dependent on what SaaS services? Which SaaS services are common across the enterprise?
Then create an inventory focused on where your most sensitive data is. What information is leaving your applications or being exchanged with other applications? The next question is: Which users, resources, and applications have access to your data? Only once you understand your cloud footprint, data in the cloud, and resources accessing it, can you work to secure it.
Make no mistake: cloud and SaaS sprawl are difficult to audit. According to Productiv's recent report, the average SaaS portfolio size is 254 applications but only 45% of those apps are used on a regular basis. Taking that deep dive and reflecting on the business purposes of those apps may identify some ways to reduce your organization's overall risk (and your SaaS spend). Auditing your cloud footprint is important so that you have a clear picture of your risk, and so you can ensure you're meeting compliance, regulatory, and customer obligations.
Before you can start chipping away at the inhibitors of SaaS security, you need to make sure you're covering all your bases. Does your security scope include management of third-party applications and data? What about any necessary compliance or regulatory policies for checking misconfigurations and anomalies? While most companies stop there, it's important to have deep security coverage for your most business-critical SaaS applications, including threat detection and continuous monitoring.
Protect Your Cloud Footprint
Once you understand your cloud footprint, and where most sensitive data is, you need to assess whether your data is protected. Are appropriate security controls in place to ensure all applicable layers of encryption and masking? Are only appropriate people able to access sensitive data? Are configurations being scanned on a regular basis to detect misconfigurations and, more importantly, are those misconfigurations being remediated in a timely manner?
You need to define security controls to protect the data and configurations. Once you've defined security controls, you need to replicate the process for the multitude of SaaS vendors you're working with across your ecosystem.
In addition to, say, Microsoft 365, you probably also have some combination of Workday, Salesforce, ServiceNow, Atlassian, and potentially dozens of other applications that keep your business running. Interestingly, the Productiv report shows an inverse relationship between the size of an organization and its application engagement. Smaller organizations, according to the report, engage with 49% of apps while enterprises only use 39%.
The fragmentation of the SaaS market means that not only do you have multiple vendors to consider, but they all operate based on different standards and with different levels of security. Unfortunately, there's no common framework for SaaS security.
The Center for Internet Security (CIS) has developed critical controls for the cloud, but they haven't yet become so widely adopted that they provide consistency across the entire industry. For now, you need visibility into the security of each SaaS application.
Cloud Nirvana: Eliminate the Need to Think About Security
Getting closer to cloud nirvana means finding efficiency as the cloud continues to scale. SaaS leads the way in the expansion of cloud adoption, with end-user spending expected to hit more than $176 billion this year, according to Gartner, and increase nearly 18% next year.
Adhering to the industry standard framework like CIS controls will make for a clearer picture of your SaaS security, but there's even more you can do. By adopting a DevSecOps structure, you involve security teams at the beginning of the development lifecycle so there are no surprises or delays down the road.
Reaching true cloud nirvana, though, typically comes through SaaS security management that can monitor, detect, and protect against threats. This includes automating security for instant visibility, 24/7 monitoring, and alerts for common SaaS security risks like misconfigured data access, overly broad permissions for user accounts, and exposed data.