The Software-as-a-service (SaaS) industry has gone from novelty to an integral part of today's business world in just a few years. While the benefits to most organizations are clear – more efficiency, greater productivity, and accessibility – the risks that the SaaS model poses are starting to become visible. It's not an overstatement to say that most companies today run on SaaS. This poses an increasing challenge to their security teams.
A new guide from XDR and SSPM provider Cynet, titled The Guide for Reducing SaaS Applications Risk for Lean IT Security Teams (download here), breaks down exactly why SaaS ecosystems are so risky, and how security teams can mitigate those dangers.
Today, the average midsize company uses 185 SaaS apps. What this means is that the number of app-to-person connections has risen exponentially. Most midsize companies have nearly 4,406 touch points, creating an attack surface that requires significant resources to simply monitor. The risk of a digital disaster is impossible to ignore – especially given the security paradigms that govern most SaaS applications.
Understanding SaaS Risk for Lean Security Teams
One of the core security issues with SaaS is that risk isn't simply "what could go wrong" anymore. Because SaaS applications have become so ingrained in organizations, a security breach with one could cause serious damage, and these occur frequently. They can be anything from service disruption to a large-scale data breach and create severe problems.
The question is, where does SaaS risk originate from? The answer is multiple places:
- The SaaS companies themselves. Not all SaaS providers have the same security controls and attacking a SaaS provider directly can give attackers access to all their customers. This can help explain the upsurge in supply chain attacks via trusted third parties.
- Provider data breaches. Because of SaaS apps' connections to organizations, they must process large volumes of data. At some point then, organizations must rely on their vendors' security controls, which are not always up to par.
- Access control misconfigurations. When SaaS apps are not set up properly – either by the IT team or the vendor themselves – it opens the door for cyberattacks or user-created problems.
- Adverse software updates. Complex SaaS systems are tenuous enough that a bad update can create a significant disruption, opening new vulnerabilities or invalidating critical functions.
- Service downtime. One issue tied to the cloud-based model is that problems with a vendor will usually result in service outages for subscribers. Whether the issue is financial collapse, data center problems, or rogue staff, mission-critical services running on SaaS are at risk of being delayed, disrupted, or disabled.
- Insider threats. With access to so much data, a rogue staffer inside a vendor could easily misuse their access privileges for criminal purposes.
How can lean It Security teams manage?
While this status quo creates significant challenges for lean IT security teams, it's not the end of the world. Organizations still rely on their providers for security, but they can take steps to minimize that risk. This includes:
- Vetting vendors more thoroughly and ensuring they meet your organization's requirements and regulatory needs.
- Exploring the external validation and certifications a vendor holds
- Using external tools such as SaaS management platforms (SMP) or SaaS Security Posture Management (SSPM) that help unify and centralize security policies.
You can learn more about how lean IT security teams can better manage their SaaS risk here.