In today’s fast-paced business world, software-as-a-service (SaaS) applications have transformed how we work. They offer unprecedented flexibility, collaboration, and efficiency, making them the go-to solution for most organizations. From project management to customer relationship management and file storage, SaaS applications touch nearly every aspect of daily business operations. With sensitive data and critical business processes housed in these platforms, the need for robust SaaS security has never been more pressing and clear.
SaaS security is multifaceted, covering many types of risks with tools offered by diverse vendors. SaaS security typically falls within SaaS security posture management (SSPM). While modern SSPM solutions provide automation and in-product remediation, they might be somewhat overwhelming at first, especially for smaller organizations that don’t have large budgets or don’t know where to start or what to prioritize.
During a career spanning two decades in the Israeli military serving various cyber-related roles, I learned the importance of breaking down large challenges into smaller pieces. Tackling a large problem starts with identifying the basic requirements. In this article, I will lay out three must-have SaaS security essentials that any organization can implement, regardless of budget or headcount. These are three steps you can introduce into your organization today.
Step 1: Discover Your SaaS Usage
After serving hundreds of SaaS-using companies, it is clear to me that most organizations have a serious SaaS shadow-IT problem. In fact, the average employee uses 28 SaaS applications at any given time. When you think about it, it makes sense: Most employees, when encountering a specific business need, will look up a fast and easy solution online. That solution is often a SaaS tool that requires permissions into the employee’s work environment. Onboarding these SaaS applications often goes completely unnoticed by security and IT teams. So, before you can secure your SaaS environment, you must first have full visibility into every employee’s SaaS usage, all the time.
Step 2: Perform Risk Assessments on Each SaaS Application
Now that you have a clear picture of your SaaS landscape, it’s time to evaluate the security risks associated with each application. Not all SaaS applications are created equal, and some may pose a higher risk to your organization’s data and operations. We should always be cautious as to where we keep or share sensitive data and who we trust with our most critical assets. There are several critical considerations for determining whether an application is risky or not. Here are a few:
- The SaaS vendor’s security and privacy compliances.
- The SaaS vendor’s size and location.
- The SaaS app’s marketplace presence: Has it been validated by others?
- Is it a private or public company? Does it share its security status publicly?
This type of analysis is crucial not only for maintaining SaaS security; it is a significant factor in companies’ vendor risk-assessment processes. SaaS is a third-party vendor, and assessment is part of how you manage a vendor’s risk. Organizations cannot afford to turn a blind eye to their third-party risks of any size.
Step 3: Ensure Users Have Only Necessary Permissions and Roles
The third essential step is managing user permissions. Often, security breaches occur due to excessive permissions granted to users or that the users grant to certain applications. To mitigate this risk, follow these best practices:
- Least-privilege principle: This means granting users only the permissions they absolutely need to perform their tasks. Avoid granting broad, blanket permissions that can lead to data exposure or unauthorized actions.
- Regular permission reviews: Establish a process for regularly reviewing and updating user permissions and roles. This is especially true for your core business applications. Employees’ roles and responsibilities can change over time, and permissions should be adjusted accordingly.
- Start with the admins: Assessing all your employees and their roles and permissions across dozens of apps can be daunting and time consuming. I’ve learned that focusing on various admin roles and auto-approving low-permissions roles is a huge time saver.
Why These Three?
There are many ways to implement SaaS security practices. Some organizations prefer looking at sensitive files shared between these applications; others start with irregular user behaviors to tackle insider risks. These are all valid, and robust SSPM tools offer these capabilities. But for smaller organizations with tighter budgets or those that prefer to start small then expand, I firmly believe these three principles are the way to go. These are required by major compliance standards such as ISO 27001 and SOC 2 and fall under basic vendor risk-assessment and user-management requirements.
Embrace SaaS Without Compromising Security
By enforcing these three steps, you can make significant strides in protecting your digital workspace. Remember that security is an ongoing process, and continuous monitoring and adaptation are key to staying ahead of evolving threats in the SaaS landscape. By prioritizing security, you can ensure employees are free to fully embrace the advantages of SaaS while always keeping your organization safe from SaaS potential harm.
About the Author
A retired colonel from the elite 8200 Unit, Galit Lubetzky Sharon has vast, hands-on experience designing, developing, and deploying some of the Israeli Defense Forces’ most vital defensive and offensive cyber platforms as well as leading large and strategic operations. She was an integral part of developing the IDF’s first cyber capabilities and continued improving and enhancing these capabilities throughout her career. She is the recipient of numerous accolades, including the prestigious Israeli Defense Award.
