Skip to main content

SaaS Security: A Complete Best Practices Guide


As companies adopt more SaaS solutions to solve business challenges, the explosion of software-as-a-service (SaaS) brings new benefits—but also new problems. SaaS sprawl makes visibility more difficult, giving rise to new threats like unsanctioned apps, data loss, and insider threats. With multiple applications to manage and secure, it’s challenging to wrangle everything under the IT/security umbrella and do the right things to protect your company’s data.

SaaS enables seamless collaboration between users, both within and outside the organization. While collaboration helps drive business productivity, it’s important to maintain granular control over access. Moreover, IT professionals pros have to do it in a way where neither productivity nor security is sacrificed.

In this post, we’ll dive into the biggest SaaS security challenges, plus best practices to help protect your organization.

SaaS sprawl and the unique challenges of SaaS security for IT departments

Following are the four biggest security challenges created by SaaS:

  1. File security
  2. Insider threats
  3. Difficulty achieving visibility (shadow IT)
  4. Least privileged access

Let’s explore each in further detail.

1. File security

Because SaaS is the system of record now, sensitive data lives everywhere in your SaaS environment. Confidential financial information, customer lists, intellectual property—it’s all there.

This makes file security especially important in SaaS.

Because SaaS apps give end users the freedom to collaborate with others, users can configure file sharing permissions on their own. When users collaborate with others, they have the power to share files publicly, with external users, or domain-wide.

SaaS security requires you to get a handle on these interactions and configurations. If a sensitive file is shared incorrectly, it could mean a compliance violation or even a potential data breach. Unfortunately, a lack of granular control of file security in many SaaS apps makes this particularly challenging. IT is unable to see all of the data stored across applications, including which files contain sensitive material, how files are shared, or who is sharing them. The lack of visibility creates blind spots that IT teams are not privy to, yet somehow responsible for securing.

Additionally, the behavior can vary from one app to another, making it very difficult to remediate violations. In most cases, it’s all too easy for well-intentioned users to make choices that increase risk and make your organization non-compliant. For example, to make collaboration easier, a user may choose to share a file publicly–not realizing that it may be indexed by Google and accessible by anyone on the internet.

One mistake—one simple, accidental misconfiguration—can easily expose data. For example, in March 2019, security researchers found that dozens of major tech companies and corporations had inadvertently exposed sensitive data through misconfigured Box accounts. Researchers discovered bank account and Social Security numbers, passwords, employee lists, and financial data like invoices, receipts, and customer data.

It’s important to gain visibility into the choices users are making in apps, such as sharing confidential documents with external consultants or making public cloud databases freely accessible on the internet. You need to be alerted to certain configurations that might increase risk, and, ideally, be able to automatically remediate them.

2. The insidious–and deceptive–risk of insider threats

SaaS is a double-edged sword. The very beauty of SaaS—the ability to collaborate, the ease of sharing data—is also its most dangerous security risk. Your users might have the best intentions, but the freedom SaaS apps provide also enables users to do dangerous things, possibly without ever knowing it. And that’s in addition to the risk of malicious users deliberately acting nefariously.

Many organizations are concerned about the risk of malicious insider threats, such as disgruntled employees committing sabotage or stealing intellectual property. However, the greatest risk lies with employees who are well-meaning, but negligent. And unfortunately, this group is sizable.

In BetterCloud’s “State of Insider Threats in the Digital Workplace 2019” survey, 91% of respondents felt vulnerable to insider threats. Even those who had deployed technologies to combat those threats still felt vulnerable, including 95% of those using a Cloud Access Security Broker (CASB).

3. Difficulty achieving visibility

Additionally, the ease of procuring SaaS apps makes shadow IT an ongoing challenge. BetterCloud’s 2020 State of SaaSOps report shows that after using automation to discover the number of SaaS apps running on the corporate network, on average, the total is 3 times higher than IT originally thought.

Unsanctioned apps create additional risk. Unaware of their existence, IT teams have no visibility into what apps are being used, their permissions, or their data read/write authorizations. Furthermore, they lack the ability to implement the proper controls to secure and manage those applications. It’s important to mitigate security concerns by efficiently eliminating unwanted and redundant third-party apps that users attempt to bring into your SaaS environment.

Without illumination from proper SaaSOps processes and solutions, your organization’s data travels to unimaginable places. Unknowable and unmeasurable apps imperil your organization’s security posture (not to mention your IT budget.)

Related: How BetterCloud Discover Helps IT Know the SaaS Environment

4. Challenge of enforcing least privilege access

A crucial cybersecurity tenet for many years, least privilege means giving people only the permissions they need to get their job done. Excess permissioning increases risk. Simply put, the more each user has access to, the more an attacker can access if that user’s credentials are compromised.
There are many different ways to configure the user roles on platforms such as Office 365 and Box, and the implications of those settings are not always clear. Apps have different terms for their admin roles and distribution lists, along with different permissions sets for each role.

SaaS security requires enforcing least privilege by only allowing users the precise amount of access needed to do their jobs, but nothing more. Unfortunately, least privilege is difficult due to the varying definitions of user role types, and the limited granularity offered, across SaaS apps. These inconsistencies often result in giving out access to more data and controls than necessary, leading to increased risk.

Erosion of the perimeter

Why do all of these SaaS security challenges exist?

Because the traditional perimeter is gone.

With the legacy IT model, you had a centralized way to manage user interactions, accounts, file sharing, etc. The legacy “castle and moat” approach assumed that everyone inside the perimeter was trusted. But as soon as you start to use your first SaaS app, you don’t have a perimeter anymore. Network-based security is no longer adequate, and you can’t think about your infrastructure as a safe place inside your company. Users are going to connect from any device and any location. This is another attribute of SaaS that boosts productivity and user experience, while also increasing security risk.

Evolving what was previously perimeter management now must encompass discovering cloud services and cloud assets, administering user access, and maintaining continuous visibility into it all.

Related: A Zero Trust security model can help protect your SaaS environment. To learn more, download our whitepaper: A Guide to Effective SaaS Management Using a Zero Trust Security Model

Now let’s take a look at some other types of SaaSOps tools and best practices for SaaS security.

Identity & Access Management (IAM)

With the proliferation of SaaS, PaaS and IaaS, managing access policies for each asset creates an IT management burden. Identity and Access Management (IAM) is the process of managing who can do what on which resources. The role of identity and access is to facilitate access and authentication to all IT infrastructure, including SaaS apps and on-prem apps. Often consumed as a service, identity-as-a-service (IDaaS) is cloud-based authentication that facilitates access and authentication to all SaaS apps in use and minimizes friction for the end user. IDaaS will typically integrate with an LDAP or directory service such as Active Directory and often receives employee information from the HRIS system as well. IAM products such as Azure Active Directory can enable:

  • Single sign-on (SSO)
  • Conditional access
  • Multi-factor authentication (MFA)
  • A single identity platform
  • Integration of identity into your apps and services

IAM that maximizes security while minimizing friction for the end user is a challenge. Look at federated domain services to allow synchronization of user permissions and policies between on-premise and cloud services and applications.

What is a CASB?

Another common tool to address SaaS security is a CASB. According to the Gartner definition, CASBs are on-prem or cloud-based security policy enforcement points. They stand between cloud service consumers and cloud service providers to combine and add enterprise security policies as cloud-based resources are accessed.

It’s a fairly broad category of technologies enforcing policies regarding any type of cloud service including PaaS, IaaS, and of course, SaaS. Within a SaaS environment, CASBs focus primarily on SaaS data security, asset encryption, inline blocking of sharing assets, and network security.

What role does a CASB play in SaaS security?

While there is some overlap, a SaaS management platform (SMP) focuses on SaaS, whereas a CASB has a broader charter, focusing on cloud services. CASBs overlap with SMPs in the areas of Data Loss Prevention (DLP – aka “File Security” in SaaSOps) and sensitive content identification functionality. However, CASBs lack operational context on users and data. Without this type of context, CASBs cannot differentiate between normal, approved user collaboration and a true security event, which often results in false positives.

CASBs and SMPs also enforce security policy in completely different ways. Most CASBs remediate threats in a blunt force fashion. They do not offer granular actions for remediation within SaaS applications. Security teams can set triggers (e.g., a file being shared externally), and then as a result quarantine or block the file, and send an alert to notify the file owner.

For example, they may automatically block a file with Social Security numbers from being shared altogether. But what if a user has a legitimate reason for sharing the file? Or what if the file only appears to contain a Social Security number? Now the end user trying to get work done is frustrated, and employee productivity is disrupted. An SMP, on the other hand, offers granular, less intrusive actions to remediate a threat, such as unsharing the file, changing the file owner, deleting the file sharing link, emailing the file owner, etc.

IT must enable the business, rather than inhibit it.

To learn more about how SMPs compare and contrast with CASBs, check out:

The need for flexible SaaS security solutions

SaaSOps vs CASB

Establish your company’s security culture and implement SaaS security and compliance programs accordingly. IT security requires flexibility in how they handle various threats. Flexible SaaS management solutions can empower IT to build customizable workflows so the response to security threats can be appropriate to your business. For example, you can choose to address security risks differently based on the operational context, such as the user’s department or seniority. By enabling you to choose how much to lock down security, these solutions remediate threats in a way that matches your organization’s risk tolerance.

Data loss prevention (DLP)

Data loss prevention (DLP) is a set of tools and processes used to dynamically apply policies to prevent sensitive data from being lost, misused, or accessed by unauthorized users. A robust DLP solution will be able to scan content for sensitive data like credit card numbers, in addition to relevant keywords such as “Confidential” or “Board deck.” It will also be able to take action and remediate any violations.

You need to build the DLP policy (or policies) that fits your needs. Two examples of DLP policies in a SaaS environment are:

  • If a sensitive file owned by finance is shared publicly, automatically revert it back to Private; disable download, print, and copy permissions on file; email the user to inform them; send the #security Slack channel a message
  • If an HR team folder containing Social Security numbers is shared across the domain, automatically unshare the file, revoke public sharing links, and change the owner of the file

Two factor authentication (2FA)

Passwords are simply not good enough. Two-factor authentication (2FA) is the use of an extra step to verify a user’s identity. 2FA offers better protection than passwords alone. If one factor, such as the password, is compromised, attackers are still unable to gain access without the secondary factor.

2FA can take different forms, most frequently summed up as:

Something you know: A personal identification number (PIN), a password, responses to questions, or a keystroke pattern.

Something you have: In most cases, the item a user possesses is a smartphone, and thus they can receive a code via text message. Hardware tokens can serve as another authentication factor.

Something you are: Biometrics such as fingerprint or iris scanning, or facial or voice recognition.

According to Verizon’s 2020 Data Breach Investigations Report, stolen credentials are the top hacking tactic–for the fourth year running. Password reuse is a major factor in credential stuffing attacks.

Data-centric approach with encryption

Cloud security controls need to accompany workloads and data while at rest and in transit. As part of the data-centric approach cloud security requires, make sure your data is always encrypted. Protect data at rest, in motion, and in use, and ensure access to the data is only on an as-needed basis. You can also manage your encryption keys in the cloud in order to have more complete control of your data.

Provide crucial SaaS end user training and support

Instilling a culture of security is a tough challenge for any IT admin, but building awareness around app security is a necessity. Train your users to act with caution in situations of uncertainty, use Google, or go to IT if something seems suspect. Regularly train employees on the importance of understanding app permissions and following your established data governance and security policies. Users should also understand password best practices and how to recognize a phishing email.

It can also be helpful to inform users of the risks and consequences of a data breach so they’re aware of what’s at stake.

Incident response

Your SaaS security practice should also include an incident response plan, involving defining the criteria for security incidents and thresholds, training employees on roles and responsibilities if a security incident occurs, and orchestrated and automated remediation across integrated systems (e.g., SIEM, EMM, ITSM). Any incident response program you put into place should be inclusive of SaaS apps, even if they’re not directly involved with the breach.

Best practices: SaaS security checklist

Maintain a secure infrastructure:

  • ❏ Establish your organization’s culture and risk tolerance
    ❏ Implement IAM/IDaaS to facilitate access and authentication to all SaaS apps and minimize friction for end users
    ❏ Ensure your data is always encrypted
    ❏ Implement 2FA
    ❏ Train users on SaaS security, including identifying phishing attacks and the importance of 2FA
    ❏ Create an incident response plan
    ❏ Implement SaaS management in conjunction with traditional security systems
    ❏ Build dynamic Data Loss Prevention (DLP) policies to prevent sensitive data from being lost, misused, or accessed by unauthorized users
    ❏ Build customizable workflows so responses are in accordance with your security policies and guidelines

Proactively secure data by monitoring for:

  • ❏ Exposure of sensitive information such as PII, PHI, passwords, and encryption keys (either publicly or externally shared)
    ❏ Corporate emails being automatically forwarded to a personal email account (e.g., Gmail, Yahoo)
    ❏ Users who should no longer have access to specific files, folders, calendars, etc. (e.g., consultants, interns, employees who’ve switched teams)
    ❏ Suspicious activity related to data theft, like unusually large file downloads within a short time period
    ❏ Sensitive files being shared with a competitor
    ❏ Email forwarding from specific users to email addresses outside your domain
    ❏ Specific file types being publicly or externally shared (e.g., spreadsheets and PDFs are more likely to contain sensitive information)
    ❏ Sensitive folder paths, like accounting or finance, being publicly or externally shared
    ❏ Choices users are making in apps, such as making public cloud databases

Gain visibility and control:

  • ❏ Enforce least privilege with granular access control
    ❏ Remain aware of all apps running on the corporate network, sanctioned or unsanctioned, and eliminate blind spots
    ❏ Identify tools that authenticate using your domain
    ❏ Audit permissions that employees grant to unauthorized SaaS
    ❏ Compare permissions to your established data governance that defines who within an organization has authority and control over data assets and how those data assets may be used
    ❏ Secure user interactions inside of SaaS apps
    ❏ Continuously monitor for policy violations and remediate them if any are detected

For more information on SaaS security, check out these resources:

To learn how BetterCloud can help discover, manage, and secure your SaaS environment, request a demo.

The post SaaS Security: A Complete Best Practices Guide appeared first on BetterCloud Monitor.