Exploring SaaS security best practices

SaaS adoption continues to grow at breakneck speeds. The average employee in organizations of 1,000 or more typically uses at least 10 applications; while across the company, over 200 applications will be consumed across all departments. In larger organizations, the figures are even higher. Organizations and their workers can choose from thousands of applications, with over 7,000 available for the Sales & Marketing departments alone. A new generation of IT workers will never have the joy of managing application updates across their user base. So sad! Their new joy will be tracking down and understanding the breadth of applications being used by their workforce.

The fact is that the SaaS model, among other things, has democratized the software marketplace, creating the opportunity for commercial success even for the smallest of entrepreneurs. This has unlocked a tremendous amount of creativity and the ability to address any number of needs of knowledge workers with highly specialized applications solving narrow problems. There are two effects that result: 1) a shift from application suites to best-of-breed applications and 2) the frequent uptake rate of new applications amplified by the “freemium” model. Freemium to the user, maybe, but not the IT organization which has typically invested in one or more applications, probably a suite, to enable the global organization.

As the number of applications in use increases, two major issues stand out that can have a negative effect on the organization, and must be addressed with SaaS security controls. A mantra of the modern software world is self-documenting applications that also have a significant investment in UX to make users reasonably self-sufficient. Unfortunately, each additional application is one more skill everyone has to be leveled up on. With an avalanche of applications being promoted by various members of a team, favorites begin to play out, encouraging islands of users migrating to their preferred applications. The CISO’s team will usually have no knowledge of these incremental applications, making IT and SaaS security audits more cumbersome -- if not downright impossible.

The security implications can be significant, particularly for applications that store sensitive data in the cloud, such as clear text files.  Data leakage can cause direct damage to the organization as well as to their reputation. With the number of applications out there, the good news is that IT doesn’t have to be the department of “no.” But they do need to be brought into the decision-making process for onboarding applications. IT, together with users, can collaborate to create a SaaS tech stack with the requisite SaaS security standards that meets everyone’s needs, including the CISO. Having controls is essential; knowing what to look for and what’s been agreed to makes the job a lot easier and helps to diminish the unpleasant task of cutting off valuable applications and creating dissatisfaction.

SaaS application security is a winner for everyone, from the content developer and engineering to the CISO, as organizations align around a common set of tools and channels. Productivity can bloom when employees aren’t distracted and confused by a disjointed collection of choices. CISOs can focus on managing risk on a manageable number of applications, greatly increasing security assurance and minimizing the overhead of security audits. And management can then begin to unlock the potential in the workforce that was promised by SaaS in the first place.

For more information, check out our cloud and network security page. Keep an eye out for more discussions on the implications on going direct to cloud.