The evolution of Software as a Service (SaaS)
SaaS applications have changed substantially in the past 10 years. What used to be simple web applications have evolved into complex platforms that are far more powerful and customisable than even five years ago. Many of the largest SaaS platforms, such as Salesforce, Microsoft 365, Workday, HubSpot, and Zendesk, support both internal and external users and host extensive ecosystems of thousands of third-party applications that add even more functionality, each connecting to the platform with its own set of permissions.
Within most large businesses, hundreds of unique SaaS applications now run critical day-to-day operations and house sensitive business data in the cloud. In fact, Gartner estimates that 95 percent of new enterprise application purchases are cloud-based.
But although SaaS has become a large and essential part of the IT stack, SaaS security continues to lag far behind security for other types of technology. Why? The answer stems from the way SaaS was originally adopted by organisations.
In the early days of SaaS, newly established vendors targeted specific business units like sales, marketing, and HR. These teams were often more willing to embrace new — and sometimes risky — software than the IT and security teams that managed the rest of the enterprise tech stack. The cloud-based nature of SaaS and the relatively low cost to implement meant that business units could completely (and easily) bypass security and IT teams.
Our requirements for SaaS have changed
The typical SaaS footprint has grown from a few licenses in a sales or marketing org to every employee now using solutions like Zoom, Slack, and Microsoft 365. And organisations in even the most regulated industries like banking, healthcare, and government now trust SaaS to house their most sensitive data.
But when it comes to security, much of the legacy of SaaS’s early days persists:
- SaaS app evaluation and purchase decisions are often still made by business units, not IT teams.
- Many security teams (already over-capacity and understaffed) have never found the time to add SaaS to their scope. They may not even be aware of all the SaaS apps in use at their organisation.
- Technology leaders often lean on the myth that SaaS vendors are 100% responsible for securing their data. In reality the shared responsibility model, common throughout technology, applies to SaaS as well: the vendor secures the platform and its infrastructure, while the customer remains responsible for how the tenant is configured, who is granted access, which third-party apps are connected, and what data is put into it.
- In most organisations, no one is ultimately responsible for SaaS security.
While SaaS isn’t inherently more risky than other technologies, the rapid adoption of SaaS combined with a lag in security investment has left a backlog of unreviewed configurations, excessive permissions, and unmanaged integrations. Organisations of all sizes should prioritise SaaS security as they would any other technology that houses sensitive data.
How to start prioritising SaaS security, if you haven’t already
- Assign ownership
Assign SaaS security to a named team and to specific individuals within it. Make sure that the people charged with SaaS security understand which parts of the shared responsibility model fall to the organisation rather than to the vendor.
- Understand who has access to what data
This doesn’t just mean employees within your organisation, but also partners, customers, contractors, and connected third-party apps. Connected apps are easy to overlook: they act with whatever permissions they were granted at the time they were authorised, and those grants often outlive the project, or the employee, that created them.
- Focus on the sensitive data
Start with the applications that house the most sensitive data and have the largest number of regular users. Also pay close attention to applications with many external users and connected apps, since the permissions for those are the ones most frequently misconfigured.
- Embrace automated tools
There is no common security architecture across SaaS apps. Each application has dozens, if not hundreds, of security configurations, any of which can change with a vendor release or an admin’s click. It is impractical to expect security teams to keep up with constantly changing permissions and configurations across their SaaS environment using manual processes alone: the working state has to be captured and compared against the approved state on a schedule.
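The last three steps above (knowing who has access, focusing on sensitive data, and automating the comparison of a tenant’s current state against what the security owner approved) can be illustrated with a small script. This is an added example and is not code from the original article or from AppOmni’s product; the configuration snapshot, the access grants, and the scope names are constructed for illustration, since every real platform exports these in its own shape.

```python
"""Added example (not from the original article or any vendor's product).

Two checks a SaaS security owner would automate:
  1. configuration drift: compare a tenant's exported settings against the
     baseline the security team approved, and surface new settings that a
     vendor release introduced and nobody has reviewed yet;
  2. external access review: list external users and connected apps that hold
     sensitive scopes, putting stale grants first because they are the easiest
     to revoke.
All data below is constructed; real exports (Salesforce, Microsoft 365, ...)
use platform-specific formats and would be fetched through the vendor's API.
"""

_MISSING = object()  # sentinel so a setting that is genuinely None is not confused with "absent"

# Constructed baseline: the settings the security owner approved ("business intent").
APPROVED_BASELINE = {
    "session": {"timeout_minutes": 30, "lock_to_origin_ip": True},
    "sharing": {"public_links_default": False, "external_sharing": "allowlisted_domains"},
    "auth": {"mfa_required": True, "legacy_api_auth": False},
}

# Constructed snapshot of the same tenant after a vendor release and some admin changes.
CURRENT_TENANT = {
    "session": {"timeout_minutes": 480, "lock_to_origin_ip": True},
    "sharing": {
        "public_links_default": True,
        "external_sharing": "allowlisted_domains",
        "anonymous_preview": True,  # setting introduced by a release; not in the baseline
    },
    "auth": {"mfa_required": True, "legacy_api_auth": False},
}


def flatten(settings: dict, prefix: str = "") -> dict:
    """Turn nested settings into {"section.key": value} so paths can be compared."""
    out = {}
    for key, value in settings.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def config_drift(baseline: dict, current: dict) -> dict:
    """Return {path: (expected, actual)} for every setting that differs from the baseline.

    A setting present in the tenant but absent from the baseline is reported with
    expected=None: it is unreviewed, which is exactly what a new vendor release produces.
    """
    wanted, seen = flatten(baseline), flatten(current)
    drift = {}
    for path, expected in wanted.items():
        actual = seen.get(path, _MISSING)
        if actual is _MISSING or actual != expected:
            drift[path] = (expected, None if actual is _MISSING else actual)
    for path, actual in seen.items():
        if path not in wanted:
            drift[path] = (None, actual)
    return drift


# Constructed access grants: who, or what, can touch tenant data.
SENSITIVE_SCOPES = {"records.read_all", "files.read_all", "users.export"}
EXTERNAL_KINDS = {"contractor", "partner", "customer", "connected_app"}
ACCESS_GRANTS = [
    {"principal": "alice@corp.example", "kind": "employee", "scopes": {"records.read_own"}, "days_idle": 2},
    {"principal": "bob@agency.example", "kind": "contractor", "scopes": {"records.read_all"}, "days_idle": 120},
    {"principal": "Reporting Connector", "kind": "connected_app",
     "scopes": {"records.read_all", "files.read_all"}, "days_idle": 1},
    {"principal": "Legacy Sync App", "kind": "connected_app", "scopes": {"users.export"}, "days_idle": 400},
    {"principal": "partner@vendor.example", "kind": "partner", "scopes": {"records.read_own"}, "days_idle": 10},
]


def review_external_access(grants: list, sensitive_scopes=SENSITIVE_SCOPES, idle_days: int = 90) -> list:
    """External principals holding sensitive scopes, stale grants first, then broadest access."""
    findings = []
    for grant in grants:
        if grant["kind"] not in EXTERNAL_KINDS:
            continue
        hits = grant["scopes"] & sensitive_scopes
        if not hits:
            continue
        findings.append({
            "principal": grant["principal"],
            "kind": grant["kind"],
            "sensitive_scopes": sorted(hits),
            "stale": grant["days_idle"] >= idle_days,
        })
    findings.sort(key=lambda f: (not f["stale"], -len(f["sensitive_scopes"])))
    return findings


if __name__ == "__main__":
    for path, (expected, actual) in config_drift(APPROVED_BASELINE, CURRENT_TENANT).items():
        label = "UNREVIEWED" if expected is None else "DRIFT"
        print(f"{label:10} {path}: expected={expected!r} actual={actual!r}")
    for finding in review_external_access(ACCESS_GRANTS):
        print(("STALE " if finding["stale"] else "ACTIVE") + f" {finding['kind']:14} "
              f"{finding['principal']}: {', '.join(finding['sensitive_scopes'])}")
```

Run on a real tenant, the two inputs would come from the platform’s admin API or a settings export taken on a schedule; the baseline is the artefact the assigned owner signs off on, and any drift or unreviewed setting becomes a ticket rather than something discovered during an incident.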
Organisations are already enjoying the benefits of SaaS, including fast implementation, low up-front costs, and scalable functionality for distributed teams. But with the power, customization, and flexibility that SaaS provides comes the responsibility for organisations to securely manage configurations, usage, and data access within their SaaS environments.
SaaS Security Management software from AppOmni makes it easy for security and IT teams to protect and monitor their entire SaaS environment, from each vendor to every end-user. AppOmni’s patented technology scans APIs, security controls, and configuration settings to compare the current state of enterprise SaaS deployments against best practices and business intent. AppOmni was founded by top security practitioners and is trusted by many of the world’s largest enterprises across technology, healthcare, banking, and security.
Interested in seeing how Secrutiny and AppOmni can help protect your business? Click here to request a demo and we’ll be in touch soon.