There's a big misunderstanding when it comes to the security settings of software-as-a-service apps. SaaS apps come with a robust set of native security features — but making sure each is properly configured falls to the organization's security teams, creating a day-to-day burden that is impossible to handle if done manually.
The top pain points for SaaS security stem from:
- Lack of control over the growing SaaS app estate
- Lack of governance in the life cycle of SaaS apps: from purchase to deployment, operation, and maintenance
- Lack of visibility of all the configurations in SaaS app estate
- Skills gap in knowing every SaaS app's build, terminology, and technology
- Laborious and overwhelming workload to stay on top of hundreds to thousands (to tens of thousands) of settings and permissions.
Gartner created the SaaS security posture management (SSPM) category to refer to solutions that solve these pains by continuously assessing security risks and helping security teams to gain visibility and control over their SaaS applications' security posture. An SSPM solution automates the identification and remediation of SaaS misconfigurations regardless of how vast and complex a business's SaaS environment has become. Better still, this can be accomplished without siphoning the security team's efforts from other critical areas of the business.
For those beginning the search for the right SSPM solution, here's a list of functionalities that are essential (excerpted from the complete guide):
Breadth of integrations: Make sure the SSPM offering you're considering can integrate with all or most of the applications you're already using and those you plan to purchase down the road. As a rule of thumb, I recommend starting with systems that can accommodate at least 60 integrations right out of the box and can run checks on all data types so teams can identify and mitigate misconfigurations immediately.
Depth of coverage for security domains: After integration, the next question is this: How many security domain checks can it assess? Remember, your security team doesn't have time or familiarity with all the SaaS apps and cannot follow up on thousands to tens of thousands of configurations and user permissions on a day-to-day basis. Some of the most prevalent security domains that an SSPM should check are:
- Identity and access management: Get visibility into the most common attack vectors currently being exploited. These include multifactor authentication (MFA), single sign-on SSO, third-party user access, domain authentication, and legacy authentication protocols.
- Access control for external users: Ensure that the configurations are set correctly for external users to be verified and trusted. Beyond that, enforce limited access and permissions while still enabling everyone to do their job.
- Compliance policies, security frameworks, and benchmarks: Benchmark against industry standards and best practices. Also, make sure you can create your own custom standard.
- Data leakage protection: Ensure correct configuration to protect against data leakage from any user account.
- Auditing: It provides digital forensics, controls the level of specificity, and when it comes to regulated industries, it can properly configure logs for certain processes.
- Privacy control: Allow teams to check the configurations that control visibility between co-workers and service providers.
- Malware protection: Check if it can enforce configurations that protect against social-engineering attacks (e.g., spoofing, phishing, and spam) and prevent client-side attacks.
Continuous monitoring: It's vital that issues are alerted on the spot and they can be remediated quickly.
- Alerts: Make sure you can set alerts to immediately detect any configuration drifts or potential risks.
- Activity monitor: The ability to track activities of privileged users and those of interest across your SaaS estate and to simplify forensic and retrospective investigations for cross-platform (e.g., user creation) and platform-specific activities.
- Posture over time: Static snapshots aren't enough to view network changes. Look for a system that provides a timeline view of your SaaS environment, so you can detect changes and see how your system has evolved.
Quick and easy remediation: To combat threats, fast remediation of any misconfiguration is critical and there are a few outstanding capabilities to support this.
- Context: For security teams, context is vital. It can be helpful to find systems that can share the extent and severity of exposure as well as details on those who were impacted so the security team can prioritize the high-risk misconfigurations.
- Ticketing: Be able to open and send tickets to the relevant team (IT/security/app owner), detailing the vulnerability and describing the steps needed to remediate the issue within a seamless workflow.
- Auto-remediation: Have the option of auto-fixing and enforcing security policies from within the SSPM software.
We are moving into an era of prevention as opposed to detection and response. This is what SaaS security posture management is all about. It's a relatively new category; however, it's a foundational requirement needed to create a preventative state of protection for the SaaS stack. The right SSPM provides organizations continuous, automated surveillance of all SaaS apps, alongside a built-in knowledge base to ensure the highest SaaS security hygiene.
About the Author
A former cybersecurity intelligence officer in the IDF, Maor Bin has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his BSc in Computer Science and is CEO and co-founder of Adaptive Shield, the SaaS Security Posture Management solution built to help security teams gain control over their SaaS app security and prevent vulnerabilities that could lead to a leak or breach.