Numerous organizations have experienced major data breaches in recent years because of security configuration errors in their cloud applications.
A research report by DivvyCloud earlier this year estimated as many as 33.4 billion records were exposed in breaches resulting from misconfigured cloud apps and services in 2018 and 2019 alone. Each year, the number of records exposed via such breaches has increased despite heightened awareness of the issue. Gartner estimates that through 2025, 99% of all breaches in the cloud will result from customer mistakes.
The trend has spawned the emergence of a relatively new category of security tools known as Cloud Security Posture Management (CSPM) or SaaS Security Posture Management (SSPM).
The newest entrant to that market category is Adaptive Shield, an Israel-based startup that this week emerged from stealth mode with $4 million in venture funding. Like the rapidly growing number of other vendors in the general space, Adaptive Shield's platform is designed to help organizations proactively find and address misconfigurations in their SaaS environment that could lead to exposing data.
The company claims that its technology can be deployed in minutes and can be used to automate discovery of configuration errors; to continuously monitor for them; and to provide alerts when potential new issues are discovered.
Maor Bin, co-founder and CEO of Adaptive Shield, says businesses today run nearly every facet of their operations on a wide array of interconnected cloud services. "The problem is that even though SaaS providers have been improving their native security capabilities and controls, each has its own security model and settings," Bin notes. "This makes maintaining a consistent policy across platforms, business units, and user groups an uphill battle."
Common Configuration Errors
According to Bin, the most common security problems resulting from poorly configured SaaS environments include: a failure by SaaS administrators to require multi-factor authentication for system owners and super users; the use of shared mailboxes for financial, customer, and other sensitive information; and overly permissive access for external users.
Other common security lapses include a failure to turn on auditing or logging functions for monitoring user and system activity, and leaving sensitive dashboards, forms, discussions, and other data publicly exposed and accessible over the Internet.
In many cases, SaaS platforms offer a wide range of built-in security configurations to minimize risk to enterprise data. But security teams can get overwhelmed trying to manage the settings across all of their apps, he notes.
Bin says aside from identifying and discovering configuration errors, the platform also can help speed up the remediation process. "Every issue that is presented in the platform comes with a remediation plan — step-by-step instructions on how to fix the issue," he says. Adaptive also offers automation in terms of transmitting configuration error details to the change board, and a remediation bot that performs automated fixes for simple configuration errors. The platform can be integrated with a SIEM to report configuration drifts, users who are violating policy, and other potential security issues.
Other vendors that offer similar SaaS security posture management and continuous compliance capabilities include AppOmni and Obsidian Security, Bin says.
AppOmni has so far raised $13 million in funding from multiple venture capital firms. The company has described its platform as a "Rosetta Stone" for translating and enforcing an organization's current security policies and configurations in the cloud. Obsidian, founded by former executives at Carbon Black, Cylance, AWS, and other companies, so far has raised close to $30 million in funding from an array of venture partners including Greylock and GV, a venture firm belonging to Google parent Alphabet.
Several other vendors, including Orca Security, Zscaler, Bitglass, and Fugue (which has raised some $70 million in VC funding), offer capabilities for cloud security posture management.