What's not to like about the cloud? Easier, cheaper, more cost-effective than on-premises systems, the cloud has been a boon for the enterprise. Software-as-a-service (SaaS) is a big reason for these benefits: By using online services, companies save themselves some of the time, effort, and resources needed to manage, administer, update, and protect applications. However, SaaS can harbor many security vulnerabilities — and not all of them are obvious.
Services of all kinds have proven vulnerable. In fact, cloud-based services are now the most common delivery method for malware, with nearly 70% of hacks and exploits downloaded from those services. And that's just within the "official" universe of services an organization uses. One study found that 97% of cloud apps were being used without the authorization or even knowledge of security teams.
Here are some things organizations should think about when evaluating the security of new — and existing — SaaS applications.
In general, companies should consider the level of visibility they have into the online services they are using. In fact, many companies are using so many different services that it can be difficult for security teams to keep track of them. This can lead to a number of unintended consequences. For example, by some estimates, companies are
losing billions each year in unused SaaS license fees and duplicate services in different accounts.
The security of online services themselves is another concern. Security teams should consider whether services use sufficient encryption for login information. They should also check whether a service has been hacked in the past, and if so, what the provider did in response.
Even if all that checks out, a service is only as secure as the way people use it. It's important to ensure that employees are not using the same credentials for services and network logins, and that they aren't sharing accounts or credentials. It's also critical to make sure that accounts are closed when employees leave the organization.
Another aspect of SaaS security to consider is how various services interact with each other. SaaS connectivity — including features like apps and services sending notifications to each other — is a potential vulnerability for data privacy. Do organizations understand how employees are using multiple apps and add-ons, as well as what permissions are required for integration and notifications?
The use of SaaS also affects overall network security. For example, services often will install code or cookies on user devices. Does that code contain something that could interfere with the optimal operation of the IT system? Does the service share data about user activities with third parties, and are those parties secure? Can a service potentially damage an organization's resources — even inadvertently — with its activities?
Questions abound when it comes to SaaS in the enterprise, and the answers are difficult to come by. But companies increasingly need to seek these answers, or at least be aware of the questions. That will help them set proper policies, such as implementing more effective whitelists, and not only shutting down the accounts of people who have left the organization but also revoking rights to documents and other permissions. It will also help them invest in the security solutions that most closely match their needs.
SaaS and cloud-based services can save companies significant amounts of money each year. They also enable increased agility, improved efficiencies, better utilization of data, and better customer service, among other benefits. However, all of this can come at a security cost. By increasing visibility into what SaaS does within the organization, security teams can ensure they get the full benefits of these services — while avoiding many of the dangers.