Persuading employees to abide by software-as-a-service (SaaS) and other cybersecurity policies remains a key defense against SaaS incidents and breaches. Indeed, Gartner recognizes that the root causes in 99% of cloud breaches are preventable misconfigurations or other mistakes by end users.
With the average breach now exceeding $4.4 million, every CISO recognizes the value — and urgency — of boosting compliance with SaaS security protocols. Yet security leaders can undermine their goal of increasing companywide adherence to SaaS security policies when they adopt excessive requirements for employees to follow, particularly in procurement stages.
Where Procurement, SaaS Security, and Company Culture Overlap
The idea is simple: To mitigate the risk of onboarding unsecure SaaS platforms, start by intervening before a purchase or trial begins. This is not a concern when handled correctly.
SaaS audits and checklists such as vendor questionnaires, SOC2 audits, and penetration test reviews are longstanding, reasonable components of the procurement process. Security and IT teams partner with finance to enforce extensive due diligence and procurement controls upfront. These vetting activities generally fall under the domain of third-party risk management. This partnership is meant to get ahead of potential SaaS cybersecurity risks, which typically rise during vendor onboarding and operationalization.
Implementing approval stage gates (or blockers) could be mistaken as a gatekeeping mechanism that hampers innovation and process improvement. Yet what is necessary is a cultural shift based on employee behaviors, usage metrics, and a clear, well-communicated SaaS procurement strategy.
More importantly, business and security leaders may not recognize that the greatest risks to the business often occur after implementing a new SaaS application. A lack of configuration and attack surface assessment once a SaaS application goes live creates a blind spot for organizations. This can introduce a heightened risk profile that few organizations include in their monitoring criteria. Companies, in conjunction with line-of-business owners, should look to define risk guardrails that go beyond the initial procurement phase and implement continuous monitoring processes for SaaS applications.
Where the Greatest SaaS Risk Hides
Organizations regularly assess SaaS vendors prior to or during an application or technology's procurement phase. But SaaS risk doesn't end at onboarding or launch. Once you flip the switch on an application, most organizations have zero visibility into its configurations and ongoing operations.
SaaS environments go through a continuous lifecycle of change that can create critical security gaps and inadvertent configuration drift over time. Furthermore, vendors continuously push updates that can affect security settings. These settings do not conform to any universal standard — meaning the CISO's organization needs to learn each SaaS application's unique security settings, interpret them, and create policies to protect the business and its data assets. Considering the average organization uses between 50 and 100 sanctioned SaaS applications, developing this level of expertise in-house is challenging and highly unlikely.
Beyond security configurations, SaaS's decentralized and extensible nature makes it an undeniable boon for business at the cost of frequent permission drift. Overprovisioning dramatically increases the likelihood of leaks or compromising sensitive data. If an employee with an over-permissioned account connects an unsanctioned SaaS app to an enterprise system — such as a project management app to the company's office productivity suite — they're unknowingly providing threat actors with another entry point to the sensitive data. Our AppOmni team once witnessed a CISO's multimillion-dollar identity provider investment essentially negated by SaaS applications with multifactor authentication (MFA) set to "optional" by mistake.
Clearly, the risk introduced downstream in terms of configuration drift and data exposure exceeds what's possible at the procurement stage. CISOs and their teams need employees to remain vigilant to keep the entire SaaS estate as secure as possible. This is accomplished through establishing relationships and guardrails and developing a dedicated SaaS security program, not obstruction and excessive gatekeeping exclusively during procurement.
How to Curb the Risks
Instead of policies that threaten budgets, opt for guardrails that illustrate what activities are in bounds and which require a discussion. Proactively talk to business leaders before they seek security's help or guidance. Find out what they're trying to accomplish and why the goal matters to the business. And explain the risks of breaches and leaks in dollars and productivity lost, along with potential liabilities.
Ensure everyone in the security team understands that the mission involves helping the business achieve its goals as securely and quickly as possible. Security should be the first to propose alternative solutions if the desired SaaS app poses risks that cannot reasonably be mitigated.
Finance and procurement are crucial allies, but they are not in the business of securing SaaS on a day-to-day basis. Clear guardrails and positive relationships are the smarter bet for long-term SaaS security adherence.
About the Author
Harold Byun is Chief Product Officer at AppOmni. He has more than 25 years of experience in the security industry as both a practitioner and product leader. Prior to joining AppOmni, he held product leadership roles at ServiceNow, Skyhigh Networks, MobileIron, and Symantec. His career includes work in a number of security domains across security orchestration and automated response (SOAR), cloud access security broker (CASB), governance risk and compliance (GRC), data loss prevention (DLP), encryption, and data access monitoring. Harold also holds several data security-related patents.