Debunking Three SaaS Security Myths

The SaaS revolution is here.

According to Gartner, SaaS and cloud-based business application services revenue will grow from $13.5 billion in 2011 to $32.8 billion in 2016. PwC’s latest Global 100 Software Leaders Report data shows that the top software companies in the industry have continued a consistent and growing shift towards Software-as-a-Service (SaaS), growing their revenues by 60% to US$20 billion.

As SaaS adoption grows, so do the security concerns. But there is so much confusion around SaaS security that many enterprises are focusing on the wrong problems. Here are the three biggest myths when it comes to SaaS security:

Myth #1 – Shadow IT is the biggest SaaS problem.

Much of the concern around SaaS security has been on the proliferation of unsanctioned IT apps, the so-called Shadow IT applications being deployed by rogue users.

If you believe that these rogue departmental users, who have circumvented formal IT provisioning processes and sidestepped IT security controls in the process, are just trying to find more effective ways to do their jobs and gain competitive advantages (another benefit of SaaS), then the goal should be to empower them. IT can either conduct a proper analysis of the shadow IT application to determine whether it is appropriate for the organization, or provide an approved alternative. Christopher Mims's article in the Wall Street Journal, “Let Staff Go Rogue on Tech”, talks about this:

Once a shadow IT service is sufficiently popular, whoever is in charge usually conducts a formal analysis of the provider’s security measures and compliance with appropriate regulations. As long as everything checks out, what started as an employee end-run around their own IT staff becomes institutionalized.

In other words, shadow IT is manageable and most of your efforts will focus on monitoring your users once a quarter. It is not the doom and gloom SaaS security problem that everyone is pitching it to be. It is an opportunity to learn about IT applications that everyone can benefit from, so don’t fight it.

SaaS security is not about discovering and fighting Shadow IT. It is instead about securing your approved SaaS applications (remember that this list will include Shadow IT applications that have been institutionalized), which hold the bulk of the company data that must be protected. It is about ensuring that this data, and the full range of functions available in SaaS, is compliant with the standards in your industry and protected from threats, misuse or abuse.

Myth #2 – Security that works in my enterprise works for SaaS

If you agree on the SaaS security problem, then it’s time to debunk the next myth… that the security solution that you’re using actually addresses your needs.

Organizations want to extend the same security and risk/compliance controls they have in the enterprise to SaaS, but in fact, traditional security solutions are ineffective because of the following reasons:

Lack of visibility – Under the shared responsibility model, security for the SaaS application is split between the cloud provider and the customer. The cloud provider is responsible for securing its services, while enterprises are accountable for usage and all user activity. Yet an enterprise and its existing security solutions may have very little visibility into, or control over, the SaaS application and its infrastructure, which makes the latter hard to achieve.

Mobility and BYOD – A key benefit of SaaS, the ability to easily access an application from anywhere, at any time and on any device, brings security challenges. Traditional security solutions will fail unless you adopt an extreme access policy model where you only allow user access to SaaS via VPN and managed IT devices, or route it through the enterprise IP address range, which largely defeats the value of the cloud.

SaaS application diversity – Every SaaS application is created to solve a particular customer problem in its own way. As a result, user functions, file sharing and collaboration options differ from application to application, yet each may be subject to risk and compliance mandates. Firewalls and IPS can be extremely ineffective when it comes to understanding all of these application-specific settings.

Myth #3 – The Biggest Risks To SaaS Are Stolen Credentials

SaaS services may conceivably be more secure than internally managed enterprise applications (depending on the cloud provider's security focus), but their adoption introduces new attack vectors. These range from sensitive corporate data being accessed by cybercriminals, sensitive corporate data being exposed or misused by authorized users, and stolen credentials, to external attacks on the SaaS applications themselves.

Are these concerns real?

We know attacks are already happening today. We have seen Zeus variants configured to detect and extract data from Salesforce.com sessions (rather than online banking sessions).

Misuse and abuse of SaaS applications are related to the user, which in many cases is the weakest link, a fact that is well documented. Intentionally or maliciously, users are introducing risks to the business that IT is not aware of. When was the last time IT tracked and validated that users had not enabled public access for a financial spreadsheet in a SaaS application? When was the last time you received an alert that a user had authenticated to a SaaS application from multiple locations? Can IT validate that the download of customer information by a sales person meets his or her normal application usage pattern and is not data exfiltration?
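The three questions above map directly onto detection rules that can be run over a SaaS provider's audit log. The following is an added example, not the author's code or any vendor's product: the event schema, field names, finance keywords and per-user download baselines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SaaS audit events (assumed schema; not from a real provider).
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice", "action": "share",
     "object": "Q1-forecast.xlsx", "visibility": "public"},
    {"ts": "2024-03-01T09:05:00", "user": "bob", "action": "login", "geo": "US"},
    {"ts": "2024-03-01T09:20:00", "user": "bob", "action": "login", "geo": "BR"},
    {"ts": "2024-03-01T09:30:00", "user": "erin", "action": "login", "geo": "US"},
    {"ts": "2024-03-01T10:00:00", "user": "carol", "action": "download",
     "object": "customers.csv", "rows": 50000},
    {"ts": "2024-03-01T11:00:00", "user": "dave", "action": "download",
     "object": "leads.csv", "rows": 40},
]
# Constructed per-user baseline: typical number of rows in one of their exports.
BASELINE_ROWS = {"carol": 200, "dave": 50}
FINANCE_KEYWORDS = ("forecast", "budget", "payroll", "revenue")

def public_finance_shares(events):
    """Objects with a finance-looking name that were shared with public visibility."""
    return [e["object"] for e in events
            if e["action"] == "share" and e.get("visibility") == "public"
            and any(k in e["object"].lower() for k in FINANCE_KEYWORDS)]

def multi_location_logins(events, window=timedelta(hours=1)):
    """Users with two logins from different geos within `window` of each other."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            logins[e["user"]].append((datetime.fromisoformat(e["ts"]), e["geo"]))
    flagged = []
    for user, entries in logins.items():
        entries.sort()  # compare consecutive logins in time order
        for (t1, g1), (t2, g2) in zip(entries, entries[1:]):
            if g1 != g2 and t2 - t1 <= window:
                flagged.append(user)
                break
    return flagged

def download_anomalies(events, baseline=BASELINE_ROWS, factor=10):
    """Downloads larger than `factor` times the user's normal export size.
    A user with no baseline has a threshold of 0, so any download is flagged."""
    return [(e["user"], e["object"], e["rows"]) for e in events
            if e["action"] == "download"
            and e["rows"] > factor * baseline.get(e["user"], 0)]

if __name__ == "__main__":
    print(public_finance_shares(EVENTS))
    print(multi_location_logins(EVENTS))
    print(download_anomalies(EVENTS))
```

In practice the baseline would be learned from each user's history rather than hard-coded, and the geo comparison would account for expected travel.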

Take Control of SaaS

In summary, it’s time to take control of your SaaS applications. Stop fighting shadow IT and stop thinking your existing security solutions work for SaaS. In my next article, I’ll dive deeper into the security requirements for SaaS.

Tweet me @DanelleAu @SecurityWeek on what other SaaS security myths I missed!

Written By

Danelle is CMO at Ordr. She has more than 20 years of experience in bringing new cybersecurity technologies to market. Prior to Ordr, she was CMO at Blue Hexagon (acquired by Qualys), a company using deep learning to detect malware, and CMO at SafeBreach, where she helped build the marketing organization and define the Breach and Attack Simulation category. Previously, she led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also Director, Security Solutions at Palo Alto Networks, driving growth in critical IT initiatives like Zero Trust, virtualization and mobility. Danelle was co-founder of a high-speed networking chipset startup, co-author of a Cisco IP communications book and holds 2 US patents. She holds an MSEE from UC Berkeley.
