
SaaS Application Risks and The Human Element

For far too long, the conversation around cloud and security has revolved around Shadow IT, the use of cloud applications that IT doesn’t know about. The reality, however, is that 90% of corporate data will reside in the SaaS applications that are approved for business use. That’s where the attention of IT organizations should focus on – how to extend visibility, governance and protection to these SaaS applications.


But, when it comes to SaaS applications versus on-premise, there are three characteristics that define the need for a different approach to data governance, risk management and security in the cloud:

Anywhere, anytime, any-device access – First, users with an account and password can access SaaS applications from anywhere, on any device, at any time. This includes access via managed and unmanaged devices. This is very different from on-premise applications, where access is only allowed via corporate VPN networks and managed devices, and additional layers of security sit between the user and the data center hosting the application.

For the first time, how information is used and shared is defined by users, not IT – SaaS application folders and files are created by users. Users can invite collaborators and share these files with anyone using just one link. Many of these users have very little security background, so they may not recognize when their actions bring risk to the organization.

Unique data sharing capabilities – There are a myriad of ways that data is shared and stored, unique to every SaaS application. For example, did you know that within Salesforce alone, you can have data in Chatter files, CRM content, Salesforce knowledge base articles, documents (web development materials), and attachments (files attached to a record)? It is unrealistic to expect IT security administrators to understand the nuances of every SaaS application, yet they are ultimately responsible for governance of the data in it.

What all this means is that SaaS application usage risks are inextricably tied to the human element. Who users interact with, their privileges, the data they touch, how they access the data and their behaviors are the very attributes that impact an organization’s risk profile in the cloud.

Here are the five best practices to manage your risks with SaaS application usage, courtesy of real-world data from Adallom’s Cloud Usage Risk Report.

1. Address your zombies

Those of you who are close to me know that I’m a huge fan of AMC’s Walking Dead, a show about the zombie apocalypse. I’m stocking up on ammo and working on my samurai-wielding skills as we speak. But, it turns out these skills will be useful for my day job as well because zombies are real and thriving in the cloud. 11% of all enterprise SaaS accounts are “zombies,” users who have been inactive for the last three months. They are at best eating up (no pun intended) the cost of a SaaS application license, and at worst increasing the attack surface of the organization. It’s a best practice to address your zombie users.


2. Plan for the departed

Don’t forget about the employees who have left the company. 80% of companies have at least one former employee whose SaaS application credentials have not been disabled. As part of the exit interview, organizations have a plan in place for disabling on-premise access (easily accomplished by turning off “VPN” access), but may not have formulated a plan for cloud. Not only must access to corporate SaaS applications be removed, but IT administrators must also account for files that are owned by the departing employee. A transition plan must be in place to transfer ownership of files to prevent “orphan” file issues where files have no clear attestation trails or violate data retention policies.

3. More admins, more problems

Privileged users bring greater risks because their access makes it easier for them to do damage, whether intentionally or because their credentials were stolen. In some SaaS applications, Adallom recorded an average of 7 administrators out of every 100 users. Sometimes the reason for this is benign: an IT administrator grants a user privileges to run a special report and forgets to rescind the privileges later. Other times, it is because the application administrator accidentally created the same privileged accounts for multiple users. Regardless, it represents a significant threat to any organization and requires immediate attention.
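The first three practices (zombie accounts, departed employees, and admin sprawl) can all be checked from a single user export. The following is an added example, not code from the article or from Adallom: it runs the three checks over a constructed account list. The 90-day inactivity window follows the article's "three months"; the 5% admin-ratio threshold is an assumption chosen so that the article's 7-per-100 figure would trip it.

```python
from datetime import date, timedelta

# Constructed sample user export (not real data). Each row is
# (username, role, last_login as ISO date, still_employed).
ACCOUNTS = [
    ("alice@example.com", "user",  "2014-06-02", True),
    ("bob@example.com",   "admin", "2014-06-01", True),
    ("carol@example.com", "user",  "2014-01-15", True),   # zombie: no login in 90+ days
    ("dave@example.com",  "user",  "2014-05-20", False),  # left the company, still enabled
    ("erin@example.com",  "admin", "2014-05-30", True),
    ("frank@example.com", "admin", "2013-12-01", False),  # departed admin, also inactive
]

ZOMBIE_DAYS = 90          # "inactive for the last three months"
ADMIN_RATIO_LIMIT = 0.05  # assumed threshold; 7 admins per 100 users would exceed it

def zombies(accounts, today_iso, window=ZOMBIE_DAYS):
    """Accounts with no login inside the inactivity window."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=window)
    return sorted(u for u, _, last, _ in accounts
                  if date.fromisoformat(last) < cutoff)

def departed(accounts):
    """Accounts that still exist for people who are no longer employed."""
    return sorted(u for u, _, _, employed in accounts if not employed)

def admin_ratio(accounts):
    """Fraction of all accounts that hold the admin role."""
    admins = sum(1 for _, role, _, _ in accounts if role == "admin")
    return admins / len(accounts) if accounts else 0.0

def audit(accounts, today_iso):
    """Bundle the three account-hygiene checks into one report."""
    ratio = admin_ratio(accounts)
    return {
        "zombies": zombies(accounts, today_iso),
        "departed": departed(accounts),
        "admin_ratio": round(ratio, 3),
        "too_many_admins": ratio > ADMIN_RATIO_LIMIT,
    }

if __name__ == "__main__":
    for key, value in audit(ACCOUNTS, "2014-06-10").items():
        print(f"{key}: {value}")
```

Each finding maps to an action: disable or delete zombies, remove departed users and reassign their files, and review every admin grant that cannot be justified.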

4. Where is your data?

37% of Adallom customers discovered they stored more cloud data in Salesforce than in any other cloud storage service. For governance and security purposes, it is critical to understand where corporate data resides and whom it is being shared with. Don’t assume that it only exists in content management systems. The best practice here is to integrate an enterprise storage solution (like Box) for governance, along with a Cloud Access Security Broker for risk management.

5. Sharing is caring, except in the cloud

Sharing in the cloud is extremely easy. After all, collaboration is one of the reasons to move to cloud applications. Users are likely to (accidentally) provide public access to a folder, enable access to a third-party application or share files with their personal email accounts. The statistics are staggering:

• The average company shares files with 393 external domains

• 5% of an average company’s private files are publicly accessible

• 29% of employees share an average of 98 corporate files with their personal email accounts

Best practices include disabling anonymous access and indexing within your SaaS application. This prevents search engines from indexing or crawling documents within SaaS applications. You must also identify oversharing violators, and how third-party ecosystem applications are integrating with your SaaS applications. Cloud access security brokers focused on governance and threat prevention can help with addressing these issues, including removing public access.
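The sharing statistics above (external domains, publicly accessible files, shares to personal email) can be measured from a sharing export before a CASB is in place. This is an added example, not the article's or Adallom's code; the corporate domain, the list of consumer mail providers, and the share records are all constructed for illustration.

```python
from collections import Counter, defaultdict

CORP_DOMAIN = "example.com"  # assumed corporate domain
# Assumed consumer mail providers used to flag "personal email" shares.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed sample sharing export (not real data):
# (file_id, owner, recipient); recipient "anyone" means a public link.
SHARES = [
    ("f1", "alice@example.com", "bob@example.com"),
    ("f2", "alice@example.com", "partner@vendor.org"),
    ("f3", "bob@example.com",   "anyone"),
    ("f4", "bob@example.com",   "bob.personal@gmail.com"),
    ("f5", "carol@example.com", "cfo@client.co"),
    ("f6", "carol@example.com", "anyone"),
    ("f7", "carol@example.com", "carol99@yahoo.com"),
    ("f8", "dave@example.com",  "erin@example.com"),
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def external_domains(shares):
    """Distinct non-corporate domains that have received a share."""
    return sorted({domain(r) for _, _, r in shares
                   if r != "anyone" and domain(r) != CORP_DOMAIN})

def public_files(shares):
    """Files reachable by anyone with the link (and by search engines)."""
    return sorted({f for f, _, r in shares if r == "anyone"})

def personal_email_shares(shares):
    """Owner -> files that owner shared with a consumer mailbox."""
    out = defaultdict(list)
    for f, owner, r in shares:
        if r != "anyone" and domain(r) in PERSONAL_DOMAINS:
            out[owner].append(f)
    return dict(out)

def oversharers(shares, top=3):
    """Owners ranked by count of public or external shares."""
    c = Counter(owner for _, owner, r in shares
                if r == "anyone" or domain(r) != CORP_DOMAIN)
    return c.most_common(top)

def report(shares):
    total = len({f for f, _, _ in shares})
    pub = public_files(shares)
    return {"external_domains": external_domains(shares),
            "public_files": pub,
            "public_pct": round(100 * len(pub) / total, 1) if total else 0.0,
            "personal_email_shares": personal_email_shares(shares),
            "oversharers": oversharers(shares)}
```

The public-file list is the set to revoke first, since those are the documents exposed to indexing.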

Written By

Danelle is a seasoned product and solutions marketing leader with expertise in bringing disruptive security, cloud and AI technologies to market. She has more than 20 years of experience building and scaling GTM teams and positioning companies for growth — from early stage startups to IPO. Prior to Infoblox, Danelle held multiple Chief Marketing Officer roles, including Ordr, Blue Hexagon (acquired by Qualys) and SafeBreach where she helped define and build a new market category. She was also VP strategy and marketing at Adallom (acquired by Microsoft) and played a key role in Palo Alto Networks growth through IPO as a leader in solutions marketing. Earlier in her career, she held senior product management roles at Cisco, overseeing security, networking and VoIP products. She was co-founder of a high-speed networking chipset startup, co-author of an IP Communications Book and holds 2 U.S. patents. She has an MSEE from UC Berkeley.
