To judge whether your SaaS apps are safe, and whether any of them pose a threat to your business, you first need discovery: an inventory of exactly which SaaS apps exist in your SaaS estate, so you can manage that layer and identify which apps should be used with caution (or not at all). That is why obtaining a security score for each SaaS app should be part of discovery. A customizable security score lets you make informed decisions about your SaaS estate instead of treating every app as equally trusted.
“Long gone are the days when organizations controlled all areas of their security,” says cyber security expert Stephanie Benoit-Kurtz. “The threat landscape has changed so rapidly that even if a company’s end users do everything perfectly to protect their assets and identity, a third-party breach can compromise their personal and private information.”
A security score gives you a clearer picture of your SaaS estate. In a landscape with so many moving parts, the score lets you rank the apps in your estate and quickly pinpoint potential weak spots among the apps your employees are actually using.
How to Determine Your SaaS Security Score
The first step is understanding which SaaS security requirements matter to your organization. Wing's "Three Shield System" provides a suggested weighting for each of the factors outlined below, but the weighting is fully customizable: you can raise or lower the importance of each factor according to what matters most to your organization.
Wing Security scores each app on a sliding scale, with 1 shield being a low ranking and 3 shields a high ranking. A low ranking indicates that the app does not meet your organization's minimum requirements and that further action is required on its use. A high ranking indicates that the app meets your specified requirements and no further action is needed. However, continuous monitoring of a highly ranked app ensures you are informed quickly if that status changes, for example when a certification lapses. Users can adjust the weight of six individual factors to determine an app's security score. The factors are listed below:
The 6 factors that will help you determine your SaaS apps’ security score
- Company size
Whether a solution was built by a start-up or a multinational enterprise, vendor size matters when ranking the security of SaaS apps. A larger company is more likely to have a dedicated security team, mature processes and the resources to respond to incidents, whereas a smaller company may lack them, or the app itself may be an immature product that carries risk. Size is a proxy, not a guarantee, which is why it is one weighted factor among six rather than a verdict on its own.
- Marketplace Presence
For this factor, Wing checks whether the app is listed in the public marketplaces run by large platform vendors such as Google or Slack, and awards points according to how many marketplaces list it. The reasoning is simple: to be approved for one of these marketplaces, a vendor must supply a substantial amount of detail about the app and satisfy the platform's security and compliance requirements, so listing implies a baseline level of security review. An app approved by several of these platforms has passed that review several times over. Marketplace presence raises confidence, but it is a baseline check rather than proof that the app is safe, which is why it is combined with the compliance factors below.
- Privacy compliances
A vendor's track record on privacy compliance should factor into your SaaS security scoring. Most SaaS apps handle very sensitive data, and you need assurance that this data is processed and stored properly on the vendor's servers. Which compliance standards an app is required to maintain differs from vendor to vendor, depending on its industry.
Privacy requirements vary by geographic location and sector, and include frameworks such as GDPR, the EU-US and Swiss-US Privacy Shield (both found inadequate in 2020 and since succeeded by the Data Privacy Framework), CCPA, HIPAA and ISO 27001.
You decide how much weight an app's privacy compliance carries for your company, then screen for which apps meet that bar (or are not compliant enough). SaaS apps that fail to meet this minimum requirement receive a lower score for this factor.
- Security compliances
In the same vein as privacy compliance, an app's security compliance (or lack of it) speaks volumes about the overall safety of the solution. You need to determine which security standards, if any, the app adheres to. These include SOC 2, SOX, PCI DSS, ISO 27001 and HIPAA. You specify which ones matter most to your organization, and SaaS apps that do not reach that minimum receive a lower score for this factor. A current certification or attestation report is stronger evidence than a claim of alignment on a marketing page, so prefer apps that can produce the report.
- API status
Whether a SaaS app exposes an API must be considered when scoring risk. APIs make integrations significantly easier, and because they are so common and are typically granted access to large amounts of sensitive data or to other software through tokens and OAuth grants, the vendor's backend has to uphold a corresponding level of security for the API to be safe to use. A proper assessment of an app's SaaS security requirements therefore takes its API, and the access that API is given, into account.
- Public or private company status
Whether the vendor is a private enterprise or a publicly traded company says something about its internal structure and obligations. Public companies are subject to financial reporting, audit and disclosure requirements, so more of their governance and control environment is a matter of public record and subject to outside scrutiny; private companies carry no such obligation, and you may have less visibility into how they handle sensitive data. If this matters to your organization, you can assign an app's public or private status a larger share of the overall SaaS app security score.
What Happens When a SaaS app Returns a Low Score?
If a SaaS app scores below your minimum threshold, you can configure the solution to automatically revoke user access to the problematic app, or to notify the user or a security leader to take further action. Wing's customizable system lets you set whichever measures you decide are the right next steps for your business, so you retain as much or as little direct control as you like.
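The scoring model described above (six weighted factors, a 1 to 3 shield rating, and an automated action when an app falls below your threshold) worked through in Python, as an added example for this article. This is illustrative code, not Wing Security's product or algorithm: how each factor is normalized to a 0 to 1 value, the default weights, the shield cut-offs, the choice to treat an API as lowering the score because it widens access, and the two sample apps and the policy are all assumptions constructed for the example.

```python
"""Illustrative weighted SaaS-app scoring (example code, not Wing Security's)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# The six factors discussed in the article.
FACTORS = ("company_size", "marketplace_presence", "privacy_compliance",
           "security_compliance", "api_status", "public_company")

# Assumed default weights; an organization adjusts these to its own priorities.
DEFAULT_WEIGHTS = {"company_size": 1.0, "marketplace_presence": 1.0,
                   "privacy_compliance": 2.0, "security_compliance": 2.0,
                   "api_status": 1.0, "public_company": 0.5}


@dataclass(frozen=True)
class AppProfile:
    """Facts gathered about one SaaS vendor during discovery (constructed)."""
    name: str
    employees: int
    marketplaces: Tuple[str, ...]
    privacy_standards: FrozenSet[str]
    security_standards: FrozenSet[str]
    has_api: bool
    is_public: bool


@dataclass(frozen=True)
class Policy:
    """Your organization's requirements, weights and low-score response (assumed)."""
    weights: Dict[str, float]
    required_privacy: FrozenSet[str]
    required_security: FrozenSet[str]
    min_shields: int = 2
    low_score_action: str = "notify"  # or "block" to revoke access automatically


def factor_scores(app: AppProfile, policy: Policy) -> Dict[str, float]:
    """Normalize every factor to a value between 0.0 (worst) and 1.0 (best)."""
    def coverage(have: FrozenSet[str], need: FrozenSet[str]) -> float:
        # Fraction of the standards you require that the vendor actually holds.
        return 1.0 if not need else len(have & need) / len(need)

    # Assumed size tiers: larger vendors get more credit, up to a cap of 1.0.
    size_tiers = ((50, 0.25), (500, 0.5), (5000, 0.75))
    size = next((v for limit, v in size_tiers if app.employees < limit), 1.0)
    return {
        "company_size": size,
        "marketplace_presence": min(len(app.marketplaces) / 3, 1.0),
        "privacy_compliance": coverage(app.privacy_standards, policy.required_privacy),
        "security_compliance": coverage(app.security_standards, policy.required_security),
        # Assumption: an API widens access to data, so it costs points unless weighted to 0.
        "api_status": 0.5 if app.has_api else 1.0,
        "public_company": 1.0 if app.is_public else 0.5,
    }


def weighted_score(scores: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted average of the factor scores; factors with no weight are ignored."""
    total = sum(weights.get(f, 0.0) for f in FACTORS)
    if total <= 0:
        raise ValueError("at least one factor must carry a positive weight")
    return sum(weights.get(f, 0.0) * scores[f] for f in FACTORS) / total


def shields(score: float) -> int:
    """Map the 0..1 score onto the 1 to 3 shield scale (cut-offs are assumed)."""
    if score < 0.5:
        return 1
    if score < 0.75:
        return 2
    return 3


def evaluate(app: AppProfile, policy: Policy) -> dict:
    """Score one app and decide the action the policy prescribes for it."""
    scores = factor_scores(app, policy)
    score = weighted_score(scores, policy.weights)
    rank = shields(score)
    action = "allow" if rank >= policy.min_shields else policy.low_score_action
    return {"app": app.name, "factors": scores, "score": round(score, 3),
            "shields": rank, "action": action}


# Constructed sample data: a large, well-certified vendor and a small start-up.
SAMPLE_POLICY = Policy(DEFAULT_WEIGHTS, frozenset({"GDPR", "CCPA"}),
                       frozenset({"SOC 2", "ISO 27001"}), min_shields=2,
                       low_score_action="block")
BIG_DOCS = AppProfile("BigDocs", 12000, ("Google Workspace", "Slack", "Microsoft 365"),
                      frozenset({"GDPR", "CCPA"}), frozenset({"SOC 2", "ISO 27001"}),
                      has_api=True, is_public=True)
QUICK_NOTES = AppProfile("QuickNotes", 20, (), frozenset({"GDPR"}), frozenset(),
                         has_api=True, is_public=False)

if __name__ == "__main__":
    for app in (BIG_DOCS, QUICK_NOTES):
        print(evaluate(app, SAMPLE_POLICY))
```

Changing the weights changes the verdict without touching the data: a policy that weights only `security_compliance` drops the start-up to a score of 0 (one shield, blocked) while leaving the certified vendor at 1.0, which is the customization the article describes.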
See It For Yourself
Seems too good to be true? You wouldn't be the first to think so. Contact us today for a demo so we can show you Wing Security's approach to SaaS security.