SaaS Security refers to securing the attack surface created by organization-wide SaaS usage, and securing the information found within all those SaaS applications.
As SaaS usage has grown to the point that nearly all businesses use SaaS in one way or another, so have the risks it brings. SaaS security is about protecting everything SaaS related, from the access that SaaS allows to the very data that resides in the SaaS apps themselves. With proper SaaS security, everyone throughout the organization can use SaaS freely without compromising cybersecurity.
What is SaaS anyways?
SaaS stands for Software as a Service, and it was a groundbreaking concept when it first came out. While IBM was hosting parts of their clients’ software as early as 1950, the first real SaaS came out in 1999 when Salesforce offered their sales CRM (customer relationship management) software in what was a steal of a deal back then. Instead of charging for the entire software suite up-front, Salesforce allowed customers to try the software free at first, and then pay a monthly/yearly subscription once they decided it was for them. No costly implementation, no servers to set up. And if anyone’s computer stopped working for any reason, they could just log in from any other computer and continue right where they left off. It was a brave new world.
After Salesforce introduced the world to SaaS, it quickly caught on and became one of the more common ways to sell software. And since SaaS also helped companies ramp up their revenue as they sold their software, it also made good business sense.
The “old” way of buying software has quickly become extremely outdated and is no longer a realistic business model. The large onboarding costs, the IT time spent installing and updating the software, and the oversized up-front licensing fees are all negated by the SaaS model. So while the nuances and details of exactly what counts as SaaS might evolve, SaaS is here to stay for the foreseeable future in one way or another.
Don’t SaaS apps have their own built-in security?
Most SaaS apps live ‘in the cloud’, and other than the work done in the past few seconds, everything is saved on that cloud too. Everything is also backed up and secured on that same cloud. Those clouds are usually secured at a fairly robust level and can’t be hacked so easily. But if one ever is, it is important that your SaaS security system retains the capability to shut down that particular SaaS application the moment it gets compromised, so that the attack’s reach into your organization can be cut off.
Cyber-security is a two-way street. While SaaS companies do a lot to secure their apps, users also have to take responsibility for using these apps in a way that doesn’t put their organization at risk, for example by granting unnecessary permissions or sharing sensitive data.
Blindspots and Security Gaps in SaaS Apps
So if most SaaS apps have all their cloud security in place, why is SaaS security needed?
Here are some common ways that threats present themselves in SaaS security:
Apps themselves that are kinda sus – While most SaaS apps are fairly safe, some SaaS apps are themselves a security risk. These can be apps so new that no one knows enough about them, or apps that are missing specific details or compliance certifications that would make them safer. In addition, sometimes an app might just be an easy target or have a known vulnerability, which makes it a risk. Just by knowing the risk level of each app, a decision can be made to find an alternative, or to use the app with greater precautions in place.
All those app2app connections – A large piece of the puzzle with SaaS usage is the app2app connections. An example of an app2app connection would be when users log in to Zoom using Google, or connect Slack to Google Drive. While these app2app connections are super convenient for everyone, they also create a sort of “shadow network” that attackers could exploit to move laterally within the organization. In essence, there’s a whole new “almost hidden” network created by these app2app connections, and securing them is an important part of SaaS security.
That one user – Sometimes the security threats can be narrowed down to specific users. It could be a user who overshares and grants too many tokens and permissions. It could be a user who over-shares sensitive information in Slack channels, or who is inconsistent in the permissions they grant in certain apps. It could be some kind of inconsistency in user activity. Or it could be an ex-employee who was never properly off-boarded and is still shpatzir-ing around the organization’s SaaS for some reason. One study even estimated that 50% of employees can still access their corporate apps. Quickly finding user-related problems like these and other user inconsistencies is critical for SaaS security.
So much over-sharing – One of the great things about SaaS is how it lets users share and work on the same file, either asynchronously or simultaneously; all they need is access and permissions, which is just a few clicks away! The problem is that no one ever revokes sharing, so leaving all these open shares creates a fairly wide attack surface. Add that up over a few years and it really becomes a liability.
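To make these four gaps concrete, here is an added example (not Wing’s code or API) of a small triage pass over a constructed SaaS inventory: OAuth grants as a read-only identity-provider connector might list them, an HR roster of current staff, and shared files. It flags unvetted apps, off-boarded users who still hold tokens, over-broad scopes, long-idle tokens, and open shares nobody revoked; all names, scope strings, category labels and thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (not real data, not Wing's API): OAuth grants as a
# read-only identity-provider connector might list them, an HR roster, shared files.
ACTIVE_USERS = {"alice", "bob"}                           # carol has left
KNOWN_APPS = {"zoom", "slack", "google-drive"}            # vetted apps
BROAD_SCOPES = {"drive.full", "mail.read", "mail.send"}   # assumed scope names
TODAY = date(2024, 6, 1)

@dataclass
class Grant:  # an app2app connection: user authorised app with scopes
    user: str
    app: str
    scopes: set
    last_used: date
@dataclass
class Share:  # a shared resource; link_sharing = "anyone with the link"
    resource: str
    owner: str
    link_sharing: bool
    created: date

GRANTS = [
    Grant("alice", "zoom", {"openid", "email"}, date(2024, 5, 30)),
    Grant("bob", "unknown-notes-app", {"drive.full", "mail.read"}, date(2024, 5, 29)),
    Grant("carol", "slack", {"openid", "drive.readonly"}, date(2023, 11, 2)),
]
SHARES = [
    Share("Q1-board-deck.pptx", "alice", True, date(2022, 1, 15)),
    Share("team-notes.doc", "bob", False, date(2024, 5, 1)),
]

def triage(grants, shares, active_users, today, stale_days=90, share_days=365):
    """Return (category, subject, reason) tuples; the category names
    Apps / Users / Shared Resources are an assumption for this example."""
    findings = []
    for g in grants:
        idle = (today - g.last_used).days
        if g.app not in KNOWN_APPS:
            findings.append(("Apps", g.app, "unvetted app connected via OAuth"))
        if g.user not in active_users:
            findings.append(("Users", g.user, f"off-boarded user still holds a token for {g.app}"))
        if g.scopes & BROAD_SCOPES:
            findings.append(("Users", g.user, f"broad scopes for {g.app}: {sorted(g.scopes & BROAD_SCOPES)}"))
        if idle > stale_days:
            findings.append(("Users", g.user, f"token for {g.app} unused for {idle} days"))
    for s in shares:  # shares nobody ever revoked
        if s.link_sharing and (today - s.created).days > share_days:
            findings.append(("Shared Resources", s.resource, f"open link share since {s.created}"))
    return findings
```

Running `triage(GRANTS, SHARES, ACTIVE_USERS, TODAY)` on the sample data yields one Apps finding, three Users findings and one Shared Resources finding; the thresholds are the knobs a policy would set.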
How Wing’s SaaS security reduces these threats
Wing Security is a SaaS security platform that provides the best of both worlds: fully automated, 360° SaaS security, while remaining non-intrusive.
Here’s how it works:
Non-intrusive Discovery – Wing uses a non-intrusive method for discovering all your SaaS usage: read-only permissions to the “connectors” that are used to log in to SaaS apps, such as Google or Slack (Wing works with many others too). In addition, Wing non-intrusively queries endpoints for known SaaS signatures to complete the picture. This way, Wing finds all SaaS usage across the organization while remaining non-intrusive.
App Security Ranking – Wing applies a ranking system to show the risk level of all SaaS apps across the organization. The ranking is based on a combination of factors such as how long the SaaS has been around, the size of the company providing it, whether it is a public or private company, and its history of known vulnerabilities and compliance issues. Security teams can also decide that some apps are forbidden in their organization, either based on the security ranking or for any other reason.
Issue Categorization – Wing triages all issues that it finds into 3 categories:
- Shared Resources, such as a file or repository
Remediation and involving the end-users – Providing a list of issues without good tools to fix them wouldn’t be much help. Wing provides powerful tools that make it easy to deny apps, revoke or restrict users, and withdraw permissions for shared files or repositories. And to make sure that nothing is erroneously revoked or removed, Wing makes it easy to loop the end-users into the process, so that if something important is on that SaaS, it can remain there.
Built-in Automation – Wing comes with built-in automation, making it really easy to implement a policy for most known issues and have the parameters set by that policy invoked automatically by Wing in the background.
Ongoing Monitoring – Securing all of your SaaS is an ongoing endeavor: new SaaS apps are on-boarded all the time, and new users and resources are constantly being shared. Wing stays with you for the long run to keep your SaaS secure, and makes it easy to let all your workers use SaaS securely.
Ending the Shadow IT Network
SaaS security is about securing the “Shadow Network” created by all the SaaS that an organization uses. It’s important to take a proactive stance in securing all of the SaaS that is being used, as well as continuously monitoring for any new or changed usage. Wing provides the best of both worlds: fully automated, 360° SaaS security, while remaining non-intrusive. With Wing, you can be sure that your SaaS is secure.