Establishing a SaaS Security Approach

Software-as-a-service (SaaS) applications have provided tremendous value to end users due to their easy setup and collaboration capabilities. However, because SaaS environments are often hidden to network administrators, ­enterprise security tools designed to protect internal data centers, ­servers and ­workstations can’t effectively protect SaaS apps or prevent data ­leakage. Securing SaaS apps largely includes classifying different ­groupings of applications in order to understand what they are doing and how to control them, as well as setting zones of trust to control access. The goal for a SaaS security implementation should be to end up with a set of ­well-­defined and enforced application and usage policies for ­sanctioned, ­tolerated and unsanctioned SaaS applications to better protect the data they house.

The grouping of applications is based on how much trust an organization has in any given application and how each is treated based on the different levels of trust:

• Sanctioned apps give IT teams the confidence to allow majority access based on the security measures the vendors take. They are likely SOC 2-compliant and commonly use encryption and/or single sign-on.
• Tolerated apps aren’t necessarily as strongly trusted as sanctioned apps, but the organization still allows employees to use them, possibly because a partner or vendor uses them, or because the organization is migrating toward sanctioned alternatives.
• Unsanctioned apps are potentially dangerous, known to expose organizations­ to data theft and malware risks. Organizations neither want nor trust individuals to use them, and there is often no legitimate business purpose for doing so.

Some of the challenges in securing SaaS applications include handling end users who sign up for cloud applications without IT approval or governance; monitoring and blocking the use of unsanctioned applications; and dealing with a lack of visibility into data in the cloud.

When establishing a SaaS security approach to protect data and employees from data exposure or threats, organizations should ensure it includes the following:

• Complete visibility across all users and data, providing detailed analysis that helps you transition from a position of speculation to one of certainty at any given time.
• Identification of apps in use to create policies that can specify the application, regardless of port and encryption.
• Retroactive analysis of data exposure that not only looks at data in-line, but also from the creation of the SaaS account itself, no matter how long ago that was.
• Deep analytics into day-to-day usage, allowing quick determination of any data risks or compliance-related policy violations.
• Granular, context-aware policy control that enables the organization to drive enforcement as well as quarantine users and data as soon as a violation occurs.
• Advanced threat prevention that can block known malware as well as identify and block unknown malware.
• Realtime threat intelligence on known and unknown threats to prevent new SaaS-based insertion points for malware “in the wild.”
• Deployment of solutions and functionality without affecting the user experience or degrading performance.

By following these criteria, you will be able to choose a platform that provides the most comprehensive and robust protection for your organization. Securing your SaaS applications – and ultimately your organization’s data – requires a complete end-to-end platform that includes industry-leading next-generation firewalls for your network, a cloud security service to protect your SaaS apps, and advanced threat intelligence to protect against known and unknown threats.

Learn more about vetting SaaS vendors in this blog post: Your SaaS Security Checklist.

Resources:

• E-book: Making SaaS Safe: 7 Requirements for Securing Cloud Applications and Data
• Video: Securing O365 and Cloud Apps with Prisma
• White paper: Secure the Cloud: Cloud-Enabled Mobile Workforce