For more expert guidance and tips on Zero Trust, read our whitepaper: A Guide to Effective SaaS Management Using a Zero Trust Security Model.
With the shift to remote work and continued acceleration of SaaS adoption, this new way of working is impacting IT operations everywhere. In particular, it’s driving a need for a security model that helps keep organizations and data safe regardless of location. Enter: Zero Trust, which is more relevant than ever.
Zero Trust is hardly new. Forrester introduced it in 2009 as a security framework and a strategy to guide security teams, and it provided the blueprint for:
- micro-segmenting networks to inspect and log all network traffic in real time,
- securing data and resources regardless of location, and
- reducing risks of overly permissive user privileges and access.
In addition, it called for better anomaly detection and data protection, backed by detailed analytics and automated response.
Here, we talk about shared commonalities between the newer Zero Trust eXtended (ZTX) model and SaaSOps—specifically visibility and automated data protection. We also touch on how automating data protection and user orchestration alerting aids your pursuit of Zero Trust security. Finally, we talk about how SaaS-powered enterprises can start protecting their SaaS data today.
Rise of mobility and SaaS drive adoption of both SaaSOps and Zero Trust ZTX
Just as SaaS and mobility drove the emergence of SaaSOps, they also gave rise to “person-centric” network perimeters. Forrester's first update to Zero Trust, published in 2018 as Zero Trust eXtended (ZTX), introduced this concept. The basic premise is the same as in the original framework: no person in the system is trusted by default. The modernized version, however, makes data access through person-centric perimeters central to effective security practice.
And for the first time, Zero Trust ZTX officially extends across the broad digital workplace to include:
- Endpoint devices
- Networks
- People (the workforce)
- Workloads
... and how each of these four interacts with data, making data and its protection the heart of Zero Trust eXtended.
Forrester's diagram of the Zero Trust eXtended (ZTX) Ecosystem shows these pillars alongside two cross-cutting ones: automation and orchestration, and visibility and analytics.
So in Zero Trust ZTX, data protection means you establish trust by verifying people and gaining visibility into how data is used, just as in SaaSOps.
This change evolves Zero Trust from a security blueprint into an ecosystem of technologies: functions like automation, products like single sign-on and privileged access management, and features like visibility, data protection, and user orchestration alerting.
Why SaaS-powered enterprises need automated alerts for Zero Trust
Complete visibility is impossible to achieve manually when the average IT department must manage and secure thousands, if not millions, of user interactions across multiple SaaS applications. Interactions are the actions your users take to get work done (for example, sending a Google Drive file to a coworker in Slack, exporting Salesforce reports, or sharing a file publicly in Dropbox). Manual IT processes alone can't scale fast enough to tackle the data protection challenges that result from exponential data growth.
And if that logic isn’t convincing enough, let’s take a look at the top 10 most common data protection alerts for BetterCloud customers.
Top data protection alerts in BetterCloud
As the table below shows, most organizations had automated data protection alerts triggered for group settings that allow anyone to post (87.1%) and for users with email forwarding enabled (71.2%).
During the same period, nearly half of all organizations had a super admin added to a SaaS app, which highlights how hard SaaS makes it to follow the Zero Trust principle of least privilege.
It's also alarming that nearly 26% of organizations had alerts for folders and files shared externally, and that nearly a quarter had alerts for email forwarded to personal Gmail accounts or for large files. Any of these alerts could indicate an insider threat or simple negligence. Regardless of the cause, they need a response.
| Top 10 data protection alerts | % of organizations |
| --- | --- |
| Groups: Anyone can post | 87.1% |
| Users: Email forwarding enabled | 71.2% |
| Super administrator added | 48.0% |
| Groups: Allow external members | 32.4% |
| Users: Email forwarded to Gmail | 24.5% |
| Files larger than 25MB added | 22.0% |
| Folders shared externally | 17.4% |
| Files shared externally | 13.2% |
| Files with public sharing links | 12.7% |
Source: BetterCloud internal data, 2019
Top user orchestration alerts in BetterCloud
User orchestration alerts don't tell a better story. All organizations get alerted to empty groups, some multiple times, and more than two-thirds get alerted for super admin threshold violations.
| Top 7 user orchestration alerts | % of organizations |
| --- | --- |
| Super administrator count exceeds threshold | 67.5% |
| Administrator count exceeds threshold | 50.8% |
| Users without two-factor authentication | 26.6% |
| Empty public Slack channels | 26.1% |
| Single-channel Slack guest added to team | 23.9% |
| Multi-channel Slack guest added to team | 23.0% |
Source: BetterCloud internal data, 2019
At the usual ratio of one IT person to about 100 users, manually detecting just the top 10 data protection alerts would be a full-time job.
Your data: the first stop on the Zero Trust journey
There are many Zero Trust best practices to consider, but in the SaaSOps world, it all starts with your enterprise’s SaaS data. At a very minimum, you need to know:
- What sensitive SaaS data to protect, as not all data is created equal
- Assigned user roles for people interacting with that SaaS data
- SaaS data flows between apps, user roles, partners, external users, and devices (e.g., user interactions) that need data protection
But you can't manage, or create automated alerts for, what you don't know. So before you can answer these questions, you need to understand both the big picture of your SaaS apps and their details.
Get visibility into your SaaS environment
In securing your SaaS environment, visibility is the first hurdle. After all, enterprises cannot manage and secure the unknown. On the journey to Zero Trust, it’s important to know the following:
- All SaaS apps used (IT-sanctioned or not)
- All users, groups, and files across SaaS apps and instances
- Application settings and controls across SaaS apps
- Access levels (e.g., OAuth scopes) requested by each SaaS app on your domain
- Third-party apps installed on your domain
- Third-party browser extensions installed by users
- Third-party mobile apps installed by users
- Add-ons installed by users
- Spikes in failed user logins
- Users who haven’t enrolled in (or have disabled) multi-factor authentication
- Users who have not logged into SaaS apps in 30/60/90 days (i.e., inactive licenses)
- Total number of super admins across SaaS apps
- Empty or unused groups/channels across SaaS apps
Armed with the bigger picture, you’re ready to take advantage of policies for automated SaaS data protection and user orchestration alerting.
Create policies to increase data protection
Once enterprises understand their SaaS environment, it's time to write the policies that automate data protection and user orchestration. That means applying least privilege by user, data, and SaaS app to establish a trust level, and deciding when trust should change, for example when an account sets up many email forwards within a short interval.
For example, enterprises can create standardized and/or automated processes for user changes like promotions, department changes, or even when someone joins a new project.
Policies can also govern automated access to new folders, calendars, sites, and applications that such user changes may require.
And they don't need to stop there. Policies can grant temporary elevated access rights, just as they can suspend an account when it is compromised or its endpoint device goes missing. Finally, policies can automate both data protection and user orchestration alerts.
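To make these policies concrete, here is an added example (not BetterCloud's code, and not the schema of any real SaaS audit log): a small Python policy engine run over a constructed batch of SaaS audit events. It raises the alert types from the tables above (super admin added, super admin count over a threshold, a group set to accept posts from anyone, email forwarding to an external mailbox, files shared externally or via a public link) and also covers the "trust should change" case just described, a burst of forwarding changes by one account within a short interval. The event field names, the corporate domain example.com, and the thresholds are all assumptions.

```python
"""Policy-based alerting over constructed SaaS audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

CORP_DOMAIN = "example.com"                   # assumption: the organization's own domain
SUPER_ADMIN_THRESHOLD = 2                     # assumption: policy limit on super admins
FORWARD_BURST_COUNT = 2                       # assumption: this many forwarding changes by one actor
FORWARD_BURST_WINDOW = timedelta(minutes=10)  # ... within this window is a trust-change signal

# Constructed sample events; field names are assumed, not a real export format.
SAMPLE_EVENTS = [
    {"ts": "2019-06-03T09:00:00", "actor": "it-admin@example.com", "action": "ASSIGN_ROLE",
     "target": "alice@example.com", "role": "SUPER_ADMIN"},
    {"ts": "2019-06-03T09:05:00", "actor": "it-admin@example.com", "action": "ASSIGN_ROLE",
     "target": "bob@example.com", "role": "SUPER_ADMIN"},
    {"ts": "2019-06-03T09:06:00", "actor": "it-admin@example.com", "action": "ASSIGN_ROLE",
     "target": "carol@example.com", "role": "SUPER_ADMIN"},
    {"ts": "2019-06-03T10:00:00", "actor": "dave@example.com", "action": "GROUP_SETTING_CHANGE",
     "target": "all-staff@example.com", "setting": "WHO_CAN_POST", "value": "ANYONE_CAN_POST"},
    {"ts": "2019-06-03T11:00:00", "actor": "erin@example.com", "action": "EMAIL_FORWARDING_CHANGE",
     "target": "erin@example.com", "forward_to": "erin.personal@gmail.com"},
    {"ts": "2019-06-03T11:04:00", "actor": "erin@example.com", "action": "EMAIL_FORWARDING_CHANGE",
     "target": "erin@example.com", "forward_to": "erin2@outlook.com"},
    {"ts": "2019-06-03T12:00:00", "actor": "frank@example.com", "action": "SHARE",
     "target": "Q2-forecast.xlsx", "shared_with": "partner@vendor.example"},
    {"ts": "2019-06-03T12:30:00", "actor": "frank@example.com", "action": "SHARE",
     "target": "Q2-forecast.xlsx", "shared_with": "grace@example.com"},
    {"ts": "2019-06-03T13:00:00", "actor": "heidi@example.com", "action": "CHANGE_VISIBILITY",
     "target": "handbook.pdf", "visibility": "ANYONE_WITH_LINK"},
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_external(address):
    """True when the address is outside the corporate domain (e.g., a personal Gmail)."""
    return domain_of(address) != CORP_DOMAIN


def alert(event, rule, detail):
    return {"rule": rule, "ts": event["ts"], "actor": event["actor"],
            "target": event["target"], "detail": detail}


def check_super_admins(events):
    """Replay role changes; alert on every grant and whenever the total exceeds the threshold."""
    alerts, admins = [], set()
    for e in events:
        if e["action"] == "ASSIGN_ROLE" and e.get("role") == "SUPER_ADMIN":
            admins.add(e["target"])
            alerts.append(alert(e, "super_admin_added", f"{e['target']} granted SUPER_ADMIN"))
            if len(admins) > SUPER_ADMIN_THRESHOLD:
                alerts.append(alert(e, "super_admin_threshold",
                                    f"{len(admins)} super admins > {SUPER_ADMIN_THRESHOLD}"))
        elif e["action"] == "UNASSIGN_ROLE" and e.get("role") == "SUPER_ADMIN":
            admins.discard(e["target"])
    return alerts


def check_group_posting(events):
    """Group settings that let anyone post (the most common alert in the table above)."""
    return [alert(e, "group_anyone_can_post", f"{e['target']} accepts posts from anyone")
            for e in events if e["action"] == "GROUP_SETTING_CHANGE"
            and e.get("setting") == "WHO_CAN_POST" and e.get("value") == "ANYONE_CAN_POST"]


def check_forwarding(events):
    """External forwarding, plus a burst of forwarding changes by one actor (trust should change)."""
    alerts, history = [], defaultdict(list)
    for e in events:
        if e["action"] != "EMAIL_FORWARDING_CHANGE":
            continue
        if is_external(e["forward_to"]):
            alerts.append(alert(e, "email_forwarding_external", f"forwards to {e['forward_to']}"))
        ts = datetime.fromisoformat(e["ts"])
        recent = [t for t in history[e["actor"]] if ts - t <= FORWARD_BURST_WINDOW] + [ts]
        history[e["actor"]] = recent  # sliding window of this actor's recent changes
        if len(recent) >= FORWARD_BURST_COUNT:
            alerts.append(alert(e, "forwarding_burst",
                                f"{len(recent)} forwarding changes within {FORWARD_BURST_WINDOW}"))
    return alerts


def check_sharing(events):
    """Files shared with an external party or exposed through a public link."""
    alerts = []
    for e in events:
        if e["action"] == "SHARE" and is_external(e["shared_with"]):
            alerts.append(alert(e, "file_shared_externally", f"shared with {e['shared_with']}"))
        elif e["action"] == "CHANGE_VISIBILITY" and e.get("visibility") in ("ANYONE_WITH_LINK", "PUBLIC"):
            alerts.append(alert(e, "public_sharing_link", f"visibility set to {e['visibility']}"))
    return alerts


POLICIES = [check_super_admins, check_group_posting, check_forwarding, check_sharing]


def run_policies(events):
    """Run every policy over the time-ordered events and return all alerts, oldest first."""
    events = sorted(events, key=lambda e: e["ts"])
    return sorted((a for policy in POLICIES for a in policy(events)), key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in run_policies(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['rule']:<26} {a['actor']:<22} {a['detail']}")
```

Each policy is a plain function over the event stream, so adding a rule (say, a threshold on ordinary administrators, or a Slack guest being added) means appending one function to POLICIES. The forwarding check keeps per-actor state deliberately: a single external forward is a data protection alert, while several changes in quick succession is the kind of behavior change that should lower that account's trust level and trigger an orchestration response such as suspension or a forced re-authentication.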
To learn more about how BetterCloud’s data protection functionality can help you on your Zero Trust journey, request a demo.