There are seemingly a million security threats and exposures everywhere today. There’s ransomware, malware, phishing, and DDoS attacks, just to name a few — and it’s getting worse. 2017 was the worst year ever for data loss and breaches, and reports reveal that data breaches are happening at a record pace.
These attacks also have a serious impact on your business. Equifax stock plunged 18% after its massive breach; Target earnings slid 46% after its breach.
Given that it’s your responsibility to secure these environments, how do you tackle all these threats? Where do you even start?
Our founder and CEO David Politis recently hosted a webinar on this topic. He explained what the new security frontier is and why IT must start paying attention to it. He also revealed the top three concerns 1,500+ IT professionals have around managing SaaS apps and offered actionable tips for mitigating them.
You probably feel like this
You probably feel like you’re playing a game of whack-a-mole at work. You solve one problem and put out a fire, only to have another one pop up a few minutes later. You’re constantly dealing with change.
Most likely, you’re following best practices
There is a playbook with standard operating procedures for how to secure an IT environment. The evolution of this playbook looks like this:
You’re probably starting with securing your endpoints and servers. This is fundamental, and it’s been that way for decades.
At the next layer, you have to secure the network — putting in web-based security and proxies, and understanding what’s happening with traffic coming and going out of your network. This has been best practice for a while now.
In the early 2000s, we started seeing the rise of mobile devices in the workplace. Then people started bringing their own devices to store corporate data. With that paradigm came a new set of security solutions for mobile devices (e.g., MDM, EMM).
In the past decade, we’ve seen the rise of IDaaS companies like Okta and OneLogin. They started securing identity — essentially securing access to the applications that are outside of your network.
All of these layers are standard for building your security infrastructure.
You can only secure what you can see
What you can see is determined by the technology (i.e., the security method) for that particular layer.
Endpoint & server level: At this level, agents can give you specific visibility into local activity on devices and servers. It provides control over that (e.g., device wiping, lockout time, malware protection).
Network level: You can see network activity through packet inspection, which gives you a different view of the world — a different level of control. Traffic is sent through third parties. This type of visibility lets you see where people are going, where traffic is flowing to/from, and malware issues from websites.
Mobile device level: These solutions use APIs for mobile OSes and let you see what’s happening on the device (e.g., configuration, firmware, password settings, which apps are installed, etc).
Identity/access level: As the perimeter continued to extend out, security went beyond local devices and apps. It had to extend to the cloud, and that’s where the IDaaS vendors came in. By using APIs for authentication protocols like SAML and OAuth, they control access to various apps.
But a big question remains…
But as the world continues to shift to SaaS, how do you see things like entitlement changes or overexposed admin privileges? Or sensitive data leakage from apps?
None of this can be seen at the device, network, or identity level. So how do you see any of this information?
A new frontier: The application level is the future of security
In order to see and secure the application level, you need a different method. It’s still API-based, but it requires a different set of APIs. By using APIs for the native apps, you can start seeing entitlement changes, user and admin activity within apps, etc. You can identify improper configurations and data leakages. This is the layer that BetterCloud operates in, and we feel strongly that this layer is the future of security.
The application layer is the new frontier for IT security. This is where your files are living and where users are making changes. SaaS apps drive collaboration, but they also create massive data sprawl. Think about the amount of data your apps store and the sensitivity of that data. SaaS apps allow us to collaborate with people outside our org, which is beneficial but also creates new attack vectors and data leakage points.
The perimeter is no longer your office or your network. It has extended over time, and now the perimeter includes major SaaS platforms — which you need to secure.
The future of security is API-based
SaaS apps started reaching critical mass around 2013-2014. When people started looking for tools to secure these apps, the only real solution available in the market at the time was network-based. That was the only way you could semi-solve the security problem, but it was (and is) like fitting a square peg into a round hole.
Network-based tools are not really the correct way to be securing SaaS apps. Why? Because the context and visibility of what you can see coming through the network is just a tiny portion of what you need to see in order to truly secure SaaS apps. When you start proxying traffic from SaaS platforms, changing user behavior, and a creating a new point of failure, you’re using old security methods on a completely new paradigm — it does not work.
Now, to be clear, these are some elements of network-based solutions that are valuable, namely visibility into shadow IT.
But if you’re a digital workplace running on mission critical SaaS apps, then the foundation — the operations hygiene, if you will — is identity and access management. You need to control who has access to what; this is where it all starts.
The next layer after that is all the detail inside the apps — the inspection and constant monitoring of what’s happening. In the same way that you had to be on an endpoint, on a server, in line in the network, or on a device, you need to be in the application itself to provide this type of security. The only way to do that is through APIs.
Once you’re inside the application via its native API, you can start controlling settings, configurations, entitlements, authorizations, and permissioning. That is the only way to get that level of visibility and control — by going to the source of the data.
The top three concerns from 1,500+ IT professionals about managing and securing SaaS apps
In a recent survey, we asked thousands of IT professionals, “What’s your biggest concern about managing and securing SaaS apps?”
1,500 people responded and told us what keeps them up at night. We noticed many common themes but out of all the responses, these were the top three recurring concerns: End user behavior, data loss/leakage, and shadow IT.
1. End user behavior
This is a direct quote that a respondent wrote in our survey. We’re seeing this problem everywhere. SaaS apps reduce friction and drive innovation, and in doing so, have created convenience for end users. They can forward emails at their leisure and share files with just about anyone. This creates an entirely new set of challenges that IT has to deal with, and end users are, unfortunately, driving a lot of those.
Here are some of the end user threats that survey respondents listed. It’s easy to share information with external parties (Slack has Single- and Multi-Channel Guests, email distribution lists can contain external members, and external partners can be added to Salesforce instances) or personal email accounts. It’s also easy to see how end users might share something inappropriately. Apps can be complicated or confusing — users might think they’re sharing something with their org, but it’s actually public on the internet.
End users are not thinking about security, so it’s important to take the following steps to mitigate this threat.
To fix these threats, we recommend phishing your own employees (here’s how we did it) and putting in place a password management tool, if not a full identity solution.
A big piece of this involves a change in your role. IT now needs to be in front of end users more often, educating and evangelizing the importance of security. End users will always be one of your biggest security risks, so it’s important they are conscious of what they’re doing in SaaS apps.
2. Data loss/leakage
The part of this quote that stuck out the most to us was “were not aware of.” This goes back to the concept of blind spots — you don’t know what you don’t know. When you have massive data sprawl and dozens of disparate SaaS apps, it’s impossible to know everything.
The biggest threats that we’ve seen are around file sharing — for example, people sharing files incorrectly at a global level. The mistakes can be unintentional or malicious (e.g., downloading files and sharing them with a competitor). We’ve even heard stories where ex-employees still have access to corporate data years after their departure.
This is not IT’s fault. It’s extremely challenging to get visibility manually across all your SaaS apps, and it’s not a scalable process.
As best you can, centralize all this information. Understand (and audit) what exists. Knowing is more than half the battle. The first step is just understanding what is out there, where your potential exposure points might be, and which apps you need to focus on securing. Next, you need to get processes and policies in place. They should be consistent, documented, and shared across the org.
3. Shadow IT
Every major platform has a marketplace (examples: Chrome Web Store, G Suite Marketplace, Zendesk App Marketplace, etc.) where users can install third-party apps without IT’s knowledge or approval. There are more and more integrated apps being built every day, and it’s become the norm. However, in many cases, these apps access an organization’s core apps which contain the most sensitive information, opening the door to the possibility of data breaches.
We’ve seen companies where one department goes rogue and decides to start using Slack without IT’s knowledge or approval. Soon, more and more teams join until 90% of the company is on Slack. As a result, when it comes time to offboard users, nobody is managing the Slack offboarding process (because IT is not aware or involved). This means ex-employees retain access to corporate data, increasing the risk of sensitive data exposure.
The reality is: Shadow IT is happening, whether you like it or not.
To combat shadow IT, it all comes down to understanding why this is even happening in the first place. IT is still not viewed in many orgs as a “friendly” team that will allow end users to use the apps they want to. Therefore IT needs to create a very different culture. IT must emphasize that they want to help users be successful and use apps that make them the most productive.
To do so, create a process that makes it easy for users to bring apps to you. IT can sanction and review the app properly and help with the purchase in a centralized way.
If users feel like that’s an option for them, then there’s a massive opportunity to change the way your organization works and reduce the risk of data breaches and attacks vectors.
The sooner you take control and manage and sanction these apps, the sooner you’ll make a big difference in your org.
That was just a sampling of threats
We covered three threats above, but there are still a million more out there. Here are just some of the additional threats that your peers mentioned in our survey.
We’re offering a free security assessment for a limited time
For a limited time only, BetterCloud is offering a free SaaS security assessment. We can tell you which (if any) files are exposed, if your users are forwarding emails to personal accounts, if any groups are public, which users haven’t logged in in a certain amount of time, and more. We’ll need about 30 minutes of your time and a super admin from your organization.
Our CEO’s prediction for the future
This is David’s personal prediction: It may take us 10 or 15 years since we’re still in the beginning chapters of the shift to SaaS, but we’ll reach a point one day where endpoints won’t really matter.
Think about Chromebooks. There’s no OS, really — it’s just Chrome. Sure, you may want to secure things like passwords and logout time, but there’s not really any data on the device. It’s just an access point, a way to get on the internet (and by extension, to SaaS apps).
The extended perimeter is where all the security has to happen at the API level. Your data (e.g., settings, permissions, roles, identity, access) must be secure at the API layer — that’s going to be the most important layer of security. That’s where all your mission critical, sensitive, and valuable data will live. If you’re secure there, then you’re good everywhere else.