
Secure Your Data: Where to Start When There Are 1 Million Threats

BetterCloud

April 25, 2018


There are seemingly a million security threats and exposures everywhere today. There’s ransomware, malware, phishing, and DDoS attacks, just to name a few — and it’s getting worse. 2017 was the worst year ever for data loss and breaches, and reports reveal that data breaches are happening at a record pace.

These attacks also have a serious impact on your business. Equifax stock plunged 18% after its massive breach; Target earnings slid 46% after its breach.

Given that it’s your responsibility to secure these environments, how do you tackle all these threats? Where do you even start?

Our founder and CEO David Politis recently hosted a webinar on this topic. He explained what the new security frontier is and why IT must start paying attention to it. He also revealed the top three concerns 1,500+ IT professionals have around managing SaaS apps and offered actionable tips for mitigating them.

To access the full recording of the webinar, click here

You probably feel like this

[Image: a person playing whack-a-mole at an arcade.]

You at work.

You probably feel like you’re playing a game of whack-a-mole at work. You solve one problem and put out a fire, only to have another one pop up a few minutes later. You’re constantly dealing with change.

Most likely, you’re following best practices

There is a playbook with standard operating procedures for how to secure an IT environment. The evolution of this playbook looks like this:

[Figure: "Secure Endpoints & Servers": a computer surrounded by server and network icons.]

You’re probably starting with securing your endpoints and servers. This is fundamental, and it’s been that way for decades.

[Figure: "Secure the Network": a computer and servers connected inside a circle.]

At the next layer, you have to secure the network — putting in web-based security and proxies, and understanding what’s happening with traffic coming and going out of your network. This has been best practice for a while now.

[Figure: "Secure Mobile Devices": a central computer connected to multiple mobile devices.]

In the early 2000s, we started seeing the rise of mobile devices in the workplace. Then people started bringing their own devices to store corporate data. With that paradigm came a new set of security solutions for mobile devices (e.g., MDM, EMM).

[Figure: secure identity and access methods around a central computer: Microsoft sign-in, Google sign-in, Dropbox sign-in, Multi-Factor Authentication (MFA), and Security Assertion Markup Language (SAML).]

In the past decade, we’ve seen the rise of IDaaS companies like Okta and OneLogin. They started securing identity — essentially securing access to the applications that are outside of your network.

All of these layers are standard for building your security infrastructure.

You can only secure what you can see

[Figure: "You Can Only Secure What You Can See": security methods and what each lets you monitor and secure, in four sections: Endpoint (antivirus software, behavior monitoring), Network (firewalls, intrusion detection systems), Mobile (app management, encryption), and Identity/Access (multi-factor authentication, access control).]

What you can see is determined by the technology (i.e., the security method) for that particular layer.

Endpoint & server level: At this level, agents can give you specific visibility into local activity on devices and servers. They also provide control over that activity (e.g., device wiping, lockout time, malware protection).

Network level: You can see network activity through packet inspection, which gives you a different view of the world — a different level of control. Traffic is sent through third parties. This type of visibility lets you see where people are going, where traffic is flowing to/from, and malware issues from websites.

Mobile device level: These solutions use APIs for mobile OSes and let you see what’s happening on the device (e.g., configuration, firmware, password settings, which apps are installed, etc).

Identity/access level: As the perimeter continued to extend out, security went beyond local devices and apps. It had to extend to the cloud, and that’s where the IDaaS vendors came in. By using APIs for authentication protocols like SAML and OAuth, they control access to various apps.

But a big question remains…

But as the world continues to shift to SaaS, how do you see things like entitlement changes or overexposed admin privileges? Or sensitive data leakage from apps?

None of this can be seen at the device, network, or identity level. So how do you see any of this information?

A new frontier: The application level is the future of security

[Figure: "You Can Only Secure What You Can See": security methods by level of visibility and coverage: Endpoint, Network, Mobile Device, Identity/Access, and Application.]

In order to see and secure the application level, you need a different method. It’s still API-based, but it requires a different set of APIs. By using APIs for the native apps, you can start seeing entitlement changes, user and admin activity within apps, etc. You can identify improper configurations and data leakages. This is the layer that BetterCloud operates in, and we feel strongly that this layer is the future of security.

[Figure: login methods (Microsoft, Google, Dropbox, SAML) at the center, surrounded by the logos of Salesforce, Slack, G Suite, and Box.]

The application layer is the new frontier for IT security. This is where your files are living and where users are making changes. SaaS apps drive collaboration, but they also create massive data sprawl. Think about the amount of data your apps store and the sensitivity of that data. SaaS apps allow us to collaborate with people outside our org, which is beneficial but also creates new attack vectors and data leakage points.

The perimeter is no longer your office or your network. It has extended over time, and now the perimeter includes major SaaS platforms — which you need to secure.

The future of security is API-based

[Figure: pyramid diagram of API-based security, with tiers from bottom to top labeled "Operations Hygiene," "APIs," "Event/Log Monitoring," "App Control," "Network Visibility," "Encryption," and "Anti-malware," plus additional labels "Network Proxy" and "APIs."]

SaaS apps started reaching critical mass around 2013-2014. When people started looking for tools to secure these apps, the only real solution available in the market at the time was network-based. That was the only way you could semi-solve the security problem, but it was (and is) like fitting a square peg into a round hole.

Network-based tools are not really the correct way to be securing SaaS apps. Why? Because the context and visibility of what you can see coming through the network is just a tiny portion of what you need to see in order to truly secure SaaS apps. When you start proxying traffic from SaaS platforms, changing user behavior, and creating a new point of failure, you’re using old security methods on a completely new paradigm — it does not work.

Now, to be clear, there are some elements of network-based solutions that are valuable, namely visibility into shadow IT.

But if you’re a digital workplace running on mission critical SaaS apps, then the foundation — the operations hygiene, if you will — is identity and access management. You need to control who has access to what; this is where it all starts.

The next layer after that is all the detail inside the apps — the inspection and constant monitoring of what’s happening. In the same way that you had to be on an endpoint, on a server, in line in the network, or on a device, you need to be in the application itself to provide this type of security. The only way to do that is through APIs.

Once you’re inside the application via its native API, you can start controlling settings, configurations, entitlements, authorizations, and permissioning. That is the only way to get that level of visibility and control — by going to the source of the data.

The top three concerns from 1,500+ IT professionals about managing and securing SaaS apps

In a recent survey, we asked thousands of IT professionals, “What’s your biggest concern about managing and securing SaaS apps?”

1,500 people responded and told us what keeps them up at night. We noticed many common themes, but out of all the responses, these were the top three recurring concerns: end user behavior, data loss/leakage, and shadow IT.

1. End user behavior

[Slide: "End User Behavior": a survey quote on login security and data principles, attributed to an IT manager at a UK construction company.]

This is a direct quote that a respondent wrote in our survey. We’re seeing this problem everywhere. SaaS apps reduce friction and drive innovation, and in doing so, have created convenience for end users. They can forward emails at their leisure and share files with just about anyone. This creates an entirely new set of challenges that IT has to deal with, and end users are, unfortunately, driving a lot of those.

[Slide: "End User Behavior: The Biggest Threats": sharing data externally, excessive admin access, no 2-factor authentication, clicking suspicious links, and reusing passwords.]

Here are some of the end user threats that survey respondents listed. It’s easy to share information with external parties (Slack has Single- and Multi-Channel Guests, email distribution lists can contain external members, and external partners can be added to Salesforce instances) or personal email accounts. It’s also easy to see how end users might share something inappropriately. Apps can be complicated or confusing — users might think they’re sharing something with their org, but it’s actually public on the internet.

End users are not thinking about security, so it’s important to take the following steps to mitigate this threat.

[Slide: strategies for improving end user behavior: employee training programs, stringent access management, two-factor authentication (2FA), regular phishing simulation exercises, streamlined reporting of security incidents, tech-savvy influencers who promote best practices, and password management tools.]

To fix these threats, we recommend phishing your own employees (here’s how we did it) and putting in place a password management tool, if not a full identity solution.

A big piece of this involves a change in your role. IT now needs to be in front of end users more often, educating and evangelizing the importance of security. End users will always be one of your biggest security risks, so it’s important they are conscious of what they’re doing in SaaS apps.

2. Data loss/leakage

[Slide: "Data Loss/Leakage": a survey quote about data leakage or loss resulting from unsecure features, attributed to a CISO at a real estate company in California.]

The part of this quote that stuck out the most to us was “were not aware of.” This goes back to the concept of blind spots — you don’t know what you don’t know. When you have massive data sprawl and dozens of disparate SaaS apps, it’s impossible to know everything.

[Slide: "Data Loss/Leakage: The Biggest Threats": ex-employees, groups and channels, public calendars, contractors, misconfigured privacy settings, and public files containing sensitive information.]

The biggest threats that we’ve seen are around file sharing — for example, people sharing files incorrectly at a global level. The mistakes can be unintentional or malicious (e.g., downloading files and sharing them with a competitor). We’ve even heard stories where ex-employees still have access to corporate data years after their departure.

This is not IT’s fault. It’s extremely challenging to get visibility manually across all your SaaS apps, and it’s not a scalable process.

[Slide: data loss/leakage prevention strategies: know what information exists; establish consistent employee offboarding processes; understand configurations, entitlements, and privacy settings.]

As best you can, centralize all this information. Understand (and audit) what exists. Knowing is more than half the battle. The first step is just understanding what is out there, where your potential exposure points might be, and which apps you need to focus on securing. Next, you need to get processes and policies in place. They should be consistent, documented, and shared across the org.
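A sketch of the "centralize and audit" step, as an added example that is not BetterCloud's code. It assumes access grants have already been pulled from each app's own API and normalized into one list; the field names, domains, rule names and sample rows are constructed for illustration.

```python
from dataclasses import dataclass

# Assumptions for this example: corporate domain and a personal-mail domain list.
CORP_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed HR roster: account -> employment status.
ROSTER = {"alice@example.com": "active", "bob@example.com": "offboarded",
          "carol@example.com": "active"}

# Constructed sample: one row per access grant, across all apps.
GRANTS = [
    {"app": "drive", "resource": "Q3-payroll.xlsx", "grantee": "anyone", "role": "reader"},
    {"app": "drive", "resource": "roadmap.docx", "grantee": "alice@example.com", "role": "owner"},
    {"app": "slack", "resource": "#finance", "grantee": "bob@example.com", "role": "member"},
    {"app": "salesforce", "resource": "org", "grantee": "partner@vendor.test", "role": "admin"},
    {"app": "drive", "resource": "customer-list.csv", "grantee": "carol.home@gmail.com", "role": "editor"},
    {"app": "slack", "resource": "#launch", "grantee": "guest@agency.test", "role": "guest"},
    {"app": "calendar", "resource": "exec-calendar", "grantee": "dave@example.com", "role": "reader"},
]

@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    app: str
    resource: str
    grantee: str

def classify(grant, roster, corp_domain=CORP_DOMAIN):
    """Return (severity, rule) for a risky grant, or None if it looks fine."""
    grantee = grant["grantee"].lower()
    if grantee == "anyone":                      # public link / public on the internet
        return ("high", "public")
    domain = grantee.rpartition("@")[2]
    if domain == corp_domain:
        status = roster.get(grantee)
        if status == "offboarded":               # ex-employee still holds access
            return ("high", "ex-employee")
        if status is None:                       # account nobody in IT/HR knows about
            return ("medium", "unknown-account")
        return None
    if grant["role"] == "admin":                 # admin rights held outside the org
        return ("high", "external-admin")
    if domain in PERSONAL_DOMAINS:               # shared to a personal mailbox
        return ("medium", "personal-email")
    return ("low", "external")                   # partner, contractor or guest

def audit(grants, roster):
    """Classify every grant and return findings, most severe first."""
    findings = []
    for g in grants:
        hit = classify(g, roster)
        if hit:
            findings.append(Finding(hit[0], hit[1], g["app"], g["resource"], g["grantee"]))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.app, f.resource))

if __name__ == "__main__":
    for f in audit(GRANTS, ROSTER):
        print(f"{f.severity:<6} {f.rule:<16} {f.app:<10} {f.resource:<18} {f.grantee}")
```

Joining grants against the HR roster is what surfaces the ex-employee case: no single app's sharing settings show that an account holder has left.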

3. Shadow IT

[Slide: "Shadow IT": a survey quote about the risks of unauthorized tool subscriptions and potential security breaches, attributed to an IT manager at an internet company with 550 employees in France.]

Every major platform has a marketplace (examples: Chrome Web Store, G Suite Marketplace, Zendesk App Marketplace, etc.) where users can install third-party apps without IT’s knowledge or approval. There are more and more integrated apps being built every day, and it’s become the norm. However, in many cases, these apps access an organization’s core apps which contain the most sensitive information, opening the door to the possibility of data breaches.

[Slide: "Shadow IT: The Biggest Threats": rogue users, third-party app risks, data exfiltration, data breaches, cost implications, information silos, and unintended malware or ransomware.]

We’ve seen companies where one department goes rogue and decides to start using Slack without IT’s knowledge or approval. Soon, more and more teams join until 90% of the company is on Slack. As a result, when it comes time to offboard users, nobody is managing the Slack offboarding process (because IT is not aware or involved). This means ex-employees retain access to corporate data, increasing the risk of sensitive data exposure.

The reality is: Shadow IT is happening, whether you like it or not.

[Slide: "Shadow IT: How Do You Fix These Threats?"]
1. Sanctioning SaaS apps.
2. Making it easy for users to work with IT.
3. Developing a structured review process.
4. Locking down user permissions.

To combat shadow IT, it all comes down to understanding why this is even happening in the first place. IT is still not viewed in many orgs as a “friendly” team that will allow end users to use the apps they want to. Therefore IT needs to create a very different culture. IT must emphasize that they want to help users be successful and use apps that make them the most productive.

To do so, create a process that makes it easy for users to bring apps to you. IT can sanction and review the app properly and help with the purchase in a centralized way.

If users feel like that’s an option for them, then there’s a massive opportunity to change the way your organization works and reduce the risk of data breaches and attack vectors.

The sooner you take control and manage and sanction these apps, the sooner you’ll make a big difference in your org.

That was just a sampling of threats

[Infographic: additional threats from the survey: GDPR compliance, user access control, privileged access, automation, ransomware, phishing, data backup, staff workload, and security gaps.]

We covered three threats above, but there are still a million more out there. Here are just some of the additional threats that your peers mentioned in our survey.

We’re offering a free security assessment for a limited time

For a limited time only, BetterCloud is offering a free SaaS security assessment. We can tell you which (if any) files are exposed, if your users are forwarding emails to personal accounts, if any groups are public, which users haven’t logged in in a certain amount of time, and more. We’ll need about 30 minutes of your time and a super admin from your organization.

Click here to request a free SaaS security assessment.

Our CEO’s prediction for the future

This is David’s personal prediction: It may take us 10 or 15 years since we’re still in the beginning chapters of the shift to SaaS, but we’ll reach a point one day where endpoints won’t really matter.

Think about Chromebooks. There’s no OS, really — it’s just Chrome. Sure, you may want to secure things like passwords and logout time, but there’s not really any data on the device. It’s just an access point, a way to get on the internet (and by extension, to SaaS apps).

The extended perimeter is where all the security has to happen at the API level. Your data (e.g., settings, permissions, roles, identity, access) must be secure at the API layer — that’s going to be the most important layer of security. That’s where all your mission critical, sensitive, and valuable data will live. If you’re secure there, then you’re good everywhere else.

To request a free SaaS security assessment that will identify data exposure and non-compliance areas in your environment, click here.
