With 2020’s unexpected acceleration of remote work and rapid SaaS adoption, new SaaS security risks have come along with it. Building on recent articles on what SaaS management platforms (SMPs) do, how they help in SaaS operations, and their important role in optimizing both IT budgets and SaaS operations, we take on how SaaS management platforms reduce security risk.
Common SaaS security pitfalls
There are three common ways that enterprises fall short in SaaS security. Every SaaS-using enterprise, whether they know it or not, experiences issues related to app misconfigurations, excessive permissions, and uncontrolled sharing.
Knowing their impacts help you to understand how SaaS management platforms reduce security risk.
So let’s dive in.
Too many app misconfigurations lead to security problems.
Have you ever set up a new SaaS application like Google Workspace or Microsoft 365? If you did, you probably discovered there’s a myriad of settings and controls for users, groups, and files buried in different menus in the admin consoles. They control a broad range of actions like which users can share which files and to whom. And while all of these settings have built-in defaults, you need to change them so they’re in accordance to your organization’s documented security policy … without screwing up, of course. Then once you get an app set up, you must monitor it.
You need to watch for risky changes in settings as employees add files, change group settings, and collaborate with users outside of your company like partners, contractors, or agencies.
Needless to say, with thousands of settings available within a single application, monitoring these configurations is an ongoing challenge.
Multiply this process, now, by the number of applications in your environment.
For potentially hundreds of different applications that constantly change, security and IT teams have the impossible task of being experts in each native admin console to constantly manage configurations.
No team made up of humans can possibly be expert at all times for all apps. Thus, enterprises are always at risk for application misconfigurations and security failures that may result.
Excessive permissions cause security risk.
An individual SaaS application has its own predetermined levels of access for administrators. And again, there’s no consistency across all the applications in your enterprise.
Each one is different. So IT teams must retrofit inflexible role definitions to administrator’s responsibilities while trying to comply with security policies. All too frequently, that means granting access to more data and controls than necessary for the job. And as a byproduct, security takes a backseat.
IT teams, little by little over time, extend too many permissions for SaaS apps. Blanket administrator permissions get passed out like candy to so many users that IT no longer has visibility. They don’t know how many administrators they have nor who really needs this access level.
When this happens, of course, the risk of an accidental or malicious security breach grows.
Uncontrolled and inadvertent sharing can lead to data loss.
According to BetterCloud research, 62% of respondents believe that the biggest security threat comes from well-meaning, but negligent employees. So insider threats are not always a disgruntled employee out to steal the intellectual property crown jewels.
Instead, it’s usually an employee simply trying to get the job done. Think of customer information in a single Microsoft 365 or Google Workspace spreadsheet. Made by a single user, it’s shared down to lower ranks, up to the CEO and CRO, and out to contractors—some who are part-time. It touches multiple SaaS apps along the way including Salesforce, Dropbox, Box, Slack, and personal Outlook accounts.
That same file for a single user is used by four different apps. And let’s say that user also uses an add-in to Office 365 for couponing and for restaurant reservations. Left unchecked, the SaaS environment becomes plagued with unknown apps and add-ins, making it difficult for even the best IT teams to secure.
You ultimately cannot control risk you can’t see
Lack of visibility of the SaaS environment underpins all of these SaaS security pitfalls.
Without a way to have centralized and continuous visibility of users, access, app privileges, and activity in your SaaS environment, you simply can’t control security risk to the degree necessary.
Without normalized data enriched with context about apps, users, files, groups, and interactions, speedy remediation is that much more difficult.
SaaS management platforms, fortunately, tackle all of these security risks.
How SaaS management platforms reduce security risks
There are two broad mechanisms in a SaaS management platform for reducing security risk. They’re inseparable, like two sides of the same coin.
On one side, SMP insights and analytics give IT complete understanding and visibility of critical SaaS applications, files, users, and interactions.
Then on the other side, SMPs give IT control via automated policies, security alerts, and remediation. They keep enterprise data safe because policies and processes continuously monitor for potential threats, and normalized data enriched with context enable meaningful security alerts, as well as automated remediation.
Taken together, an SMP gives data-driven visibility into both sanctioned and unsanctioned SaaS applications to allow IT to control and secure the SaaS environment.
SMPs monitor applications and configurations for risky changes.
This is top on the list of how SaaS management platforms reduce risk: an SMP automatically identifies new SaaS apps as well as changes in settings, including user, group, file, and folder settings, which may be suspicious behavior. It then proceeds to use that information for real-time alerts to IT.
Once identified, that information is fed into a workflow system set up to assess the potential risk to the business and automate the appropriate remediation path.
IT configures remediation using the administrator actions available in SaaS applications, such as changing the settings, suspending the user, or sending a notification via email or Slack to the appropriate teams.
SaaS management platforms reduce security risk by maintaining least privilege access.
To keep your SaaS environment secure, it is critical that SaaS app administrators access only what they need. To accomplish this task, SMPs provide configurable administrator roles and permissions that allow administrators to only access the controls they need, and nothing more. With custom roles, IT teams can control access to sensitive data and settings, and enhance security across the entire environment.
How the best SaaS management platforms reduce risk is by allowing highly granular permissions based on:
- access to data objects (such as users, groups, or files)
- type of control (such as the ability to edit document settings versus delete a document), and
- the ability to trigger an automated workflow. In addition, it should allow for an unlimited number of roles and permissions.
This level of granularity and flexibility prevents administrators from getting access to data objects and controls they do not need.
Finally, the best SaaS management platforms reduce risk in another way. They continuously audit the number of administrators in an environment and then automatically alert IT if the number exceeds a set threshold or automatically prevent that threshold from being exceeded.
SMPs lower security risk by preventing inappropriate data sharing.
To protect against data loss, a SaaS management platform allows IT to set up granular data protection policies according to their security policy. It needs to cover files and folders and the range of how sharing is allowed to occur, as well as sensitive data definitions across applications, and actions IT should take if there’s a violation.
SaaS management platforms then reduce risk by performing two important functions. First, they proactively secure data by monitoring for:
- Sensitive files being publicly or externally shared
- Sensitive folder paths, like accounting or finance, being publicly or externally shared
- Sensitive file forwarding to a personal email account (e.g., Gmail, Yahoo)
- Sensitive data exposure from executives (e.g., CEO, CFO)
- Specific file types being publicly or externally shared (e.g., spreadsheets and PDFs are more likely to contain sensitive information)
- Users who should no longer have access to specific files, folders, calendars, etc. (e.g., consultants, interns, employees who’ve switched teams)
- Users who should no longer belong to specific groups/distribution lists (e.g., contractors, employees who’ve switched teams)
- External domains to which files are shared
- External people with whom files are shared
Second, an SMP reduces risk by regularly scanning files and content for sensitive data sharing like:
- Personal identifiable information (PII)
- Protected health information (PHI)
- Payment information
- Intellectual property (IP) or trade secrets
- Executable files (.exe)
- Encryption keys
- Keywords that may signal sensitive information, like “Confidential” or “Internal Use Only” or confidential project names
So how else do SaaS management platforms reduce security risk associated with data protection?
The best SMPs allow you to set up automated workflows to remediate threats. And just as importantly, they make it easy for you by including a library of pre-set administrator actions to quickly remediate sensitive content oversharing across all applications.
Request a demo to see how adding BetterCloud to your security infrastructure can help you reduce your security risk, boost your security posture, and stay in compliance.