This article is excerpted from BetterCloud CEO David Politis’s new book, The IT Leader’s Guide to SaaSOps (Volume 2): How to Secure Your SaaS Applications. To learn more and get a copy of the book, click here.
Managing and securing tens of millions of interactions day to day across the digital workplace might seem like a Herculean task.
To start with, there are key operational processes in your SaaS environment to review, consider, and implement. Here’s a comprehensive best practices checklist for SaaSOps that you can begin tackling today.
Download our IT Leader’s Checklist for SaaS Operations right here.
But beyond those tactical steps, you can also start on a broader, more strategic SaaSOps action plan. This should be a long-term data protection plan, but it works in-line with the tactics in the checklist above.
1. Identify your mission-critical applications and data.
First, start with a SaaS data inventory assessment exercise. Which applications should you prioritize? Which apps hold the most important data and are used by the most people? What kinds of information are in these apps? You can’t protect what you don’t know you have.
But not all your SaaS apps are business-critical. Some applications and data are more valuable than others. What information supports strategic business processes, objectives, and functions at your organization? Gather stakeholders to determine what SaaS data, if exposed or lost, could result in:
- Loss of revenue/customers
- Financial or regulatory fines/penalties
- Harm to the company’s reputation, negative PR, or loss of consumer trust
- Loss of competitive advantage
- Business failure
2. Prioritize that data and create a data hierarchy.
What SaaS data needs very high protection and what doesn’t? Prioritization is a cross-team effort. You’ll need input from stakeholders (e.g., C-level executives, senior management, the board of directors, major shareholders and investors, the legal team, the data protection officer, the business units who own and interact with the data) to help classify and rank this data from most sensitive to least sensitive.
What data absolutely cannot end up in the wrong hands, be exposed, or be lost? What would you consider catastrophic? How would the data loss impact your organization’s productivity, revenue, and security requirements (and for how long)? How would the data loss impact your organization’s productivity, revenue, and security requirements (and for how long)?
This step will likely include having a cross-functional, strategic conversation on your cyber risk appetite.
Every business is willing to take on a different amount of risk to achieve regulatory and financial objectives. What’s an acceptable risk tolerance for your organization? Furthermore, how much are you willing to invest to manage that risk? This will help prioritize the risks.
What controls do you have in place (or want to put in place) to address SaaS application risks, and what’s an acceptable range of uncertainty related to those risks?
Your company will evolve and so will your cyber risk appetite. There will be shifts in operational risk and cyber risk. As such, determining your risk appetite shouldn’t be a “one and done” exercise. It’s a continual process and should be re-assessed often.
3. Create a policy framework that reflects your definition of trust.
Once you’ve prioritized your mission-critical SaaS apps and data, you’re in a good place to lay the foundation for your policy framework.
Review your current security architecture and identify any gaps and sources of vulnerabilities. As you develop your new policy framework, think about how it can fill those gaps and protect your most mission-critical SaaS data.
The questions below can provide guidance or help spark ideas as you shape your framework:
- How are you defining trust?
- Who are you considering a trusted vs. untrusted user?
- Given the data you’re protecting and your risk appetite, what interactions are you comfortable (and not comfortable) with your users having?
- What types of user interaction do you need the most visibility into (but don’t have today)?
- Which user interactions are the riskiest for your organization?
- What’s your most mission-critical data and who should access be limited to?
- How granular or sweeping do your policies need to be?
- What kinds of policies would have the biggest impact on increasing operational efficiency?
- Where is there room to automate operational processes?
- What strategic work could your team take on if more of your operational processes were automated?
- Is there currently a productivity/security tradeoff in your organization?
- What are the biggest operational security risks and non-compliance areas?
- What are your biggest organizational priorities right now?
- How do you anticipate your operational controls and measures will change based on where your company will be in six months, one year, and five years?
As you think through these questions, tie your responses back to your data hierarchy. With your definition of trust as your North Star, you can start establishing SaaSOps policies, guidelines, processes, and standards that align with company-wide organizational priorities.
Looking for more SaaSOps info? Check out www.bettercloud.com/saasops/ for in-depth webinars, books, success stories from SaaSOps practitioners, and more.
To learn more about how BetterCloud can help you manage and secure your SaaS applications, request a demo.