Taming SaaS Security Challenges with the Zero Trust Security Model
November 28, 2018
4 minute read
For more expert guidance and tips on Zero Trust, click here to read our whitepaper: A Guide to Effective SaaS Management Using a Zero Trust Security Model.
Today, the new reality is that network-based security is no longer adequate.
With an increasingly mobile workforce and the spread of shadow IT, plus the rapid rise of cybercrime, companies must find new ways to effectively manage their sprawling SaaS portfolio. They must also seek the ability to offer their core businesses as microservices securely and seamlessly.
Now, that’s a mouthful. Let me elaborate.
Right now, SaaS is creating dozens of challenges (and opportunities) for IT
Cloud and SaaS sprawl
The rise of the cloud and SaaS has given companies access to an unprecedented volume of IT resources. This can boost corporate productivity tremendously, but it also introduces security challenges that sit beyond the reach of the corporate firewall. Enterprise companies use over 1,000 cloud applications on average, and that number is growing.
Shadow (stealth) IT
Corporate IT can no longer fully control its IT environment. Business functions procure and use many SaaS applications without the knowledge or permission of IT. This phenomenon, known as shadow (or stealth) IT, significantly increases the risk of data breaches and security incidents, because corporate data ends up in services that IT has never vetted and cannot monitor. Corporate IT has no choice but to get ahead of this by becoming a business enabler, not an inhibitor.
The rapid obsolescence of network-based security architecture
The network-based security architecture most companies still run is no longer adequate given the rise of the mobile workforce and the rapidly growing number of applications in the cloud. It also fails badly once breached: after an attacker gets past the perimeter (through phishing, malware, or compromised passwords, for example), the network itself treats them as trusted, so they can move laterally across systems and security layers until they reach data worth compromising.
Cybercrime is on the rise
Cybercrime damage costs are projected to reach $6 trillion annually by 2021, which would be the greatest transfer of economic wealth in history. Cybercriminals also have more targets: an estimated 6 billion people will be internet users by 2022, up from 3.8 billion in 2017. Attackers use any means available to break into systems and data, including critical SaaS applications such as HRIS, ERP, CRM, productivity suites, and data repositories.
The popularity of microservices
Microservices have gained immense popularity in the last few years. With demonstrable success from Netflix and AWS, more companies are starting to offer their core businesses as microservices to expand their customer and revenue base. That means old and new companies must find a secure and seamless way to expose these services to their customers and partners. Many of these microservices are available as SaaS offerings through publicly supported APIs. Companies can simply subscribe to these services instead of building them from the ground up. (For example, see: Uber’s use of Twilio’s communications services to send and receive messages, or MGM’s use of Okta’s identity and access management (IAM) services to manage a seamless customer access and experience across various MGM properties.)
So how does IT address all of this?
You might ask how companies are addressing the amalgamation of challenges and opportunities presented by all of this. Though we are still in the early phases of innovation, there are proven methods for achieving a higher degree of maturity for managing sprawling applications in the cloud.
- A proactive cyber defense posture is a must. Companies must proactively strategize, plan, and execute cyber defense. They must continue to invest in cybersecurity tools and technologies, increase their cybersecurity expertise, and retain cybersecurity talent who can stand up an effective cyber defense. That means revisiting your cyber defense strategy and standing up a new security architecture.
- Companies need to invest in a new security architecture. The new security architecture must be flexible in accommodating a global mobile workforce that accesses a growing number of applications in the cloud using many types of devices, from anywhere, at any time. Various factors such as users, devices, data, applications, and networks are included in the scope for the new security architecture.
- The solution must be secure and seamless. Despite security threats, companies must find a secure and seamless solution that will enhance their customers’ experience, improve their employees’ productivity and ease of use, and simplify collaboration with their partners.
Hello, Zero Trust
The world is rapidly changing.
Apps have moved to the cloud and users are accessing them from anywhere, any time, on multiple devices. Despite that, the way enterprises secure access to applications has remained largely unchanged — they are still dependent on the corporate network perimeter.
The new reality, however, is that people are the perimeter.
Companies must ensure that as they embark on the cloud transformation journey, their applications remain secure. To do this, they should readdress security and consider a Zero Trust security model.
The best way to architect and implement a new security framework is to start with a “never trust, always verify” model. In other words, every service request made by any user or machine is properly authenticated, authorized, and encrypted end to end, no matter where on the network it originates. Forrester has promoted this model as “Zero Trust” since as early as 2010, and Google has adopted it as “BeyondCorp.”
Inspired by this, companies have started exploring this model and many are already on their way to implementing it. Adopting the model is a journey of its own that requires careful strategic, tactical, and operational planning.
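To make the difference between the two models concrete, here is an added example (not code from the original article, and not any vendor's product) of a minimal policy decision point in the Zero Trust style. The resource policies, user directory, device tiers and the requests fed through it are all constructed for illustration. The perimeter model trusts a request because it arrives from the corporate LAN; the Zero Trust model ignores network location entirely and requires a valid identity, a known device that meets the resource's posture requirement, MFA where the policy demands it, and encryption in transit, with default deny for anything unknown.

```python
"""Zero Trust access decision vs. perimeter-based decision (illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class Request:
    """Per-request context a Zero Trust access proxy would assemble."""
    user: Optional[str]               # authenticated principal, None if no valid credential
    auth_expires: Optional[datetime]  # expiry of the presented credential (e.g. an SSO token)
    mfa: bool                         # second factor verified for this session?
    device_id: Optional[str]          # device identity (e.g. from a client cert), None if unknown
    device_tier: int                  # constructed tiers: 0 unmanaged, 1 managed, 2 managed + compliant
    source_network: str               # "corp-lan" or "internet"; only the legacy model looks at this
    tls: bool                         # request carried over TLS?
    resource: str                     # SaaS application being accessed


# Constructed resource policies: allowed groups, minimum device tier, MFA required.
POLICIES = {
    "hris": ({"hr", "hr-admins"}, 2, True),   # sensitive HR data: compliant device + MFA
    "wiki": ({"employees"}, 1, False),        # internal wiki: any managed device
}

# Constructed directory of user -> group memberships.
GROUPS = {
    "alice": {"employees", "hr"},
    "bob": {"employees"},
}


def perimeter_decision(req: Request) -> bool:
    """Legacy model: being inside the corporate network is treated as proof of trust."""
    return req.source_network == "corp-lan"


def zero_trust_decision(req: Request, now: datetime) -> Tuple[bool, str]:
    """Evaluate every request on its own merits; network location carries no weight."""
    if not req.tls:
        return False, "not encrypted in transit"
    if req.user is None or req.auth_expires is None or req.auth_expires <= now:
        return False, "no valid authenticated identity"
    if req.device_id is None:
        return False, "unknown device"
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, "no policy for resource (default deny)"
    allowed_groups, min_tier, need_mfa = policy
    if not (GROUPS.get(req.user, set()) & allowed_groups):
        return False, "user not authorized for resource"
    if req.device_tier < min_tier:
        return False, f"device tier {req.device_tier} below required {min_tier}"
    if need_mfa and not req.mfa:
        return False, "MFA required"
    return True, "allowed"


def demo() -> dict:
    """Run two constructed scenarios through both models and return the decisions."""
    now = datetime(2018, 11, 28, 12, 0, tzinfo=timezone.utc)
    valid = now + timedelta(hours=1)
    # Scenario 1: attacker with a phished password, no MFA, unmanaged laptop plugged into the LAN.
    intruder = Request("alice", valid, False, None, 0, "corp-lan", True, "hris")
    # Scenario 2: Alice working remotely on a compliant managed device with MFA over TLS.
    remote_alice = Request("alice", valid, True, "laptop-0042", 2, "internet", True, "hris")
    # Scenario 3: Bob, a regular employee, trying to read HR data from a managed device.
    bob = Request("bob", valid, True, "laptop-0099", 1, "internet", True, "hris")
    return {
        "intruder": (perimeter_decision(intruder), zero_trust_decision(intruder, now)),
        "remote_alice": (perimeter_decision(remote_alice), zero_trust_decision(remote_alice, now)),
        "bob": (perimeter_decision(bob), zero_trust_decision(bob, now)),
    }


if __name__ == "__main__":
    for name, (perimeter, (zt_ok, reason)) in demo().items():
        print(f"{name:13s} perimeter={perimeter!s:5s} zero_trust={zt_ok!s:5s} ({reason})")
```

The intruder scenario is the one the section above describes: the perimeter model lets the request through purely because it arrives from the LAN, while the Zero Trust check stops it at the first signal it cannot verify (the device). Alice's remote request, which a perimeter model would block or force through a VPN, is allowed because every required property is present; Bob is denied on authorization even though his identity and device are fine. Checks are ordered so that the cheapest and most fundamental controls (encryption, identity) run first, and any resource without an explicit policy is denied.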
In part two of this series, I’ll dig deeper into some best practices to implement when rolling out Zero Trust.