This article is excerpted from BetterCloud CEO David Politis's new book, The IT Leader's Guide to SaaSOps (Volume 2): How to Secure Your SaaS Applications.
Your users have hundreds, if not thousands, of interactions on any given day to get work done. In aggregate, your company likely has tens of millions of interactions. Broadly speaking, there are three categories of interactions:
1) Interactions with your own data
One type of interaction is between you and your own data. To be clear, it's not really "your" data: you don't own it, the company does. But it is data that only you touch. It might be your own email or the Chrome extensions you installed. It might be a private file in Box that you haven't shared with anyone and that only you can access.
2) Interactions with trusted users
Another type of interaction is between you and a trusted user. Trusted users are people who should have the access that they do. Their access is sanctioned.
Trusted users have authorized access to the right data at the right time. But who, exactly, qualifies as a trusted user? That’s not so cut and dried. Defining a trusted user is a nuanced challenge because it really depends on your company.
Let’s take a look at this statement:
Everyone inside my org is a trusted user.
For some companies, this statement may be true. Others may disagree. For example, if an engineer has access to confidential financial data that they shouldn't be privy to, would you still consider them a trusted user? Or if two departments in a financial institution were supposed to be separated by a "Chinese Wall" (an information barrier) but could access each other's data, would you still consider them trusted users? Or what if all employees were able to read the messages in the HR distribution list? Would you still consider them trusted users?
Now let’s take a look at the inverse of that statement:
Everyone outside my org is an untrusted user.
Again, for some companies, this statement may be true. You might not want your employees to collaborate with anyone outside your company. But other companies may disagree. If your employees are collaborating with external users like partners, resellers, contractors, clients, or board members on projects, then you might consider certain people outside of your organization to be trusted users.
Here's where it gets murky: Let's say your services team shares a statement of work (SoW) with a partner. On the surface, that partner is a trusted user. But what if that SoW contains confidential pricing information that the partner shouldn't be seeing? Would you still consider them a trusted user?
Or take another example: Your marketing manager invites an outside PR contractor to join the #marketing Slack channel. At first glance, the contractor is a trusted user. But who else is in that Slack channel? What else is being discussed, and what kinds of documents are being shared in it? Do you still consider them a trusted user? What about when their contract ends? That’s where the line gets blurry.
In these examples, there is no right or wrong answer. It really depends on how you and your organization define trust—specifically, who you feel comfortable trusting and what kind of data you feel comfortable trusting them with.
3) Interactions with untrusted users
Classifying untrusted users is much more straightforward. An untrusted user is someone who unequivocally should not have access to your data.
Some examples of interactions with untrusted users include:
- A strategy exec shares proprietary research with a competitor
- An HR manager shares a file containing employee Social Security numbers and salaries with an ex-employee
- A junior IT admin is given super admin rights across all SaaS apps, far beyond what their role requires
Untrusted users are a security risk. Interactions like these can result in unauthorized access to sensitive data, excess admin privileges, compliance violations and fines, data breaches, loss of IP or trade secrets, loss of revenue, negative PR, loss of consumer trust, and more.
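The three categories above read as policy, but a SaaSOps tool has to apply them as a decision rule over concrete sharing events, and the edge cases the article raises (an insider without need-to-know, a partner whose contract has ended, a partner handed data above their clearance) are exactly where a naive "internal good, external bad" rule fails. The Python below is an added example written for this article, not BetterCloud's code or anything from the book. The domain names, partner allowlist, group memberships, classification ladder and contract dates are constructed assumptions, as are the sample events. It classifies each event as own-data, trusted or untrusted, with a reason per recipient.

```python
from dataclasses import dataclass
from datetime import date

# --- Assumed organization policy (illustrative values, not from the article) ---
INTERNAL_DOMAIN = "example.com"
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Which internal users belong to which need-to-know groups (assumed).
USER_GROUPS = {
    "alice@example.com": {"sales"},
    "hr@example.com": {"hr"},
    "eng@example.com": {"engineering"},
}
# External organizations the company has chosen to trust: the highest data
# classification each may receive and the date the engagement ends (assumed).
EXTERNAL_PARTNERS = {
    "partner.example": {"max_class": "confidential", "contract_end": date(2025, 12, 31)},
    "pr-agency.example": {"max_class": "internal", "contract_end": date(2024, 6, 30)},
}


@dataclass
class ShareEvent:
    actor: str
    resource: str
    classification: str          # key of CLASS_RANK
    recipients: list             # empty list = the actor touched only their own data
    when: date                   # date of the interaction
    allowed_groups: frozenset = frozenset()  # empty = any internal user has need-to-know


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def judge_recipient(event: ShareEvent, recipient: str):
    """Return ('trusted' | 'untrusted', reason) for one recipient of the event."""
    domain = domain_of(recipient)
    rank = CLASS_RANK[event.classification]
    if domain == INTERNAL_DOMAIN:
        # Being inside the org is not enough: need-to-know still applies
        # (the engineer reading finance data, the open HR list).
        if event.allowed_groups and not (USER_GROUPS.get(recipient, set()) & event.allowed_groups):
            return "untrusted", f"{recipient} is internal but outside groups {sorted(event.allowed_groups)}"
        return "trusted", f"{recipient} is an internal user with need-to-know"
    partner = EXTERNAL_PARTNERS.get(domain)
    if partner is None:
        return "untrusted", f"{recipient} belongs to no sanctioned external organization"
    if event.when > partner["contract_end"]:
        # The contractor whose engagement ended: sanctioned yesterday, untrusted today.
        return "untrusted", f"engagement with {domain} ended {partner['contract_end']}"
    if rank > CLASS_RANK[partner["max_class"]]:
        # The SoW with pricing the partner should not see.
        return "untrusted", f"{event.classification} data exceeds {domain} clearance ({partner['max_class']})"
    return "trusted", f"{recipient} is a sanctioned partner cleared for {event.classification} data"


def classify(event: ShareEvent):
    """Return ('own' | 'trusted' | 'untrusted', [reason per recipient])."""
    if not event.recipients:
        return "own", [f"{event.actor} acted on {event.resource} without sharing it"]
    verdicts = [judge_recipient(event, r) for r in event.recipients]
    worst = "untrusted" if any(v == "untrusted" for v, _ in verdicts) else "trusted"
    return worst, [reason for _, reason in verdicts]


# Constructed sample events mirroring the article's scenarios.
SAMPLE_EVENTS = [
    ShareEvent("alice@example.com", "my-notes.docx", "internal", [], date(2025, 3, 1)),
    ShareEvent("alice@example.com", "partner-sow.pdf", "confidential",
               ["bob@partner.example"], date(2025, 3, 1)),
    ShareEvent("mkt@example.com", "launch-plan.docx", "internal",
               ["pr@pr-agency.example"], date(2025, 3, 1)),          # contract ended
    ShareEvent("hr@example.com", "payroll.xlsx", "restricted",
               ["eng@example.com"], date(2025, 3, 1), frozenset({"hr"})),  # insider, no need-to-know
    ShareEvent("alice@example.com", "roadmap.pptx", "restricted",
               ["bob@partner.example"], date(2025, 3, 1)),            # above partner clearance
    ShareEvent("strategy@example.com", "research.pdf", "confidential",
               ["bob@partner.example", "rival@competitor.example"], date(2025, 3, 1)),
]


def run_samples():
    """Classify every sample event; returns [(resource, verdict), ...]."""
    return [(e.resource, classify(e)[0]) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict, reasons = classify(event)
        print(f"{verdict:9} {event.resource:18} " + "; ".join(reasons))
```

The rule is deliberately asymmetric: an event is only as trusted as its least trusted recipient, so one competitor address on a share with an otherwise sanctioned partner flips the whole event to untrusted. Time is an input, which is what catches the contractor whose engagement has ended even though their address was once on the allowlist.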
In our next blog post, we’ll discuss how the sprawl of interactions can quickly spiral out of control.
Looking for more SaaSOps info? Check out www.bettercloud.com/saasops/ for in-depth webinars, books, success stories from SaaSOps practitioners, and more.
To learn more about how BetterCloud can help you manage and secure your SaaS applications, request a demo.