This article is excerpted from BetterCloud CEO David Politis’s new book, The IT Leader’s Guide to SaaSOps (Volume 2): How to Secure Your SaaS Applications.
SaaS applications are a double-edged sword. They empower us to collaborate and communicate at scale, which is what makes SaaS so powerful, but at the same time, these very interactions can introduce new liabilities and formidable challenges into your environment.
As a result, SaaSOps calls for new operational controls and processes to protect SaaS data. To do that, you start by securing user interactions because:
- SaaS is the system of record. Today, organizations are trusting SaaS vendors to house mission-critical, irreplaceable data. When you’re storing sensitive information like PII, trade secrets, sales pipeline data, employee salary information, and tax documents in SaaS apps that employees are interacting with on a daily basis, it’s especially important to secure this activity.
- SaaS makes it easy to expose (or steal) data, as can already be seen in the news. SaaS apps have garnered publicity thanks to user interactions like the ones discussed previously. Misconfigured Google Groups, Box files, Google Calendars, Trello boards, and GitLab instances, as well as innocuous SaaS app integrations, have resulted in data exposure incidents. Here are just a few headlines:
These incidents were accidental, but intentional actions like trade secret theft have also made headlines. For example, Zynga sued two ex-employees in 2016, alleging that one of them had downloaded 10 Google Drive folders and taken over 14,000 files and approximately 26 GB of extremely sensitive, highly confidential Zynga information to a competitor. Similarly, in the Uber vs. Waymo trade secrets trial of 2018, a Google security engineer testified that an ex-employee had downloaded 14,107 files (9.74 GB) and exported several confidential and proprietary documents from Google Drive to a personal device before leaving the company.
- SaaS applications are creating a new generation of insider threats, where the biggest risk is from well-meaning but negligent end users. When it comes to insider threats, the biggest threat is not from splashy saboteurs seeking revenge; 62 percent of IT professionals believe that the biggest security threat actually comes from well-meaning but negligent end users. These are your ordinary employees. They are particularly dangerous because they have access to critical assets but lack the training or knowledge to keep sensitive information safe as they do their jobs. They may not understand the consequences of their interactions. For companies that are powered by SaaS apps, the negligent end user has even more freedom to unintentionally expose sensitive information. SaaS gives users extensive control and power, but to err is human. It’s extraordinarily easy to make a simple misconfiguration mistake, especially when presented with dozens of complex sharing settings across multiple apps.
That said, many IT professionals today are not securing user interactions effectively. In a recent webinar poll, we found that 90 percent of IT professionals either felt their system for securing user interactions and activity within SaaS apps was insufficient or didn’t have a system at all.
SaaS data is not easy to secure. Specifically, 75 percent of IT professionals believe that cloud storage/file sharing and email are the biggest security challenges. Tackling SaaS security is difficult because SaaS is relatively new; not enough time has passed for official certifications or industry best practices to exist. There is no foundational level of knowledge yet, no ITIL for SaaS. In fact, 78 percent of IT professionals are just getting started managing SaaS apps or are still teaching themselves.
If you haven’t grappled with these challenges or their precursors already, you will at some point in your SaaS journey—it’s inevitable. But by going in-depth into user interactions—what they mean for IT, how to think about them, how to secure them—you can get a head start on protecting your SaaS data.
In our next blog post, we’ll discuss the three types of user interactions and why they’re important for SaaSOps security.