A Complete Best Practices Guide
Editor’s Note: This article was updated to include more recent data and new functionality from the SMP marketplace.
SaaS usage has exploded since the beginning of 2020, but with all the collaborative benefits software-as-a-service (SaaS) and cloud services present, new challenges abound. IT professionals must adapt to threats like unsanctioned apps, data loss, and insider threats.
In today’s cloud-first, work-from-anywhere environment, employees are increasingly likely to access sensitive materials outside company headquarters—which means that SaaS data security is one of the top priorities for IT teams of all sizes. While this is a daunting challenge, a zero-touch IT mindset can ensure SaaS security while also freeing up IT to become a strategic part of the business.
I know what you’re thinking. What is zero-touch IT? As we recently wrote, a zero-touch approach aims to remove every manual touchpoint to orchestrate entire IT processes. SaaS enables seamless collaboration between users, both within and outside the organization, and this modern IT approach ensures granular access can be secured without sacrificing productivity or security.
This guide contains an overview of SaaS security best practices, and how a zero-touch IT mindset can enable them.
The Unique Challenges of SaaS Security
The four biggest security challenges created by SaaS are:
- File security
- Insider threats
- Gaining visibility into your SaaS environment
- Enforcing least privilege access policies
Let’s explore each in further detail.
1. File security
Before we dig into the long-term benefits of automated IT, the foundations of SaaS security bear repeating.
SaaS is here to stay. We’re all working in the cloud, and that means our sensitive data is everywhere. Credit card numbers, passwords, intellectual property, confidential customer data…the list goes on and on.
SaaS apps are empowering to users because they make it easy to share files with collaborators within the company and, more worryingly, outside your organization. Users can configure file-sharing permissions on their own. Unsurprisingly, this can lead to unwanted issues like compliance violations and data breaches. A user might share a file publicly because it makes collaboration easier, not realizing that the file may now be indexed by Google in real time, and therefore available to the public. Keeping track of these sensitive file exchanges is not easy, at least not with traditional IT security methods.
No one wants to send out press releases about data breaches that happened under their watch. Huge SaaS vendors like Microsoft, HubSpot, and Okta have all been victimized by SaaS cyber attacks in 2022. All this goes to show how important it is to be aware of what choices your users are making within apps. This necessitates automated alerts on risky configurations and automated remediation.
2. The risk of insider threats to your SaaS security
According to BetterCloud’s 2021 State of SaaSOps study, an overwhelming 72% of IT professionals believe that well-meaning, yet negligent employees pose the biggest data loss threats. In contrast, far fewer people feel the biggest threat is from malicious employees (20%) or hackers (8%). Maybe it’s allowing an outside contractor onto the company Slack account. Maybe it’s sharing something via Dropbox over an unsecured network. Employees should be schooled in SaaS security best practices – that much is clear – but it’s at the IT level where these measures need to take root.
3. Gaining visibility into your SaaS environment
Once you take a peek under the hood of your company’s SaaS engine, there’s a good chance you’ll be shocked by what you find. When the pandemic hit during the first quarter of 2020, companies quickly amassed SaaS apps for remote work, thinking they’d only need them for a few weeks. As we all know, that “few weeks” evolved into a lasting reality, and those SaaS applications – even the forgotten ones! – are most likely still there, and perhaps compromised over time. More than half (55%) of respondents in BetterCloud’s 2021 State of SaaSOps study said their biggest challenge was a lack of visibility into user activity and data.
Since these unsanctioned apps can’t be seen by IT teams, it’s virtually impossible to secure and manage them properly. This can make them quite risky. Proper SaaSOps process and solutions can keep track of how these apps are being used, their permissions, and their data read/write authorizations.
4. The challenge of enforcing least privilege access policies
The more access an admin has within your infrastructure, the more they put you at risk if their account becomes compromised. Hence, the importance of least privilege access, or in layman’s terms, granting users the minimum permissions needed to perform their roles.
It sounds simple, but the terms for certain admin roles and distribution lists often vary from app to app, making least privilege access difficult to discern. Some apps simply don’t allow a great deal of variation from admin to admin. However, better SaaS management platforms (SMPs) allow IT teams to be much more exact with the access they grant. Using BetterCloud as an SMP, a typical customer in 2021 was able to implement a least privilege access model that reduced the number of users with super admin access from 15 to 3.
Why do all these SaaS security challenges exist?
It has a lot to do with that paradigm shift that occurred in early 2020. The old IT model employed the so-called “castle and moat” approach – the “moat” protecting company infrastructure from outside unknowns. But with the advent of SaaS, that moat disappeared, since employees had the ability to easily share sensitive data outside the company, often over unsecured networks such as home Wi-Fi. Today, effective IT can’t just control the perimeter; its watchful eye must permeate all apps and interactions within the public cloud.
Now, let’s examine some other kinds of SaaSOps tools and best practices for SaaS security.
Understanding the types of SaaS security software options available to you:
1. Identity and access management (IAM)
As the expectations of a good IT department shifted post-2020, Identity and Access Management (IAM) emerged as a strong option for automating security in cloud-based work settings. IAM allows IT to control user access to sensitive information within a company on a fully automated basis. The automation factor is a key difference from manual, mistake-prone legacy options; IAM is more secure and allows admins to fine-tune those all-important privilege settings on who gets access to what.
With IAM, companies can use authentication methods such as:
- Unique passwords: lengthy passwords that include randomized letters, symbols, and numbers
- Pre-shared key: passwords shared among users with access to the same materials (not as secure as individual, unique passwords)
- Behavioral identification: artificial intelligence that analyzes a user’s human idiosyncrasies, such as typing and mouse-use habits
- Biometrics: fingerprints, faces, voices, etc. are used to authenticate users (given the highly personal nature of this data, an implementation should be considered very carefully)
2. What is a CASB?
CASBs (short for cloud access security brokers) are another SaaS security software option. According to Gartner, CASBs are on-premises or cloud-based security policy enforcement points. They stand between cloud service consumers and cloud service providers to combine and add enterprise security policies as cloud-based resources are accessed.
CASBs are employed in a wide range of cloud computing services, including PaaS, IaaS, and of course, SaaS, where they’re used for data security, asset encryption, inline blocking of shared assets, and network security.
3. What role does a CASB play in SaaS security?
It’s useful to compare CASBs to SMPs since they both enforce SaaS security in different ways. The role of CASBs extends well beyond SaaS, and unlike SaaS-focused SMPs, their response to a security threat tends to be less nuanced. Admins using CASBs can set triggers (such as when a new user appears on the network), but lacking the granularity of SMPs, CASBs are prone to over-enforcing these triggers and bringing workflow to a halt. SMPs, however, offer smarter, workflow-friendly solutions without sacrificing security measures.
The need for a flexible SaaS security solution
Every company is different, so it’s up to IT and security teams to implement a SaaS security program that makes sense for the company’s day-to-day needs. What triggers should your security platforms be on alert for? What actions will those triggers activate, and how will relevant team members be notified? Zero-touch IT and automation have facilitated all this immensely, but it’s up to IT to use those tools to build a security threat game plan. Additionally, data encryption and two-factor authentication (e.g., entering your password and then receiving an additional access code via your mobile device) are increasingly common methods to protect data. And all employees should be trained in the basics of data encryption and data security, such as how to recognize a phishing email.
Regardless of where you are today, adopting zero-touch IT will help you reach the goals we’ve outlined in this guide. Start by keeping track of what issues are most frequently leading to tickets – these are the issues you’ll want to prioritize automating once you’ve got the hang of things. In the meantime, tools like BetterCloud Manage – with no advanced scripting or programming required – can make tasks like employee onboarding/offboarding zero-touch right away for IT and security teams. From there, you can move to automate additional SaaS priorities, which we’ll reiterate below.
Best practices: SaaS security checklist
Maintain a secure infrastructure:
- Establish your organization’s culture and risk tolerance
- Implement IAM/IDaaS to facilitate access and authentication to all SaaS apps and minimize friction for end users
- Ensure your data is always encrypted
- Implement two-factor authentication (2FA)
- Train users on SaaS security, including identifying phishing attacks and the importance of 2FA
- Create an incident response plan
- Implement SaaS management in conjunction with traditional security services
- Build dynamic Data Loss Prevention (DLP) policies to protect sensitive data from being lost, misused, or accessed by unauthorized users
- Build customizable workflows so responses are in accordance with your security policies and guidelines
Proactively secure data by monitoring for:
- Exposure of sensitive information such as PII, PHI, passwords, and encryption keys (either publicly or externally shared)
- Corporate emails that are automatically forwarded to a personal email account (e.g., Gmail, Yahoo)
- Users who should no longer have access to specific files, folders, calendars, etc. (e.g., consultants, interns, or employees who’ve switched teams)
- Suspicious activity related to data theft, like unusually large file downloads within a short time period
- Sensitive files being shared with a competitor
- Email forwarding from specific users to email addresses outside your domain
- Specific file types being publicly or externally shared (e.g., spreadsheets and PDFs are more likely to contain sensitive information)
- Sensitive folder paths, like accounting or finance, being publicly or externally shared
- Choices users are making in apps, such as making cloud databases public
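As an added example (not from the original article or from any vendor's product), three of the monitoring items above can be written as detection rules over audit events: mail forwarding to personal or external addresses, public or external sharing of sensitive file types and folder paths, and unusually large downloads in a short window. The event schema, domain names, and thresholds are assumptions for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the article): event schema, domains, thresholds.
CORP_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com"}
SENSITIVE_EXT = (".xlsx", ".csv", ".pdf")
SENSITIVE_PATHS = ("/finance/", "/accounting/")
DOWNLOAD_LIMIT_BYTES = 500 * 1024 * 1024
DOWNLOAD_WINDOW = timedelta(minutes=10)

# Constructed sample events in a hypothetical normalized audit-log format.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "ana", "type": "forward_rule", "target": "ana.p@gmail.com"},
    {"ts": "2024-05-01T09:05:00", "user": "bo", "type": "forward_rule", "target": "bo@example.com"},
    {"ts": "2024-05-01T09:10:00", "user": "cy", "type": "share", "path": "/finance/q2.xlsx", "visibility": "public"},
    {"ts": "2024-05-01T09:11:00", "user": "cy", "type": "share", "path": "/team/lunch.txt", "visibility": "public"},
    {"ts": "2024-05-01T10:00:00", "user": "di", "type": "download", "bytes": 300 * 1024 * 1024},
    {"ts": "2024-05-01T10:06:00", "user": "di", "type": "download", "bytes": 300 * 1024 * 1024},
    {"ts": "2024-05-01T10:00:00", "user": "ed", "type": "download", "bytes": 300 * 1024 * 1024},
    {"ts": "2024-05-01T11:30:00", "user": "ed", "type": "download", "bytes": 300 * 1024 * 1024},
]

def detect(events):
    """Return a sorted list of (user, finding) tuples."""
    findings, downloads = set(), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "forward_rule":
            domain = e["target"].rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_DOMAINS:
                findings.add((e["user"], "forward_to_personal"))
            elif domain != CORP_DOMAIN:
                findings.add((e["user"], "forward_to_external"))
        elif e["type"] == "share" and e["visibility"] in ("public", "external"):
            path = e["path"].lower()
            if path.endswith(SENSITIVE_EXT) or any(p in path for p in SENSITIVE_PATHS):
                findings.add((e["user"], "sensitive_share"))
        elif e["type"] == "download":
            window = downloads[e["user"]]
            window.append((ts, e["bytes"]))
            # Keep only downloads inside the sliding window ending at this event.
            window[:] = [(t, b) for t, b in window if ts - t <= DOWNLOAD_WINDOW]
            if sum(b for _, b in window) > DOWNLOAD_LIMIT_BYTES:
                findings.add((e["user"], "bulk_download"))
    return sorted(findings)

if __name__ == "__main__":
    print(*detect(EVENTS), sep="\n")
```

The two negative cases matter as much as the hits: an internal forward and a public but non-sensitive file produce no finding, and downloads spread across 90 minutes stay under the threshold.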
Gain visibility and control:
- Enforce least privilege with granular access control
- Remain aware of all apps running on the corporate network, sanctioned or unsanctioned, and eliminate blind spots
- Identify tools that authenticate using your domain
- Audit permissions that employees grant to unauthorized SaaS apps
- Compare permissions to your established data governance that defines who within an organization has authority and control over data assets and how those data assets may be used
- Secure user interactions inside of SaaS apps
- Continuously monitor for policy violations and remediate them if any are detected
A few final thoughts
SaaS data security is a tricky challenge for even the most experienced IT professionals – just look at how much has changed in the past two years! But by using the SaaS security best practices in this guide, coupled with an SMP/zero-touch IT approach, you can secure your organization for years to come. Now is the time to transform your technology team from ticket-takers to strategic leaders of your business!