In the traditional IT environment, data and applications were housed in on-premises datacenters, and IT system administrators were also company employees. But the shift toward subscription-based services under a SaaS model has been underway for years. Several years ago, a Gartner researcher predicted that by 2020, all new market entrants and 80% of legacy providers would offer products on a SaaS basis.   

Customer enthusiasm for SaaS is high because it reduces or eliminates in-house maintenance costs. The pandemic underscored another benefit: business continuity. TechCrunch reported that sales have soared at SaaS companies during the COVID-19 crisis. Revenue at Zoom increased by nearly 170% year-over-year as people used the platform to replicate in-person meetings and training sessions.

But at many businesses, the company security posture hasn’t kept pace with the volume of data flowing to and from multiple SaaS vendors. It’s an urgent issue in an environment where endpoints are proliferating and hacking techniques are getting more sophisticated. That’s why it’s never been more urgent to upgrade the security posture and reduce the risks associated with SaaS solutions.

Starting with the security architecture

The adoption of SaaS also requires rethinking your overall Security Architecture. Many cloud providers support whitelisting solutions to enable their customers’ employees to access the SaaS solution via their office network (to enforce security measures). But it’s increasingly common for employees to bypass the office network and use direct connections to the cloud solutions they use. They may not log into to the office network at all, so IT has to ensure that endpoints are secure even when they’re not connected to the network.

Cloud native solutions can help enforce critical controls like patch management, configuration management and endpoint protection also when end-user devices are not linked to the office network. Furthermore, the architecture should also consider a strategy for BYOD security. A modern security architecture should include cloud-based identity and access management solutions like multifactor authentication and federation with your SaaS applications. Also review the requirements to integrate logs with your SIEM solution and the use of Cloud Access Security Brokers. A strong architectural setup can help to enforce security policies while meeting business requirements.

Meeting governance needs in a SaaS environment

Businesses and individuals can activate SaaS applications with a single click, which presents the “Shadow IT” challenge: the application may not have been reviewed or vetted internally to ensure it conforms with company policies. There are many risks associated with unvetted SaaS solutions, including data ownership, information security risks and potential regulatory compliance issues.

A proactive governance approach requires a defined process that ensures visibility and directly addresses risks to keep exposure within acceptable levels. A multidisciplinary strategy that includes people with expertise in the business, IT architecture, procurement, legal, privacy and IT risk/security is the best way to ensure sound governance.

One of the first steps is to classify data in terms of confidentiality, integrity and availability. To find the right balance between costs and security; measures should reflect the criticality of the data being protected.

Additionally, it’s important to understand that cloud and SaaS providers have a shared responsibility to keep data safe and to understand exactly what the company will manage vs. what the SaaS vendor will oversee. To make sure nothing falls through the cracks, typically SaaS providers manage components like applications, virtual machines, databases, datacenters, etc., (the largest portion of the stack) while the company manages components like user access to the application (joiners, leavers, changers, roles, segregation of duties, etc.), end user devices, and data.

Depending on the SaaS provider, there may be multiple configuration options, like password settings or identity federations, and authorization models. Some SaaS providers offer different availability plans to meet recovery time objective and recovery point objective. The company should manage this as well to ensure these are configured in line with their requirements and risk apatite.

Evaluating SaaS vendors

The key to effectively assessing SaaS vendors is to keep in mind that they provide standard services to customers. That means a vendor might not meet every company’s detailed security requirement, but that can be difficult to assess on a point-by-point basis. The best approach is to evaluate the vendor at a higher level, looking at how their security measures meet your overall security goals and risk appetite. This should not be a one-time action but requires reevaluation on a periodic basis as both the threat landscape and cloud services will change over time.

There are different ways to gain insight in the security levels of a (SaaS) vendor, some examples are:  

• Security certifications like ISO 27001 and SOC1/SOC2 assurance reports can be helpful in assessing SaaS security. Those reports are prepared by an independent auditor.  
• Security questionnaires can be used to query information. It is recommended to use standard terminology to reduce the possibility of a misunderstanding. Documentation of the  Cloud Security Alliance can help in this.
• Security tests provide insight in potential (technical) security weaknesses. Some vendors share the results of their own security tests or allow customers to perform penetration tests; this provides a better understanding of vendor security practices.

Also keep in mind that many SaaS applications are built on top of other cloud providers, like Microsoft Azure, AWS, Google Cloud, etc. This has a benefit as the SaaS provider can leverage the security mechanisms of the underlying cloud provider. However, it’s good to have an understanding of how the security is maintained in this chain.

The previous points are mainly about the security of the vendor; in addition, a vendor should provide sufficient capabilities for you to securely consume the service this includes the ability to define user roles, segregation of duties, identity federations or password settings. It’s also important to be able to conduct secure system-to-system integrations when necessary and to ensure compliance with any limitations on data location.

Also make sure that the company and vendor have up to date contact information so they can communicate in an urgent situation, such as a data breach. Security requirements should be documented in the contract — this is mandatory for companies that are required to comply with GDPR.

Ensuring safe SaaS operations

There’s no going back to a time when the in-house IT team controlled all of the data onsite. SaaS solutions are expanding capabilities and lowering costs. That’s why all of the momentum is toward an accelerated adoption of SaaS solutions. But the company still has an obligation to ensure that the business is protecting data that moves through SaaS solutions.

That’s why it’s so important for a multidisciplinary team to evaluate SaaS solutions and make a decision in line with company governance needs. By taking new realities into account and modernizing the approach to security, businesses can get all the benefits of SaaS applications while ensuring that they operate safely within that environment.