Imagine a company-wide lockout from the corporate CRM, such as Salesforce, because the organization's external administrator tried to disable MFA for themselves. They did not think to consult the security team and did not consider the security implications, only the convenience they wanted for their own team's logins.
However, this CRM treats MFA as a top-level security setting; Salesforce, for example, has a "High Assurance Login Value" configuration and immediately locks out all users as a security measure. The whole organization grinds to a halt, frustrated and confused.
Worryingly, this is not a one-off event: administrators of mission-critical SaaS apps often sit outside the security department and have deep control over those apps. Untrained in security and not focused on it, these administrators work toward their departmental KPIs. For example, HubSpot is usually owned by the marketing department, and Salesforce is often owned by a business department as well. Business departments own these apps because it lets them do their jobs efficiently. The paradox is that it is the security team's responsibility to secure the organization's SaaS app stack, and they cannot perform this task effectively without full control over the SaaS apps.
The SaaS Security Survey 2022 Report, run by CSA and Adaptive Shield, delves into the reality of this paradox, presenting data from today's CISOs and security professionals. This article looks at key data points from the respondents and discusses what the solution could be for security teams.
SaaS apps in the hands of business departments
A typical organization uses a wide variety of SaaS apps (see Figure 1), from cloud data platforms, file sharing and collaboration apps, to CRM, project and work management, marketing automation, and much more. Each SaaS app fills a particular niche role the organization requires. Without all of these SaaS apps, a company could lag behind or take longer to achieve its KPIs.
The SaaS Security Survey 2022 Report finds that 40% of these apps are managed and owned by non-security teams such as sales, marketing, legal, etc. (see Figure 2). While the security and IT teams are said to be the primary owners of SaaS app management, it is the 40% of business departments that also participate and hold full access that complicates the threat landscape.
Security teams cannot take away this ownership, as business application owners must keep a high level of access to their SaaS apps to use them effectively. But without in-depth security knowledge or a vested interest (a security KPI that reflects on their work product), it is not reasonable for the security team to expect the business owner to ensure a high level of security in their SaaS apps.
Figure 2. Departments Managing SaaS Apps, SaaS Security Survey 2022 Report
Unpacking the SaaS App Ownership Paradox
When asked about the main reasons for misconfiguration-induced security incidents (Figure 3), survey respondents named these as the top four: (1) too many departments have access to security settings; (2) lack of understanding of security settings when they are changed; (3) lack of knowledge of SaaS security; (4) obfuscated user rights. All of these reasons, stated or implied, can be attributed to the SaaS App Ownership Paradox.
The number one cause of security incidents caused by misconfigurations is that too many departments have access to security settings. This goes hand in hand with the next cause: lack of visibility when security settings are changed. A business department can change an app setting to optimize usability without consulting or notifying the security department.
In addition, abused user permissions can easily result from a business department owner at the helm who is not paying close attention to app security. Users are often granted privileged permissions that they do not even need.
How security teams can regain control
With this shared responsibility model, the only efficient way to bridge the communication gap is a SaaS Security Posture Management (SSPM) platform. Hailed as a must-have solution for continuously assessing security risks and managing the security posture of SaaS applications in "4 Must-Have Technologies That Made the Gartner Hype Cycle for Cloud Security, 2021", such a solution can alert the security team to any change of app configuration made by an app owner and provide clear instructions on how to fix it through a ticketing or collaboration management system.
With an SSPM solution owned and managed by the organization's security team, the security team gains complete visibility into all of the company's SaaS apps and their security settings, including user roles and permissions.
Organizations can go one step further and let the app owners participate in the SSPM platform so that they can actively monitor and oversee all configurations in their own apps. Using a scoped admin capability (Figure 4), the security team can grant app owners access to the apps they own so that they can fix security issues under the security team's supervision and direction.
There is no way to exclude business departments from accessing SaaS app security settings, and while users across the organization should be trained in basic SaaS security to reduce the risk introduced by business departments, this does not always happen or is simply not enough. Organizations must implement a solution that helps prevent these situations by giving the security team visibility and control, alerting on configuration anomalies, providing audit logs that give insight into actions within the SaaS apps, and supporting scoped admins.
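To make the alerting and scoped-admin behaviour described above concrete, here is a small Python configuration-drift monitor. It is an added example, not code from the article, CSA, Adaptive Shield, or any SSPM product. It assumes a SaaS app's security settings can be exported as a flat dictionary, that the security team maintains a policy of expected values with a severity per setting, and that an ownership registry records which business department owns each app; the setting names, policy, owners and snapshots are all constructed placeholders, not real Salesforce or HubSpot configuration keys.

```python
"""Added example: a minimal SaaS posture-drift monitor with a scoped-admin check.

Not code from the article or any SSPM vendor. All setting names, policy values,
owners and snapshots below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

SECURITY_TEAM = "security"
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed policy: the value the security team expects, and how bad drift is.
# Setting names are illustrative placeholders, not real Salesforce/HubSpot keys.
POLICY: dict[str, dict[str, dict[str, Any]]] = {
    "salesforce": {
        "mfa_required": {"expected": True, "severity": "high"},
        "session_timeout_minutes": {"expected": 30, "severity": "medium"},
        "login_ip_ranges_enforced": {"expected": True, "severity": "high"},
    },
    "hubspot": {
        "sso_required": {"expected": True, "severity": "high"},
        "public_form_captcha": {"expected": True, "severity": "low"},
    },
}

# Constructed scoped-admin registry: which business department owns each app.
OWNERS = {"salesforce": "sales", "hubspot": "marketing"}


@dataclass(frozen=True)
class Finding:
    app: str
    setting: str
    old_value: Any
    new_value: Any
    severity: str
    changed_by: str
    in_scope: bool  # was the actor allowed to administer this app at all?


def actor_in_scope(app: str, actor: str) -> bool:
    """Scoped admin rule: only the security team or the owning department may change an app."""
    return actor == SECURITY_TEAM or OWNERS.get(app) == actor


def compliant(app: str, setting: str, value: Any) -> bool:
    """A setting is compliant if policy does not track it or it matches the expected value."""
    rule = POLICY.get(app, {}).get(setting)
    return rule is None or rule["expected"] == value


def diff_snapshots(app: str, before: dict, after: dict, actor: str) -> list[Finding]:
    """Compare two configuration exports of one app; return a finding for every
    change that leaves a tracked setting out of policy. Changes that move a setting
    back into policy, or touch untracked settings, are not incidents."""
    findings = []
    for setting in sorted(set(before) | set(after)):
        old, new = before.get(setting), after.get(setting)
        if old == new or compliant(app, setting, new):
            continue
        rule = POLICY[app][setting]
        findings.append(Finding(app, setting, old, new, rule["severity"], actor,
                                actor_in_scope(app, actor)))
    return findings


def ticket_lines(findings: list[Finding]) -> list[str]:
    """Render findings as the lines a ticketing/collaboration integration would post,
    highest severity first, with the expected value as the remediation hint."""
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    lines = []
    for f in ordered:
        scope = "in scope" if f.in_scope else "OUT OF SCOPE"
        expected = POLICY[f.app][f.setting]["expected"]
        lines.append(f"[{f.severity.upper()}] {f.app}.{f.setting}: {f.old_value!r} -> "
                     f"{f.new_value!r} by {f.changed_by} ({scope}); expected {expected!r}")
    return lines


# Constructed sample: a Salesforce export before and after a department-level change.
BEFORE = {"mfa_required": True, "session_timeout_minutes": 30,
          "login_ip_ranges_enforced": True, "theme": "dark"}
AFTER = {"mfa_required": False, "session_timeout_minutes": 120,
         "login_ip_ranges_enforced": True, "theme": "light"}

if __name__ == "__main__":
    for line in ticket_lines(diff_snapshots("salesforce", BEFORE, AFTER, actor="marketing")):
        print(line)
```

Running the module reports the disabled MFA as a high-severity, out-of-scope change (marketing does not own the Salesforce tenant in the constructed registry) and the lengthened session timeout as medium severity, while the cosmetic theme change is ignored. Reversing the snapshots produces no findings, which is the property an SSPM needs so that remediation by a scoped admin does not itself raise alerts.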