Checks and Balances: 3 Tips for Securing SaaS Apps - InformationWeek


Commentary
Cloud // Software as a Service
6/14/2021 07:00 AM
Eric Kaasenbrood, CISO, Unit4

Checks and Balances: 3 Tips for Securing SaaS Apps

Software as a service users are bypassing on-premises IT security solutions. CISOs can lower enterprise risks using a modern security approach to enable business users while keeping data safe.

Credit: WrightStudio via Adobe Stock

SaaS applications are proliferating, making up the largest cloud spending sector: Gartner predicts the segment will reach $122.6 billion this year. Many CISOs have adjusted their security approach to account for the growing adoption of SaaS solutions, but others are still playing catch-up. Companies whose controls still assume that users sit on the company network, or that traffic passes through on-premises security appliances, are at risk.

Decentralized IT Requires Enterprise SaaS Security and Governance

Shadow IT isn’t a new problem, but the pandemic accelerated adoption of SaaS solutions that are accessed from outside company boundaries. Many cloud providers support IP whitelisting, but that control only covers traffic that leaves through the office network: employees increasingly connect to the cloud directly from home or on the road, which bypasses the allowlist and every other control that sits on the office network. In addition to the data security implications, insufficient security can also create compliance problems.

To address these issues, IT professionals should consider a checks and balances approach that uses a cloud-ready IT architecture, defines good governance practices, and acknowledges the shared responsibility with cloud providers. This enables business users to use the cloud in a safe and responsible way.

The following three tips can help CISOs support the business with more effective SaaS security:

1. Enable the business with a modern IT architecture. The first step is to review your risks and controls and move traditional security mechanisms from the on-premises company network to cloud-ready solutions. For example, endpoints should be well protected outside the company network using cloud-native solutions that help enforce critical security controls, including patch management, configuration management and endpoint protection.

Additionally, it is key to ensure secure access to SaaS solutions. Security functions like multifactor authentication, access management, identity federation (so that SaaS logins go through the company identity provider rather than local accounts) and other checks and balances need to be in place before employees use cloud solutions.

Cybersecurity should be a business enablement function because employees need to connect to the cloud to maximize their efficiency. By moving security measures from local networks to the cloud, IT delivers significant business value.

2. Assemble a multidisciplinary team to define good governance. In the old days, IT was in charge of creating the IT environment. Now, business owners often start their own ecosystems and define their governance rules. CISOs can better protect their company's precious assets by assembling a team with expertise in information technology, security, legal, compliance and privacy (and other areas as appropriate) to define governance rules for the enterprise. The team can revise governance using a risk-based perspective, creating detailed policies describing the required checks and balances for authorizing new cloud solutions. Evaluate the current processes to see how the review of SaaS solutions can be best embedded (the review could be triggered by the central procurement department).

One thing to keep in mind is that SaaS providers standardize their offerings to appeal to a broad market, and companies can use that to their advantage: the same standardization means a provider usually has reusable security assurance documentation rather than answering each customer from scratch. In reviewing cloud providers, ask for that documentation or for independent certifications. Alternatively, consider using standard assessment material, such as the questionnaires published by the Cloud Security Alliance. It’s also a smart idea to elevate security awareness across the company, securing buy-in on the governance effort.

3. Understand the shared responsibility model. It’s critical to understand exactly how security duties are divided between the SaaS provider and the SaaS consumer so that nothing falls through the cracks. The underlying platform (infrastructure, the application code and its patching) is typically managed by the SaaS provider, whereas user and access management, the data placed in the service and the application’s configuration remain the responsibility of the SaaS consumer. Write the split down per service; a gap usually means both parties assumed the other was handling it.
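To make the consumer-side duties from tips 1 and 3 concrete, here is an added example (not from the article, and not Unit4’s code) that audits a hypothetical SaaS user export for the checks a CISO would want before declaring a service in use: MFA enrolment, dormant accounts, and accounts that sit outside the company identity domain (so they are not coming in through federation). The CSV column layout and the sample rows are constructed for the example; real vendor exports differ.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export for the example. The column layout is an
# assumption; real SaaS user exports differ per vendor.
SAMPLE_EXPORT = """\
email,mfa_enrolled,last_login,role
alice@example.com,true,2021-06-10,admin
bob@example.com,false,2021-06-01,user
carol@example.com,true,2020-11-02,user
dave@contractor.net,false,2021-05-30,admin
"""


def audit_users(csv_text, company_domain, today, dormant_days=90):
    """Return (email, finding) pairs for accounts that violate the consumer-side
    controls: missing MFA, dormant logins, and identities outside the company
    domain. One account can produce several findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        mfa_enrolled = row["mfa_enrolled"].strip().lower() == "true"
        last_login = datetime.strptime(row["last_login"].strip(), "%Y-%m-%d").date()
        is_admin = row["role"].strip().lower() == "admin"

        if not mfa_enrolled:
            # An admin without MFA is the worst case, so label it separately.
            findings.append((email, "no MFA (admin)" if is_admin else "no MFA"))
        if (today - last_login).days > dormant_days:
            findings.append((email, f"dormant > {dormant_days} days"))
        if not email.endswith("@" + company_domain.lower()):
            # Local or third-party identities bypass the company's federation
            # and therefore its MFA and offboarding processes.
            findings.append((email, "account outside company identity domain"))
    return findings


def run_sample():
    """Audit the constructed export as of the article's publication date."""
    return audit_users(SAMPLE_EXPORT, "example.com", date(2021, 6, 14))


if __name__ == "__main__":
    for email, finding in run_sample():
        print(f"{email}: {finding}")
```

The point of the script is the list of checks, not the parsing: each one corresponds to a duty the shared responsibility model leaves with the customer, and none of them will be performed by the provider on the customer’s behalf.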

SaaS Is Hot, So SaaS Security Is a Must

The right governance model and architecture will vary according to industry, compliance requirements, the company’s business strategy and other factors. The goal is to align IT’s strategy with the overarching business strategy, but in any governance framework, it’s crucial to clearly define the roles and responsibilities in ensuring SaaS security.

The business case for the cloud in general and SaaS solutions specifically is extremely strong, which is why demand is growing so quickly. For some CISOs, adapting to SaaS demand has been a challenge, especially given all the pressure of the last year with the shift to remote working. The good news is that SaaS companies have also matured, and when companies find the right vendor, the SaaS environment can provide a significant security upgrade and take some of the pressure off IT.

It’s important to keep in mind that security is a core component of IT’s business enablement mission. That’s why it’s so critical for CISOs who have relied on on-premises measures in the past to upgrade and modernize their security measures to align with new realities, which includes the widespread availability of SaaS solutions that business owners can obtain without IT oversight. With the right checks and balances in place, companies can ensure users have access to the tools they need and keep data secure.

Eric Kaasenbrood is the Chief Information Security Officer of Unit4, a global enterprise cloud application developer, with over 10 years of experience in information security.
