Businesses’ use of software-as-a-service applications is shadow IT on steroids. Take the case of the chief information security officer of an insurance company who enlisted security expert Jayson Ferron to help with an operating system migration. Ferron, CISO/CEO of Interactive Security Training, asked the client CISO, “Do you use the cloud? And he said, ‘Absolutely not; we’re an insurance company, we don't trust the cloud.’ Come to find out, there were 50,000 users using Salesforce.com that the CISO didn't know about because the business was expensing it.”
Indeed, it’s so easy to sign up for a SaaS application that “your employees now have the power of SaaS in their hands,” agrees Jerald Dawkins, CTO of Cerberus Sentinel, an MSSP headquartered in Scottsdale, Ariz. And if it’s a free service, they don’t even need to get permission from accounting, he adds. The problem? “They're pushing corporate data to this free service on a vendor that you don't know about, a service that you don't know about.”
According to research from security vendor Axonius focused on SaaS usage, 74% of businesses have more than half of their applications in the cloud, and 66% are spending more on SaaS applications now than a year ago. However, most organizations said SaaS security lagged in urgency and priority. Of those surveyed, 60% ranked SaaS security fourth or lower on their list of current security priorities, pointing to limited time and resources (28%), pressure from the C-Suite to focus on other issues (23%), and staffing shortages (15%).
Securing SaaS applications is “a different beast” for MSPs accustomed to securing networks and endpoints, says Lawrence Cruciana, president of Corporate Information Technologies, an MSP in Charlotte, N.C. According to a recent ChannelPro reader survey, roughly half (48%) of respondents believe that securing SaaS applications is more difficult than securing the network and endpoints. Moreover, in the Axonius research, 66% of organizations agreed that the increase in SaaS applications has resulted in more complexity and increased security risk in their organizations.
“The inherent nature of those platforms [is] they're always on, always connected, always [in an] exposed state,” Cruciana explains. While SaaS brings great business value, he says, it also brings “equally great areas of exposure. In many instances, the MSP isn't always in control of the introduction of new features or new products or new configuration items, or even the default configuration.”
A Shift in Focus
Andras Cser, vice president and principal analyst at Forrester, points to four main challenges with SaaS security:
- Constant change in SaaS platforms' capabilities and consequently security policy setup
- Varying, complex definitions of zero trust/least privilege across SaaS platforms
- The breadth of SaaS offerings
- Ties to data that mix SaaS security with data protection
While the fundamentals of the MSP’s job remain the same—working with the right vendor, securing the data, configuring the platform, and managing and supporting the customer’s environment—SaaS security is a shift in focus, Dawkins says. “It changes the conversation from being one that's very technical, and talking about hardware and perimeter security, and [turns] it to being one of risk management.” That encompasses vendor management to ensure vendors have the proper cybersecurity controls to protect your customer’s data.