
The Expert View: Achieving SaaS Security Excellence

SPONSORED ARTICLE

As businesses shift to SaaS (Software as a Service) platforms, securing these environments is a growing challenge, according to attendees at a recent TEISS Briefing.

While security tools have evolved to address critical threats in traditional IT environments, many of them struggle to fully address the complexities of a SaaS landscape, said Adam Gavish, chief executive of DoControl, opening a TEISS virtual briefing.

He told attendees, including senior security experts from a range of companies, that securing SaaS applications is far more nuanced than simply applying traditional tools. A fundamental issue is that many of those tools were not designed for the APIs or the underlying data models that drive SaaS applications.

This makes it difficult to accurately assess the threat landscape within a SaaS environment.

Policy challenges

In essence, said one attendee, working with SaaS applications is like managing multiple operating systems. A single tool can’t secure the entire system. SaaS applications often require specific measures for things like document permissions, access to applications, and even the links shared across platforms like collaboration or chat tools.

As a result, organisations are finding it difficult to enforce granular security policies for the varied and dynamic nature of SaaS platforms. Without a deep understanding of the SaaS environment, it’s difficult to tailor policies effectively, leaving gaps in the security framework.

Another issue raised by those at the briefing is the degradation of access control over time. As new users are added and others leave, the complexity of managing permissions grows. Often, access is granted initially but not reviewed or revoked when no longer needed. Automating access revocation after a set period can help, but many SaaS platforms do not support this out of the box.

Data ownership issues compound these challenges, attendees said. When an employee leaves the organisation, their permissions and ownership of critical data are often transferred to their manager by default. This creates a massive burden, with large volumes of data being inherited, often without proper review. This can lead to unchecked data sprawl and potential vulnerabilities.
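The two problems above, access that is never revoked and ownership that is inherited unreviewed, can be caught with a periodic review of permission records. The following is an added illustration, not code from the briefing or from DoControl; the record layout, the sample grants and the departed-user list are constructed, and the age and idle thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample records modelled on a SaaS permission export.
# Field names are assumptions, not any vendor's real schema.
@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    role: str                     # "owner", "editor" or "viewer"
    granted: datetime
    last_used: Optional[datetime] # None = never used since it was granted

GRANTS = [
    Grant("alice@example.com", "finance/q3-forecast.xlsx", "owner", datetime(2024, 1, 10), datetime(2024, 9, 2)),
    Grant("bob@example.com", "finance/q3-forecast.xlsx", "editor", datetime(2023, 11, 1), datetime(2024, 2, 14)),
    Grant("carol@example.com", "hr/salaries.csv", "viewer", datetime(2024, 8, 20), None),
    Grant("dave@example.com", "hr/salaries.csv", "owner", datetime(2022, 5, 3), datetime(2024, 8, 30)),
    Grant("erin@example.com", "eng/runbook.md", "editor", datetime(2024, 9, 1), datetime(2024, 9, 3)),
]
DEPARTED = {"dave@example.com"}        # constructed leaver list (from HR / IdP)
AS_OF = datetime(2024, 9, 5)           # constructed review date

def review_grants(grants: List[Grant], departed, now, max_age_days=180, idle_days=90):
    """Return grants to revoke and owned resources that need an explicit new owner.
    Rules (assumed policy): every grant held by a departed user is revoked; a
    non-owner grant older than max_age_days is revoked (time-boxed access); a grant
    not used for idle_days (counted from the grant date if never used) is revoked.
    Ownership is never transferred automatically: the resource is listed for review
    so a manager does not inherit it blindly."""
    revoke, transfer = [], []
    for g in grants:
        reasons = []
        if g.user in departed:
            reasons.append("user departed")
            if g.role == "owner":
                transfer.append(g.resource)
        if g.role != "owner" and now - g.granted > timedelta(days=max_age_days):
            reasons.append("grant older than %d days" % max_age_days)
        if now - (g.last_used or g.granted) > timedelta(days=idle_days):
            reasons.append("unused for %d+ days" % idle_days)
        if reasons:
            revoke.append((g.user, g.resource, g.role, reasons))
    return {"revoke": revoke, "transfer_review": sorted(set(transfer))}

def run_sample():
    """Review the constructed records as of AS_OF."""
    return review_grants(GRANTS, DEPARTED, AS_OF)
```

On the sample data, bob's stale editor grant and dave's (departed) ownership are flagged, and hr/salaries.csv is queued for an explicit ownership decision rather than defaulting to a manager.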

Data management


Permissions must be finely tuned, one attendee argued, with access granted only to those who need it. Users with more control or access to sensitive areas of the system should undergo more rigorous security training. If those with the highest privileges understand the implications of their actions, organisations can reduce the risk of security breaches.

In addition to setting clear permission levels, continuous penetration testing and end-to-end assessments are essential. These allow organisations to regularly reassess their security posture and adjust it as necessary.

Furthermore, evaluating the criticality of the data within the SaaS environment is paramount. Not all data is created equal—some is highly sensitive, while other data may be of minimal importance. By categorising data and applying the appropriate level of security, organisations can focus their efforts on protecting the most critical assets.

Organisations should conduct thorough due diligence on their SaaS providers, assessing not only the functionality of the platform but also its security protocols. Data risk should be a central focus of this assessment, some at the briefing argued. Highly sensitive data requires rigorous protection, while other data may be less critical. Security controls should be designed to reflect this distinction.

AI risk

While many SaaS applications offer built-in security features like two-factor authentication (2FA), these alone are not sufficient to protect the data being processed and stored. Important questions about where data resides, how it is shared, and who has access must be answered before an organisation can claim to have a secure SaaS environment.

Another issue is data retention and archiving. Systems accumulate large amounts of data over time, much of which may no longer be needed. However, if not managed correctly, this can create significant vulnerabilities. Organisations should ensure that critical systems have designated data owners responsible for managing the lifecycle of this information, including proper archiving and eventual deletion.

The growing integration of artificial intelligence (AI) into SaaS applications introduces both opportunities and risks, said attendees. Many SaaS platforms are deploying AI features that may radically change what the application is capable of, and which customer organisations have not vetted. Where AI is deployed automatically, it can introduce unforeseen security gaps.

Securing SaaS applications is a complex task that requires a combination of advanced tools, continuous monitoring, and thoughtful policies. Attendees agreed that organisations must address specific challenges, from managing permissions and data ownership to integrating AI and conducting thorough due diligence on suppliers, to protect their most valuable data assets and reduce the risk of security breaches in an increasingly SaaS-driven world.


To find out more visit DoControl.io.


© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543