SaaS security: How to avoid "death by 1000 apps"
SaaS applications have become synonymous with modern business environments, and CISOs and security teams struggle to find a happy medium between ensuring the security of their SaaS portfolio and empowering the organization's streamlined business workflows and productivity.
In recent conversations with leading CISOs in the global market, including Frank Kim, fellow and former CSO at the SANS Institute; Sounil Yu, CSO at JupiterOne; Ray Espinoza, VP Cloud Security at Medallia; Leon Ravenna, CISO at KAR Global; Alex Manea, CISO at Georgian; and Tim Fitzgerald, CISO at Arm, we took a deep dive into the CISO perspective on SaaS challenges, security pitfalls, and actionable tips for managing SaaS successfully and avoiding the dreaded "Death by 1000 apps."
Manea describes the risk as "Death by 1000 cuts, or death by 1000 apps, as the case may be," and this is amplified by the speed at which these apps are adopted.
The CISOs I spoke with described these pitfalls in organizational SaaS security programs as gaps that, in hindsight, security teams should have avoided.
"One of the most critical lessons we learned was to know where your data is flowing and what your SaaS apps are integrating with." Once security teams have a general understanding of what their SaaS portfolio looks like, Sounil Yu suggests that security controls for onboarding new apps should be applied in direct context to the size and stage of the organization.
"The right timing for switching from a free-for-all policy to a more controlled approach is an important decision. Placing tight controls over SaaS security may be a hindrance to the growth of a young startup when core teams are built and applications are onboarded with every new team. As the company stabilizes and the CISO has a good grasp of the SaaS portfolio, only then should they begin tightening restrictions."
News URL: https://www.helpnetsecurity.com/2022/06/14/saas-applications-security/