Security News

Gartner forecasts a 16.8% growth for SaaS in 2023 as companies - including SMBs - add new SaaS platforms to their IT stack. Too often we find SMBs think security is all in the hands of the SaaS provider, when in fact the SaaS customer is always responsible for their data and their users.

While zero trust can be an effective approach to security, it can also present some challenges, particularly when it comes to implementing it for software as a service due to the fast pace of its adoption, distributed ownership of SaaS applications across organizations, and the shared responsibility model between a SaaS vendor and a customer. The traditional approach to SaaS security challenges has been to use a cloud access security broker and/or identity provider to manage access to SaaS applications.

Today, most security and IT teams understand the shared responsibility model, in which the SaaS vendor is responsible for securing the application, while the organization is responsible for securing their data. SaaS data breaches and SaaS ransomware attacks can lead to the loss or public exposure of that data.

Wing Security recently announced that it is making its SaaS application discovery engine available as a free, self-service product. The risks associated with SaaS Shadow IT have become more prevalent in recent years due to the widespread use of SaaS within organizations.

The move to SaaS and other cloud tools has put an emphasis on Identity & Access Management. The scope of identity fabric includes any human, machine, or application that is granted access to your applications and data.

The attack ended when security teams were able to terminate user access, although data which had already been downloaded remained in the threat actor's hands. SaaS user permissions allow app owners to limit a user's resources and actions based on the user's role.

SaaS applications are often multi-tenanted, so your applications need to be secure against attacks where one customer could access the data of another customer, such as logic flaws, injection flaws, or access control weaknesses. Security testing with an automated vulnerability scanner in combination with regular pentesting can help you design and build secure web applications by integrating with your existing environment, catching vulnerabilities as they're introduced throughout the development cycle.

Security teams should onboard a SaaS Security Posture Management solution, like Adaptive Shield, that provides full visibility and control across a critical mass of SaaS apps in the SaaS stack. Security teams should be able to use the solution to gain context into security alerts and gain answers to questions like: Which users are subject to a certain misconfiguration? Are they admins? Is their MFA enabled? By having these answers at their fingertips, security teams can enforce company and industry policies to remediate potential risks from any misconfiguration.

In this Help Net Security video, Uri Haramati, CEO at Torii, talks about how it's impossible for IT to take full ownership or responsibility for managing cloud apps today. Instead, SaaS management is a team sport-but not all the players know they're on a team.

Every SaaS app user and login is a potential threat; whether it's bad actors or potential disgruntled former associates, identity management and access control is crucial to prevent unwanted or mistaken entrances to the organization's data and systems. Identity and Access Management solutions administer user identities and control access to enterprise resources and applications.