
The Growth of SaaS Security: An Astrophysical Perspective

Introduction

In the past decade, the seismic shift in business processes brought on by the explosion of SaaS platforms has been palpable. Accelerated by the pandemic and the consequential mandatory work-from-home protocols, businesses and their security teams are constantly grappling with an ever-evolving digital landscape.

As an astrophysicist with a penchant for all things space (a certified space nerd), my perspective is often skewed toward the cosmic realm. Being a part of Obsidian for half a decade has given me a front-row seat to witness the growth of SaaS and the evolution of security measures to counter the growing challenges.

Drawing Parallels: SaaS Security & The Solar System

Ever thought about the similarities between the observed formation of the solar system and SaaS security? To fully appreciate the analogy, let’s take a moment to understand the theory of how our solar system came into existence:

  1. It started with a vast plane of gas and dust.
  2. Proto-planets began to form, accreting all the gas and dust.
  3. These proto-planets eventually matured into full-size planets, clearing out most of the orbital plane.
  4. Presently, celestial bodies occasionally emerge from the Oort cloud, a massive pool of objects lying beyond the solar system. Sometimes, they’re captured, and at other times, they’re expelled.

Isn’t SaaS somewhat similar? The analogy becomes clear if we imagine the gas and dust as employees and their tech choices. Take Atlassian, for example, which promotes individual teams buying their products via credit cards, aiming to amalgamate them into a single Atlassian instance. This reflects how most SaaS platforms grow – not always as a deliberate corporate choice but as a result of shared usage throughout the organization.

Understanding the SaaS Universe: Terraforming Planets

Our ultimate goal with SaaS security is akin to terraforming inner planets – making them safe and habitable. This means implementing a robust security program, ensuring secure configurations, monitoring the platforms, and understanding their connection with other applications. Key questions would be whether the platform has PII and if your SSO/IDP solution safeguards it.

Imagine you’ve successfully terraformed these SaaS ‘planets’, say Salesforce, ServiceNow, Workday, or Microsoft. But what next? How do you identify and secure the upcoming SaaS applications?

The Head of Enterprise Security at a large tech company recently told me:

“We need to detect applications early in the life-cycle and be intentional about securing them, but the number of SaaS applications out there is overwhelming.”

Criteria for Terraforming

Ideally, the aim is to detect these ‘proto-planet’ SaaS applications (those with a limited user base) before they pose a significant risk and initiate early terraforming. But it’s impractical to terraform everything! So, the question arises: Which ones do you prioritize?

Here’s where another quote from a Head of Security Engineering at a large tech company becomes particularly pertinent:

“If there are more than 50 users within a system, it’s our policy to have it behind our IDP and inside our vendor risk management program.”

Here are some other considerations to keep in mind: does the application hold sensitive data such as PII or PHI? Vendor risk management often only comes into the picture much later. Ultimately, the focus should be on the application lifecycle. The capability to detect SaaS applications in your environment is vital, but detection alone isn’t sufficient; even knowing who has access is of limited value in isolation.

Moreover, after discovering these applications and understanding their thresholds, how do you decide which ones to expel and terraform? This requires a comprehensive understanding of the risk they pose and how deeply they’re entrenched in your environment by connecting to other SaaS platforms.

Terraforming in Action

So you’ve captured a new ‘planet’. What’s next?

Step 1: IDP/SSO Integration

Firstly, integrate all access routes with your IDP/SSO provider. This ensures that no user can directly access these applications. It imposes robust authentication policies, including stringent Multi-Factor Authentication (MFA), across the board.

Step 2: Privilege Check

Secondly, take control of privilege assignments. Identify the key platform owners and limit the number of ‘super administrators’ to five or fewer. Rule of thumb: if you can control only one thing, make it this.

Step 3: Data Protection

Next, review the data stored and its exposure level. Tools, particularly productivity tools, store valuable data to optimize their utility, but often this data is exposed publicly to ensure seamless operations. The catch? This presents a potential goldmine to attackers. Your goal: limit data exposure and establish strict sharing rules.

Step 4: Connections Clean-Up

Then, inventory and review all OAuth grants and other integrations that could access sensitive data. Remove unused integrations, and scrutinize and control the privileged OAuth grants that remain. The idea: weed out potential data leak points.

Step 5: Implement SaaS Threat Detection

Now that you’ve proactively locked down your SaaS, it’s time to stay vigilant against residual risks. Attacks can still get through, so implement threat detection mechanisms to respond quickly to any anomalies. This involves pulling all relevant audit logs and rationalizing accounts across services to understand users’ behavior and access across all your SaaS.

Step 6: Stay Vigilant

Lastly, repeat these steps across all platforms with a regular cadence. Consolidate data and configuration information in a central location to detect policy breaches early before they become the norm.
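The prioritization criteria above (the 50-user threshold, PII) and Steps 1 through 6 can be expressed as a small set of policy checks run over a central inventory, which is what the consolidation in Step 6 makes possible. The following is an added example, not Obsidian’s code and not any product’s API: the inventory, the audit log entries, the application names, the OAuth scope names and the 90-day “unused grant” window are all constructed assumptions for the illustration; only the 50-user and five-super-admin thresholds come from the post.

```python
"""Added example (not Obsidian's code): central policy checks over a constructed
SaaS inventory and audit log, covering the prioritisation criteria and Steps 1-6."""
from dataclasses import dataclass
from typing import Dict, List, Set

# 50 users and 5 super admins are the thresholds quoted in the post; the
# 90-day stale-grant window and the scope names below are assumptions.
USER_THRESHOLD = 50
MAX_SUPER_ADMINS = 5
STALE_GRANT_DAYS = 90
PRIVILEGED_SCOPES = {"full_access", "admin", "files.read_all"}


@dataclass
class OAuthGrant:
    client: str
    scopes: List[str]
    last_used_days: int  # days since the grant was last exercised


@dataclass
class SaaSApp:
    name: str
    users: int
    sso_enforced: bool              # Step 1: every access route goes through the IDP
    in_vrm: bool                    # enrolled in the vendor risk management program
    super_admins: List[str]         # Step 2
    holds_pii: bool
    public_shares: int              # Step 3: items shared to anyone with the link
    oauth_grants: List[OAuthGrant]  # Step 4


def needs_terraforming(app: SaaSApp) -> bool:
    """Prioritisation rule: more than 50 users, or any PII, means the app
    must sit behind the IDP and inside the VRM program."""
    return app.users > USER_THRESHOLD or app.holds_pii


def check_app(app: SaaSApp) -> List[str]:
    """Return one finding per policy breach (Steps 1-4) for a single app."""
    findings: List[str] = []
    if needs_terraforming(app):
        if not app.sso_enforced:
            findings.append("step1: access not forced through IDP/SSO")
        if not app.in_vrm:
            findings.append("step1: not enrolled in vendor risk management")
    if len(app.super_admins) > MAX_SUPER_ADMINS:
        findings.append(f"step2: {len(app.super_admins)} super admins (max {MAX_SUPER_ADMINS})")
    if app.public_shares:
        severity = "high" if app.holds_pii else "medium"
        findings.append(f"step3[{severity}]: {app.public_shares} publicly shared items")
    for g in app.oauth_grants:
        if g.last_used_days > STALE_GRANT_DAYS:
            findings.append(f"step4: unused grant '{g.client}' ({g.last_used_days}d idle)")
        elif set(g.scopes) & PRIVILEGED_SCOPES:
            findings.append(f"step4: privileged grant '{g.client}' scopes={sorted(g.scopes)}")
    return findings


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Step 5: flag residual-risk signals in consolidated audit events."""
    alerts: List[str] = []
    for e in events:
        who = f"{e['user']} on {e['app']}"
        if e["event"] == "login" and e.get("method") != "sso":
            alerts.append(f"{who}: login via {e.get('method')} bypassed the IDP")
        elif e["event"] == "role_change" and e.get("new_role") == "super_admin":
            alerts.append(f"{who}: promoted to super_admin")
        elif e["event"] == "share" and e.get("visibility") == "public":
            alerts.append(f"{who}: created a public share")
    return alerts


def rationalize_accounts(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Step 5: map one person (normalised email) to every SaaS they touched."""
    access: Dict[str, Set[str]] = {}
    for e in events:
        access.setdefault(e["user"].strip().lower(), set()).add(e["app"])
    return access


# Constructed inventory: a mature 'planet' with drift, and a small 'proto-planet'.
INVENTORY = [
    SaaSApp("crm-example", 120, False, False, ["a", "b", "c", "d", "e", "f", "g"], True, 3,
            [OAuthGrant("report-bot", ["read_contacts"], 400),
             OAuthGrant("sync-tool", ["full_access"], 2)]),
    SaaSApp("whiteboard-example", 12, False, False, ["a"], False, 5, []),
]

# Constructed audit events, already pulled into one place (Step 6).
AUDIT_LOG = [
    {"app": "crm-example", "user": "Alice@Example.com", "event": "login", "method": "sso"},
    {"app": "crm-example", "user": "bob@example.com", "event": "login", "method": "password"},
    {"app": "crm-example", "user": "bob@example.com", "event": "role_change", "new_role": "super_admin"},
    {"app": "whiteboard-example", "user": "alice@example.com", "event": "login", "method": "sso"},
    {"app": "whiteboard-example", "user": "alice@example.com", "event": "share", "visibility": "public"},
]

if __name__ == "__main__":
    for app in INVENTORY:
        print(app.name, "prioritised" if needs_terraforming(app) else "watch", check_app(app))
    print(detect(AUDIT_LOG))
    print(rationalize_accounts(AUDIT_LOG))
```

Run as a script, the report shows why the large CRM tenant is prioritised (six findings across Steps 1 through 4) while the 12-user whiteboard only earns a medium-severity note about public sharing, and the detection pass surfaces a password login that bypassed the IDP, a promotion to super admin and a new public share. The account rationalisation step is what lets the same person’s activity across both apps be read as one story rather than two unrelated log lines.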

Boldly go and garden your galaxy. Should you need a Starfleet, Obsidian is ready to engage.