Securing SaaS applications can require a multi-pronged approach, requiring strategies for everything to access management, SaaS monitoring, and more.
With 99% of all organizations using one or more software-as-a-service (SaaS) applications, every organization’s cybersecurity is affected by the security of their SaaS applications and usage. There are more security difficulties and risks with SaaS in the mix because, unlike with traditional software, customers don’t have complete control over a SaaS or its infrastructure.
In this article, you’ll learn why you should care about securing SaaS applications, and we’ll explore a set of strategies and security best practices to help you do it effectively.
Why SaaS Customers Should Care About Securing SaaS Applications
When a potential customer evaluates a SaaS, they often focus more on its functionality and features rather than security. Often, there’s an implicit expectation that a SaaS vendor is responsible for all application security aspects and has implemented them perfectly.
Though the expectation is justifiable, the shared responsibility principle of SaaS necessarily places some security responsibilities on customers too. A customer is responsible for:
Data security: A customer is responsible for the security of the data provided to the SaaS. You are expected to follow principles like data encryption, either using the service provider’s features or implementing them yourself.
Access control: A customer must ensure that its SaaS users — employees, contractors, partners, and software systems — have their access restricted and monitored, using secure practices like the principle of least privilege (a user gets only the permissions they need for their task) and scheduled revocation of permissions.
Device management: A customer is responsible for securing SaaS access from the devices — like smartphones — used by its employees.
Customer-side incident response and threat protection: The combination of a customer’s operations, applications, infrastructure, and devices create customer-specific vulnerabilities in their SaaS usage and data. The customer is responsible for detecting and mitigating them.
SaaS Security Strategies
Every SaaS customer should adopt security strategies — a set of principles, policies, best practices, and implementation approaches necessary to address a set of SaaS security concerns. We’ll explore some of these strategies next.
1. Organizational Visibility Into SaaS Usage
A major problem — called “Shadow IT” — is that your security teams may not even know about all the SaaS your teams are using. Organizationally, your company’s security operations center (SOC) and its security teams are responsible for maintaining your SaaS security posture. However, SaaS purchasing is decentralized and done by individual departments.
To keep your security teams updated on all SaaS usage in your organization:
Continuous monitoring of SaaS security logs and security-relevant metrics are critical to detecting cyberattacks and intrusion attempts. They’re also essential for forensic analysis of past cyberattacks and compliance with security standards.
Employees can use chatbots to request new SaaS infrastructure, configuration changes, and permissions without friction.
The security automation and automated workflows automatically assign and revoke permissions to SaaS features and data based on employee requests.
They help practice and promote standard operating procedures for security in your organization.
4. Authentication Strategies
Authentication is an essential security control that determines which users are allowed to access a SaaS resource or feature. Set up an authentication strategy by following best practices like:
Admins and other users with privileged access must undergo multi-factor authentication. Follow strong authentication techniques, like issuing FIDO2-compliant hardware keys, to minimize malicious login attempts.
Introduce two-factor authentication for all users wherever possible.
Enforce strong unique passwords and time-based, one-time passwords.
Follow best practices of OAuth 2.0 and OpenID Connect for software systems that talk to SaaS.
Implement single sign-on (SSO) so that the same user identities are used in all company SaaS. This way, your security teams will find it easier to map security events and actions back to people.
Follow zero-trust principles, like monitoring user behavior even after successful authentication.
5. Access Management
Access management is one of the most effective security measures against a variety of cyber threats. It involves actively managing and monitoring the issuance and revocation of permissions to SaaS users. To have secure access management, your organization should follow best practices like:
SaaS users should only get those permissions they need to carry out their jobs productively.
Access policies should be centrally administered using technologies like active directory, role-based access control, and attribute-based access control.
Access management should be integrated with a source of truth for user lists, like your HR management system. That way, access granted to an employee is automatically revoked when they leave your organization.
6. Behavior Monitoring
A user and entity behavior monitoring strategy helps your security teams detect and prevent anomalous actions by your SaaS users and software systems. Anomalous behavior may be an indicator of compromised credentials, malicious insiders, or malware.
At the same time, this strategy should have a clear, manageable way to handle false alarms to avoid alert fatigue in security teams.
7. Information Security
Information security is the biggest concern when using a SaaS. Although the SaaS stores your data, you are responsible for many data security aspects for both data at rest (i.e., data in a stored state) and data in transit (i.e., data that is sent to or fetched from the SaaS).
A robust information security strategy should address the following:
Whether at rest or in transit, all data should be encrypted whenever possible.
Key management strategies should be adopted to administer encryption keys securely.
Customer data access, storage, retention, and deletion should comply with all relevant regulatory standards and local laws.
8. Device Management
For productivity and convenience, many users prefer to use SaaS apps from their personal or company-issued smartphones. This allows insecure and malicious apps to easily coexist on the same devices as where your SaaS client apps and SaaS data reside. Data extraction and breaches are serious cyber threats in such situations.
That’s why smartphones greatly increase the attack surface (i.e., the set of all access points through which cyberattacks can be launched) of your organization.
To combat such risks, your organization should have robust strategies for endpoint protection and threat detection. In addition to technical strategies, people strategies like training and awareness should also be part of your security measures.
9. Secrets Management
SaaS usage involves the use of a large number of secrets like:
Cryptographic key pairs for public-key authentication
OAuth access and refresh tokens for application programming interface (API) access
They should be managed securely to prevent malicious parties from accessing them. Secrets management involves policies like:
Secure encrypted storage of secrets
Secure access to a secret, subject to access control policies
Secure transmission of a secret to the user
Regular rotation of secrets (i.e., changing secrets regularly to prevent the use of old credentials that may have been leaked unintentionally)
10. Policy Enforcement Scaling Strategies
All the strategies above implicitly assume that every SaaS is amenable to them. However, with every organization using about 110 SaaS services on average, the reality is that implementing these strategies effectively and consistently across dozens of diverse SaaS is very difficult.
That’s why you should consider strategies to scale up the enforcement of your security policies as your organization’s SaaS usage grows. You should look into solutions like:
Cloud access security broker (CASB): A CASB is deployed inside your network perimeter as a central gateway for all SaaS access. It can enforce a common set of security policies on all your SaaS usage and API calls before they leave your network.
Cloud security posture management (CSPM): CSPM is a wider strategy that covers everything related to cloud services — including infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), SaaS, and other cloud providers — under a common set of security and compliance policies.
SaaS security posture management: This strategy involves software solutions that have in-depth specialist knowledge about the concepts, vulnerabilities, and threats faced by specific SaaS applications. They enable your security teams to use the expertise of security professionals who have an in-depth understanding of different SaaS applications.
11. Incident Response and Recovery
Despite all these preventive and detective security strategies, you’ll always have at least a slight risk of cyberattacks that can make sensitive data available to malicious parties.
For example, in April 2022, customers of three popular software development SaaS — GitHub, Heroku, and Travis CI — faced supply chain attacks (i.e., attacks that target a SaaS through one of its dependent SaaS) using stolen API credentials. Many companies and individuals who had implicitly trusted their SaaS providers to protect their data and privacy were affected.
As a SaaS scales up its users and features, such threats become inevitable. The wisest strategy is to assume that one or more of your SaaS vendors will be attacked eventually and that you’ll face a data breach, data loss, or worse. You should assume the same about your cloud infrastructure too.
With such a when-not-if mindset, your organization should follow robust procedures for incident response and recovery. Your strategy should include:
Regular data backups for all your SaaS data
Data recovery procedures that are regularly tested
Fallback strategies to serve your customers even while you are under attack
General disaster recovery procedures
ThreatKey Can Help With Securing SaaS Applications
So far, we have seen a variety of strategies for securing SaaS applications. They ensure that all your SaaS usage and data remain secure and protected at all times.
ThreatKey is a company and service that specializes in securing SaaS applications. We support popular services like Google Workspace, Microsoft 365, Salesforce, Box, GitHub, Okta, and Slack.
Our service continuously monitors the configurations and logs of these SaaS applications looking for possible vulnerabilities and misconfigurations. We report them to your security teams and can even automatically remedy them. Try ThreatKey for free.