Securing enterprises while using SaaS applications

SaaS applications are becoming a reality with Cloud-first policy and the ease and convenience of deploying new applications. According to Gartner, more than 50% new software purchases are likely to be via SaaS and new models of purchase. But this is giving rise to increasing security challenges as businesses take the initiative directly without consulting IT.

So can IT proactively engage with the organization to participate, prevent and safeguard from new risks? As I see it, IT led by the CISO can manage the challenge of shadow IT with a three-pronged approach: educate users; establish processes for procurement and deploy technology to secure the organization.

Educating Line of Business: Often businesses are not aware of the security risks of buying application directly and IT must take the initiative to educate businesses about the associated risks. While doing this, it is important to understand the buyer/business perspective.

For instance, buying experience in SaaS is completely different from traditional software wherein SaaS allows free trails and pricing is readily available. Therefore, business managers feel IT managers can be eliminated from the buying process. This also means that while the business head may be the buying decision maker, the person who evaluates SaaS maybe someone else.

Therefore, IT initiative to reach out to business users must be enterprise-wide—encompassing all levels of employees—explaining the nuances of security, performance challenges arising out of compatibility issues and integration challenges.

Establishing Process and Control:  IT must have a collaborative approach to win over Line of Business managers by providing the right information to empower businesses to make the right decisions.

There must be established processes to involve IT in buying decisions from evaluation stage to assess security risks including where the service is hosted, who the infrastructure service provider is; what kind of access will be required to enterprise resources; and what kind of IT support is needed.

Often businesses end up buying overlapping applications and services creating a SaaS sprawl, which increases security risks. However, by involving IT early via established processes, this can be eliminated. Sometimes an existing SaaS application may require minor modification or extensive customization to meet the needs of business in which case IT will need to take a call collaboratively with business after evaluating internal capabilities.

Ideally, SaaS applications must have integrations with HR to ensure employees who leave the organizations do not have access to the SaaS application.

Technology Intervention: Once buying decisions have been collaboratively made, IT must ensure that SaaS is securely deployed in the organization. This means assessing the criticality of data stored in the Cloud, who is accessing what kind of data and what kind of controls are put in place.

Using a Cloud Access Security broker (CASB), IT will be able to monitor all activities and enforce security policies including securing data on personal devices, limiting external sharing, detecting and preventing Cloud malware. A robust CASB solution can mitigate both internal and external threats by restricting data access and track and monitor behavior of users.

Increasingly, best-in-class enterprises are relying on zero-trust architecture to secure SaaS applications. This means every request by any user or machine is properly authenticated, authorized and encrypted. It calls for strong configuration of identity and access management; enforcing permission, authorization and privilege access rigorously to deliver granular access to resources while ensuring visibility and transparency.

As corporate networks extend beyond the firewall, IT is increasingly challenged to evolve and claim its status as the custodian of organizational security. To do this, IT must be allowed to lead the CISO office to engage proactively with business and become a partner in achieving business objectives while meeting security goals of the organization.

The author is CISO at Max Life Insurance Co

Sneaker