The rise of SaaS security teams

In this Help Net Security interview, Hillary Baron, Senior Technical Director for Research at CSA, highlights that the recent surge in organizations establishing dedicated SaaS security teams is driven by significant data breaches involving widely used platforms.

What motivated the recent surge in organizations establishing dedicated SaaS security teams?

We’ve seen some serious data breaches and at the very least the potential for a significant breach in the past year, involving Microsoft 365, Salesforce, and ServiceNow. When data breaches and significant vulnerabilities make headlines, it follows that companies will review their SaaS security posture and make some adjustments, but these cases were especially eye-opening just by virtue of their size and the fact that their software is so ubiquitous across both the public and private sectors. These cases really drove home the point of just how reliant we are on some of these companies, and the unique sets of challenges that come in protecting a SaaS environment at scale.

Companies have also started to realize just how much sensitive data they have housed across disparate — but nevertheless internet-accessible — locations and that they need to double down on their efforts to secure their SaaS apps. All told, I think it’s been a time of awakening, where companies are seeing not just an increase in the number of threats and attack vectors but are recognizing how vulnerable they are. They have begun to understand that not only should they take better control of their own SaaS security but that it’s within their ability.

How is the role of AI and machine learning evolving in the context of SaaS security?

AI and machine learning are certainly playing a growing role within SaaS security especially in the areas of advanced threat detection, automated incident response, and in various predictive capabilities, whether it’s behavioral analysis or threat prediction.

These advancements will help enhance and automate security operations, as well as help integration with other technologies and solutions within an organization’s cloud ecosystem in order to provide greater security, scalability, flexibility, and consistency. In general, AI and ML advancements will help SaaS security to become more intelligent, adaptive, and proactive—all which are crucial for securing dynamic and complex environments.

What best practices would you recommend for organizations setting up dedicated SaaS security teams?

The challenge of securing a SaaS environment demands a multifaceted security strategy and that starts with a strong SaaS security team.

Providing education in line with employee’s job functions is essential. So, for security teams that means ongoing training and professional development opportunities so they are up-to-date on the latest threats and technologies. Training is particularly important when it comes to the tools they’ll be utilizing in order to fully take advantage of the capabilities offered.

A security team is only as good as the tools they are given to work with so companies need to make sure that they’re deploying (and updating) advanced security tools that are tailored to cloud applications.

Teams also need standardized processes for incident response, regular security assessments, and compliance monitoring as an established workflow lends itself to consistency across an organization especially with the diverse nature of the SaaS ecosystem.

While not specific to setting up a security team, once the team is in place zero trust’s principle of “never trust, always verify” will go a long way to strengthening not only a SaaS security posture but that of the entire organization.

And finally, they need to know who all the stakeholders are and have relationships with each of them. SaaS security ownership and responsibility is often distributed so having established relationships with all key stakeholders will be critical for maintaining SaaS security and responding efficiently in the event of an incident.

What are the most common security threats specific to SaaS that these teams have to tackle?

There’s an old movie where a girl is getting threatening phone calls only to learn that “the call is coming from inside the house.” I think this best sums up what we’re seeing in terms of SaaS security threats, meaning that so many of the threats come as a result of what’s going on inside an enterprise’s SaaS environment.

Each application comes with its own security structure and terminology and security teams are having to deal with everything from intricate user permission entitlements, extensive configurations, and vast user bases. It goes beyond the apps themselves, as security teams also need to deal with involvement from multiple departments and stakeholders – everyone from their own security team and product sales to HR and legal.

All of these introduce inconsistency and potential security gaps that allow threat actors to gain entry and leverage these backdoors to their own advantage. Our survey found that the most common security incidents reported were data breaches (52%) and data leakage (50%), followed by unauthorized access (44%) and malicious applications (38%).

And the problems are only compounded in the wake of a merger. Fifty-five percent of respondents said that they found post M&A SaaS security to be particularly troublesome and pointed to disparate security policies, the harmonization of user permissions, and ensuring regulatory compliance across various SaaS applications as especially problematic. When it comes down to it, the SaaS environments are complex to manage and much of what we’re seeing with security threats is a direct reflection of that complexity.

What lessons can be learned from recent high-profile SaaS security breaches?

The recent spate of high-profile SaaS security breaches really served to highlight the unique vulnerabilities and challenges posed by SaaS environments. To mitigate the risk of a breach, organizations are encouraged to do the following:

• Review and update security settings often.
• Apply the principles of zero trust to ensure that users have only the permissions they need to do their job.
• Employ strong authentication and authorization mechanisms to ensure that people are who they say they are and that only those who need access are granted it.
• Conduct regular security audits to ensure security compliance and to identify vulnerabilities
• Provide user training to improve security awareness and adherence to best practices, as well as improve consistency. SaaS security falls on all users.
• Develop an incident response plan and perform test runs so teams are able to rapidly respond to breaches, reduce the potential damage and recover time.

What skills would you recommend for security professionals specializing in SaaS security?>

I think the most important skill for someone looking to specialize in SaaS security is a desire to keep learning and, above all, be flexible. In terms of practical skills, it helps to have an understanding of SaaS architecture, obviously, along with a solid foundation in cloud security, IAM, and data security.

Beyond the technical aspects, it’s important that people stay abreast of the latest security trends and threats and relevant regulatory and compliance requirements for their industry. This space is constantly changing and evolving so security professionals in SaaS need to continuously learn and adapt their strategies accordingly.

It’s also vital that they be able to communicate well and work with very different groups of people given the number of people from whom they need buy-in when working to create a security culture within an organization. Many of the people SaaS security professionals will be working with are not security experts – departments like IT, legal, HR, marketing – they’ll need to do a lot of educating about security best practices to foster a security minded culture within their organization.