Most organisations have already initiated their journey towards the cloud. If this is you, or you’re evaluating the transformation, today you’ll learn:
1. How to determine which SaaS services you are currently using, or will use,
2. What data is sent to the cloud in the operation of your business, and
3. How to know whether your cloud environment has been properly configured.
In covering the first point, you should develop a comprehensive list of cloud and SaaS services that you’re currently subscribed to. Some common ones are listed below:
• Microsoft Office 365 or G-Suite for daily operational activities
• Xero for accounting and finance
• Jira for project management
• Salesforce, Zoho, Pipedrive or HubSpot for your CRM
• Workday for HR information
• GitHub as a source code repository for developers
• Slack for instant messaging
• Okta for Identity and Access Management
Once this has been done, it’s time to cover the second point laid out above: building out an inventory of the data that each of those hosted SaaS solutions receives. For every service you’ll need to understand what kind of data is being sent to it, and how sensitive and confidential that data is, for example:
• Personally identifiable information (PII) stored in your CRM
• Your employees’ medical information stored in your HR program
• Proprietary software code stored in repositories like GitHub
Since this type of information is usually placed in a SaaS environment by specific individuals in the company, those individuals, as the data owners, have a responsibility to keep it secure and to ensure that it doesn’t fall into the wrong hands.
Which brings us to our third and final point…
In order to ensure that a SaaS product has been securely configured, four main capabilities should be thoroughly considered:
1. Detection of account compromise: through this capability, you must be able to monitor user activity and ingest log data from the SaaS provider, so that anomalous behaviour, such as one account logging in from rapidly changing IP addresses or countries within the application, can be spotted.
2. Detection times and response capabilities: assuming that an account has been compromised because its login credential has been posted on the dark web, the threat actor’s next step is to use it, for instance to access a sensitive file or folder. The SaaS solution you’re reviewing should have a clear approach to both detection and response: how quickly suspicious activity is surfaced, whether audit logs can be exported to your own monitoring, and what you can do (revoke sessions, reset credentials, restrict sharing) once an incident is confirmed.
3. Configuration and compliance capabilities: a substantial number of data breaches occur because a SaaS or cloud service was misconfigured, or was never checked against a specific standard. For instance, organisations have repeatedly exposed sensitive data through misconfigured Amazon S3 storage, typically a bucket left readable by anyone on the internet. Carefully defining the controls you require, and checking each service against them, helps to prevent these occurrences.
4. Access and privilege management capability: for critical business applications you’ll usually need to enforce least privilege, limiting the harm that any one account (or whoever has stolen it) can cause. The practical way to achieve this is to control access via your Single Sign-On (SSO) solution, so that accounts are provisioned and revoked centrally and application roles follow your identity provider’s groups. Bear in mind, however, that not all SaaS providers offer this integration, and some only offer it on higher-priced plans.
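To make the first two capabilities concrete, here is an added example (not code from the original article, nor from any SaaS vendor) of the kind of detection you would run over an exported audit log: it flags an account whose consecutive logins come from different IP addresses within a short window, rates the alert higher when the country changes too, and then lists what the suspect IP did with the account afterwards, which is the scoping information a responder needs. The log format, field names and events are constructed assumptions; real providers export their own schemas, so the parser is the part you would adapt.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit-log export, one JSON event per line. This is not
# real data from any SaaS provider; the field names are an assumption, and
# the IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:12Z", "user": "alice@example.com", "event": "login", "ip": "203.0.113.10", "country": "AU"}
{"ts": "2024-03-01T08:05:40Z", "user": "alice@example.com", "event": "file.download", "ip": "203.0.113.10", "country": "AU"}
{"ts": "2024-03-01T08:21:03Z", "user": "alice@example.com", "event": "login", "ip": "198.51.100.77", "country": "RU"}
{"ts": "2024-03-01T08:22:15Z", "user": "alice@example.com", "event": "file.download", "ip": "198.51.100.77", "country": "RU"}
{"ts": "2024-03-01T08:23:40Z", "user": "alice@example.com", "event": "share.external", "ip": "198.51.100.77", "country": "RU"}
{"ts": "2024-03-01T09:00:00Z", "user": "bob@example.com", "event": "login", "ip": "192.0.2.5", "country": "AU"}
{"ts": "2024-03-01T17:30:00Z", "user": "bob@example.com", "event": "login", "ip": "192.0.2.9", "country": "AU"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_ip_switches(events, window_minutes=60):
    """Flag users whose consecutive logins come from different IPs within the window.
    A change of country on top of the IP change is rated high severity."""
    window = timedelta(minutes=window_minutes)
    last_login = {}
    alerts = []
    for rec in events:
        if rec["event"] != "login":
            continue
        prev = last_login.get(rec["user"])
        if prev and prev["ip"] != rec["ip"] and rec["ts"] - prev["ts"] <= window:
            alerts.append({
                "user": rec["user"],
                "from_ip": prev["ip"],
                "to_ip": rec["ip"],
                "login_ts": rec["ts"],
                "seconds_apart": int((rec["ts"] - prev["ts"]).total_seconds()),
                "severity": "high" if prev["country"] != rec["country"] else "medium",
            })
        last_login[rec["user"]] = rec
    return alerts


def actions_after(events, alert):
    """Everything the suspect IP did with the account after the flagged login.
    This is the list an incident responder needs in order to scope the damage."""
    return [
        rec["event"]
        for rec in events
        if rec["user"] == alert["user"]
        and rec["ip"] == alert["to_ip"]
        and rec["ts"] >= alert["login_ts"]
        and rec["event"] != "login"
    ]


def analyse(text, window_minutes=60):
    """Run the detection over a log export and attach follow-on actions to each alert."""
    events = parse_events(text)
    alerts = find_ip_switches(events, window_minutes)
    for alert in alerts:
        alert["actions"] = actions_after(events, alert)
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"{alert['severity'].upper()}: {alert['user']} logged in from {alert['to_ip']} "
              f"{alert['seconds_apart']}s after {alert['from_ip']}; then: {', '.join(alert['actions'])}")
```

On the sample data only alice is flagged: a second login from a different IP and country 21 minutes after the first, followed by a download and an external share from the new address. Bob’s two logins are from different addresses too, but eight and a half hours apart, so they only appear if the window is widened. The window is the knob to tune against your own users’ habits (VPNs and mobile networks change addresses legitimately), and the point of exporting the provider’s logs is that you, not the vendor, decide that threshold.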
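For the third capability, the S3 case in particular, the following is an added example (not code from the original article or from AWS) of turning "carefully defined required controls" into a check you can run against a bucket policy document: the weak policy grants read access to everyone, the corrected policy restricts it to one IAM role and refuses plaintext HTTP. The bucket name, role name and account ID are placeholders, and the two controls checked (no unconditional public grant, and a Deny on aws:SecureTransport=false) are assumptions about what your standard requires; add your own.

```python
import json

# Constructed example of a bucket policy that leaves every object world-readable.
# Bucket name and account ID are placeholders, not a real deployment.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
})

# Constructed corrected policy: only one IAM role may read, and plaintext HTTP is denied.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReportsRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/reports-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-reports/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _statements(policy_json):
    """Normalise the Statement element, which may be a single object or a list."""
    stmts = json.loads(policy_json).get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def _is_anonymous(principal):
    """True for the forms of Principal that mean 'anyone', authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def find_public_grants(policy_json):
    """Sids of Allow statements open to anyone, with no Condition narrowing them."""
    findings = []
    for i, st in enumerate(_statements(policy_json)):
        if (st.get("Effect") == "Allow"
                and _is_anonymous(st.get("Principal"))
                and not st.get("Condition")):
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings


def enforces_tls(policy_json):
    """True if some Deny statement refuses requests made without TLS."""
    for st in _statements(policy_json):
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def evaluate(policy_json):
    """Check a policy against the two required controls and report the gaps."""
    gaps = []
    public = find_public_grants(policy_json)
    if public:
        gaps.append("public access granted by: " + ", ".join(public))
    if not enforces_tls(policy_json):
        gaps.append("no Deny on aws:SecureTransport=false")
    return gaps


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "->", evaluate(policy) or "compliant")
```

A bucket policy is only one layer. Amazon’s S3 Block Public Access setting, applied at the account level, overrides public grants in both bucket policies and ACLs, and is the control to require first; a policy check like the one above then covers what that setting does not, such as the transport requirement, and gives you something to run on every bucket rather than relying on whoever configured it.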
By implementing the steps above, you’ll be well on your way to improving the security of your SaaS services.
Thanks for reading!
Should you require any assistance, or are interested in an expedited path toward achieving cloud security, Rezilens offers a comprehensive Cloud Security Maturity assessment within our GRC platform. Feel free to get in touch to learn more.