26 November 2021
Organisations have been consuming SaaS applications to a level rapidly approaching 70% of their application estate, a tenfold increase in the last five years. Many of these applications may not be considered business-critical, but have you considered what company data they hold, and how? Oversight of these apps from a risk and security perspective has often not kept pace with their uptake.
Third-Party Risk Management (TPRM) and due diligence processes may cover the vendor's risk profile and SOC 2 compliance, but are your organisation's own security control requirements being fulfilled too?
Security teams are challenged to ensure that security control policies are fully applied to these apps, the majority of which are operated by third parties. But can you be sure that the third party follows best practice in its security approach? Has a default setting been left unchanged, or is a simple misconfiguration going to lead to an unforeseen breach?
Even when a SaaS app is expected to need minimal maintenance, will your app owner keep pace with newly released features and make sure the infosec team is informed of any change in service provision?
Therefore, greater attention is required after vendor on-boarding is complete, with the GRC team working with the security team(s) to ensure that security controls are not only set at the outset but regularly reviewed and continually reassessed, using a SaaS Security Posture Management approach.
Risk and security teams should examine their TPRM approach, step beyond a "point in time" assessment, and look deeper into the problem through continual analysis.
And there are a few more things to consider:
You may already have a CASB solution, but is the process robust enough to highlight shadow IT deployments, or to monitor potential data loss?
Are the security controls available in every SaaS application fully configured?
Is MFA enforced on every account?
Can you detect when security controls drift from their intended state?
SaaS Security Posture Management (SSPM) may be your next security management product choice. But have you considered your current processes, looked at your risk and security team roles, and at least started with a minimum set of security controls for every SaaS app, so that you have an accurate understanding of where your security blind spots are?
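As an added example (not code from this article or from KA2), the following Python script shows one way to turn the "minimum set of security controls" and "are controls drifting" questions above into something that can run on a schedule: a baseline of controls every app must meet, a posture check of each app's exported settings against that baseline, and a comparison of two snapshots that reports only the controls that have newly stopped complying. The setting names, thresholds and sample exports are constructed assumptions for illustration; in practice the equivalent values would be pulled from each vendor's admin API.

```python
"""Minimum-control baseline check and drift detection for SaaS app settings.

Added example, not from the original article. It assumes each SaaS app's
security settings can be exported into a flat dict of setting name -> value
(for instance via the vendor's admin API). The control names, thresholds and
sample snapshots below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Minimum control set every SaaS app must satisfy (assumed names/thresholds).
# Each entry maps a setting name to (predicate on exported value, expectation).
BASELINE: Dict[str, Tuple[Callable[[Any], bool], str]] = {
    "mfa_enforced": (lambda v: v is True, "MFA enforced for all users"),
    "sso_required": (lambda v: v is True, "SSO required; local passwords disabled"),
    "session_timeout_minutes": (lambda v: isinstance(v, int) and v <= 480,
                                "session timeout of 8 hours or less"),
    "public_link_sharing": (lambda v: v == "disabled",
                            "anonymous/public link sharing disabled"),
    "audit_log_retention_days": (lambda v: isinstance(v, int) and v >= 365,
                                 "audit logs retained for at least one year"),
    "api_tokens_expire": (lambda v: v is True, "API tokens have an expiry"),
}

NOT_REPORTED = "<not reported>"


@dataclass(frozen=True)
class Finding:
    app: str
    control: str
    expected: str
    actual: Any


def check_posture(app: str, settings: Dict[str, Any]) -> List[Finding]:
    """Return one Finding per baseline control the app fails or does not export.

    A setting that is absent from the export is treated as a failure: an
    unverified control is exactly the kind of blind spot the article warns about.
    """
    findings: List[Finding] = []
    for control, (passes, expected) in BASELINE.items():
        if control not in settings:
            findings.append(Finding(app, control, expected, NOT_REPORTED))
        elif not passes(settings[control]):
            findings.append(Finding(app, control, expected, settings[control]))
    return findings


def detect_drift(app: str, previous: Dict[str, Any],
                 current: Dict[str, Any]) -> List[Finding]:
    """Report controls that met the baseline in `previous` but fail in `current`.

    Controls that were already failing are not drift; they are still listed by
    check_posture and should be tracked as open findings rather than re-alerted.
    """
    failed_before = {f.control for f in check_posture(app, previous)}
    return [f for f in check_posture(app, current) if f.control not in failed_before]


def drift_report(before: Dict[str, Dict[str, Any]],
                 after: Dict[str, Dict[str, Any]]) -> Dict[str, List[Finding]]:
    """Run drift detection across a whole estate snapshot.

    An app that appears only in `after` (newly onboarded, or newly discovered
    shadow IT) has no previous state, so its full set of failures is reported.
    """
    report: Dict[str, List[Finding]] = {}
    for app, current in after.items():
        previous = before.get(app)
        if previous is None:
            report[app] = check_posture(app, current)
        else:
            report[app] = detect_drift(app, previous, current)
    return report


# Constructed sample exports (not real vendor data): day 0 and 30 days later.
SNAPSHOT_DAY0 = {
    "crm-app": {"mfa_enforced": True, "sso_required": True,
                "session_timeout_minutes": 240, "public_link_sharing": "disabled",
                "audit_log_retention_days": 730, "api_tokens_expire": True},
    # file-share was onboarded with public sharing left at its default and
    # does not expose a token-expiry setting at all.
    "file-share": {"mfa_enforced": True, "sso_required": True,
                   "session_timeout_minutes": 240, "public_link_sharing": "enabled",
                   "audit_log_retention_days": 400},
}
SNAPSHOT_DAY30 = {
    # An admin relaxed MFA on the CRM app after a feature release.
    "crm-app": {**SNAPSHOT_DAY0["crm-app"], "mfa_enforced": False},
    # A plan change on file-share silently cut audit log retention.
    "file-share": {**SNAPSHOT_DAY0["file-share"], "audit_log_retention_days": 90},
}

if __name__ == "__main__":
    for app, settings in SNAPSHOT_DAY0.items():
        for f in check_posture(app, settings):
            print(f"[baseline] {f.app}: {f.control} = {f.actual!r}, expected {f.expected}")
    for app, findings in drift_report(SNAPSHOT_DAY0, SNAPSHOT_DAY30).items():
        for f in findings:
            print(f"[drift] {f.app}: {f.control} now {f.actual!r}, expected {f.expected}")
```

Two design choices matter here. First, a control the vendor does not export is counted as failing rather than skipped, because "cannot verify" is the blind spot the article describes. Second, drift is reported only for controls that previously complied, so a scheduled run produces a short, actionable list instead of re-raising known gaps, while those gaps stay visible in the full baseline check.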
Justin Gibbs – Head Of Cyber Security at KA2 Limited
For a more detailed understanding of this problem and how KA2 can help you to resolve it, please contact one of our domain experts.