Enterprises are scrambling to adapt their security programs for the new remote workforce era ushered in by the COVID-19 pandemic. Yet the remote workforce's increasing reliance on SaaS applications -- combined with the dissolving of the network perimeter and ineffectiveness of traditional security mechanisms in the cloud -- creates challenges IT departments often aren't ready to face.
"One day we woke up and 100% of the workforce was remote," said Frank Dickson, program vice president at IDC, commenting that the COVID-19 reality illuminated weak spots in enterprise approaches to SaaS-based applications. "While these trends were happening before, COVID-19 took two years of digital transformation and packed it into two months."
The often easy-to-use, cloud-based applications help bolster communication and collaboration between dispersed employees. For example, popular SaaS applications such as Salesforce enable companies to better target prospective customers and expand sales. Box, another widely used SaaS application, lets users securely share and edit a variety of document types with simple links and URLs, cutting back on emails and correspondence. And, sure, SaaS can spare enterprises from having to purchase, host and maintain on-premises software and infrastructure. But like any growing technology, SaaS introduces concerns that IT admins must address with the right policies, technologies and strategies.
Common SaaS security misconceptions
One of the top security issues with enterprise SaaS use is that subscribers often make the false assumption that encryption and other security capabilities are built into their applications.
"People take for granted the application is secure -- and that's not always the case. The customer is only as secure as the measures taken by that SaaS application," Dickson said.
Some SaaS functions protect users and data, such as data loss prevention (DLP), multifactor authentication (MFA) and identity access management. Other services offer little or no security, requiring the enterprise to implement their own measures.
Dickson pointed to the importance of the shared responsibility model -- a relationship between the provider and subscriber that defines which security aspects the provider is responsible for versus the subscriber. Enterprises should follow this model to securely deploy and manage SaaS, he said, but it is not always well understood.
Doug Cahill, director of cybersecurity at ESG Global, an IT research and strategy firm, echoed the sentiment. "It's different consuming an application as a service rather than when it is on premises," he said. "The third party bears some, but not all, responsibility. The subscriber bears some responsibility in knowing where their responsibility starts, which is confusing for a lot of them." For example, Cahill said, data security is always the subscriber's responsibility. While the cloud provider may provide security controls to do it, ultimately it's up to the subscriber to effectively use those tools.
Best practices to achieve SaaS application security
Once IT and security teams understand their security responsibilities, they can take many actions to better secure their applications. According to Cahill, best practices should start from the ground up with enterprise employees.
Frank DicksonProgram vice president, IDC
"The first best practice is culture," he said. "There needs to be organizational alignment on the needs and risks a SaaS application introduces, as well as a cultural shift where the IT and security teams both understand the need for a business application."
This leads to Cahill's second best practice: policy. Once user needs and the accompanied risks are established, companies must set new security policies and revisit old policies to ensure security for employees and the enterprise.
Enterprises should also focus on implementing technologies, such as MFA and single sign-on, which fall on the shoulders of IT admins.
"If users have to jump through too many hurdles to access the applications they need, it causes problems," Dickson said. "A good user experience is essential, as users must access many different applications multiple times a day in order to do their jobs." A positive user experience can benefit enterprise security, he added. "If security is hard or painful, users won't get their jobs done or be safe, which then puts the rest of the organization at risk," he said.
A glance at the SaaS vendor scene
The vendor market is growing in response to enterprise thirst for more secure SaaS. Cloud access security brokers (CASBs), for example, have become integral to helping SaaS-subscribing enterprises track, inventory and manage cloud application use.
"CASBs will, first and foremost, discover all SaaS applications -- sanctioned and unsanctioned -- and provide a risk rating," Cahill said. "CASBs will go a step further and also provide a level of threat protection and inspect the contents of a cloud."
Cahill and Dickson also noted that a new wave of SaaS security tools is emerging. Both pointed to Google's G Suite, McAfee and Microsoft GeoCloud as the vendors and products to watch. These companies encompass a modern form of security for SaaS applications that involves a converged approach using identity and privilege management, cloud security gateways, secure web gateways, DLP and more. Each vendor differs in how it applies these functionalities and the strength of its offerings. For example, while McAfee combines all these technologies, Symantec has stronger encryption and rights management capabilities, according to IDC market research. Other companies, such as Forcepoint, provide a single console and cloud-enabling in their product portfolios but require companies to integrate DLP tools themselves. The bottom line is that leading vendors use varied approaches in terms of how they are utilizing capabilities to secure SaaS applications. It's also important to note that these products alone are not enough to secure a SaaS-filled enterprise.
"All these technologies are here, but that doesn't necessarily mean they're well-adopted or well-applied," Dickson said. "IT architectures are like oil tankers -- they don't move fast. Digital transformations are large, multi-year initiatives."