What to consider when creating a SaaS security strategy

SaaS security -- meaning the protection of SaaS applications, not the delivery of security capabilities from the cloud -- is not a new discipline. Cloud access security brokers came into existence more than a decade ago to help organizations track the usage of, control access to and secure the data resident inside applications.

As the SaaS environment has expanded, however, enterprise SaaS security needs have changed. SaaS security was originally driven by compliance, but now, the primary motivation for many organizations is security.

Now, protecting applications from malware and ransomware is a critical capability for SaaS security. Identifying and remediating misconfigurations, such as weak or default password use, excessive user permissions and outdated authorization, are also important to avoid giving attackers an easy path to victory.

Yet, many security teams don't realize the scope of the issue. Unsanctioned applications result in blind spots, and the interconnectedness of SaaS applications with third-party extensions and other applications further obfuscates the scope of an organization's SaaS footprint and risk exposure.

From a product perspective, there is good news and bad news. In the positive column, an abundance of tools are available that address these SaaS security issues. Cloud access security brokers, SaaS security posture management, enterprise browsers, security service edge and Secure Access Service Edge all are worth considering.

The bad news is that, due to the abundance of SaaS security tools, organizations could struggle to figure out which ones to adopt.

While there is no single answer -- and security leaders must decide a course of action based on their use cases -- the following are attributes that should be prioritized when adopting SaaS security products:

1. Visibility is the underpinning of any SaaS security tool. Insight into sanctioned and unsanctioned application usage, the third-party extensions connected via APIs, the data being accessed and what users do within the application are all necessary. This enables teams to craft specific policies to control use, limit insider risk and protect the applications themselves.
2. Flexible workflows enable security teams to efficiently collaborate with distributed application owners without creating an undue burden. Cybersecurity historically falls short in enabling effective coordination between security and line-of-business teams. This is especially true within SaaS security. Tools that make it easy for security teams to clearly assign tasks to application owners, and even automate some actions, help alleviate this burden.
3. Transparent UX is paramount. Ultimately, security teams must protect the organization, while enabling the business. Products that inhibit employees from being productive, rather than securely enabling them, are a difficult sell in the modern enterprise.

By prioritizing these attributes, security leaders can give themselves a head start as they create and implement a SaaS security strategy and find the right tools for it.

Editor's note: Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.