In recent years we have witnessed the transition of most organizational systems to SaaS or cloud-based platforms. The global market for SaaS solutions is expected to grow nearly 20% a year, reaching $883 billion by 2029. This is truly a new era of information decentralization, differing sharply from the previous era when most organizations stored information in on-prem networks.
While SaaS increases business efficiency, it also represents a significant challenge for CISOs, who now have far less direct control over their organizations’ data. Business information, proprietary information and even employee data now live overwhelmingly in a range of SaaS systems.
A preventative approach is required
At the same time, the CISO is still expected to be in control: when one of the organization’s SaaS providers suffers a breach, management looks to the CISO to take responsibility. Yet once an incident has occurred at a SaaS provider, the CISO’s ability to take direct action is limited. The CISO is left with damage control, crisis management and working out what company information may have been exposed, evaluating the ramifications of any leaked or stolen data, and preparing for possible extortion by the attacker.
In most cases, by the time a cyber incident occurs at a SaaS provider it is already too late to act. CISOs must therefore act beforehand, and proactively.
Vendor risk assessment
Of course it is crucial to confirm that the SaaS provider holds the appropriate security certifications. But this is not enough; it is essential to have a dialogue with the provider to evaluate its security maturity. CISOs need to work with the SaaS company to understand exactly what penetration testing and other proactive testing it has done. A CISO also needs to understand the security inside the cloud company itself, including the background of its employees and who has access, or could gain access, to the physical servers that hold sensitive data. Bad actors inside the company, or employees who lack security training and fall victim to phishing or online extortion that leaks information to an attacker, are a danger that should not be overlooked.
Finally, CISOs should vet the third-party add-ons offered in the provider’s marketplace, which are often neither secured nor tested by the provider.
Keeping track of what information is where, and what to do if there is a breach
Companies need to establish a clear policy for controlling the sensitivity of organizational information. This entails mapping out which information is approved for which SaaS system, taking into account the security maturity of each SaaS provider, and keeping this information map continuously up to date. More than once during a cyber incident, we find that the CIO and CISO do not know in real time what information was in the SaaS infrastructure. Knowing where all information is located is a key component of crisis planning, including plans that allow the business to continue operating during a SaaS data breach.
Configure correctly and monitor closely
CISOs need to remember that the SaaS provider secures its platform, not the customer’s use of it: tenant-side settings such as authentication, sharing and access rights are the organization’s responsibility and must be configured correctly by the organization itself. Even when everything is configured properly, there is still an ongoing need for monitoring, since settings drift and new integrations appear; a CASB system can help with this. API security is critical to protecting sensitive data and systems from unauthorized access, tampering and attack, so any new API connection to a SaaS provider should be examined thoroughly before it goes live.
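As an added illustration of the "configure correctly and monitor closely" point (this is example code written for this page, not a tool or API of any SaaS provider), the following script compares a tenant's exported security settings against a hardened baseline and reviews the API tokens issued to integrations and marketplace add-ons. The settings export, the baseline, the token list and the field names are all constructed assumptions; a real check would read them from the provider's admin API or from a CASB.

```python
"""Added example: baseline check of a SaaS tenant's security settings and its
API integration tokens. All data and field names below are constructed for
illustration and are not any real provider's schema."""
from datetime import datetime, timedelta, timezone

# Hardened baseline the tenant is expected to match (assumed field names).
BASELINE = {
    "mfa_required": True,
    "external_sharing": "allowlisted_domains",  # not "anyone_with_link"
    "session_timeout_minutes": 480,             # treated as an upper bound
    "sso_enforced": True,
    "audit_log_export_enabled": True,
}

# Numeric fields where exceeding the baseline value is the finding.
UPPER_BOUND_FIELDS = {"session_timeout_minutes"}

# Constructed tenant export, as an admin API or CASB might return it.
TENANT_SETTINGS = {
    "mfa_required": False,
    "external_sharing": "anyone_with_link",
    "session_timeout_minutes": 1440,
    "sso_enforced": True,
    "audit_log_export_enabled": True,
}


def audit_settings(settings, baseline=BASELINE):
    """Return (field, expected, actual) for every deviation from the baseline.
    A field missing from the export is reported too: unknown state is a finding."""
    findings = []
    for field, expected in baseline.items():
        if field not in settings:
            findings.append((field, expected, None))
            continue
        actual = settings[field]
        if field in UPPER_BOUND_FIELDS:
            if actual > expected:
                findings.append((field, expected, actual))
        elif actual != expected:
            findings.append((field, expected, actual))
    return findings


# Constructed API tokens held by integrations and add-ons (ISO 8601 timestamps).
API_TOKENS = [
    {"name": "hr-sync", "scopes": ["users:read"],
     "expires": "2026-03-01T00:00:00Z", "last_used": "2025-12-20T09:00:00Z"},
    {"name": "legacy-export", "scopes": ["*"],
     "expires": None, "last_used": "2025-01-05T10:00:00Z"},
    {"name": "marketplace-addon", "scopes": ["files:read", "files:write"],
     "expires": "2026-01-01T00:00:00Z", "last_used": None},
]

MAX_TOKEN_LIFETIME = timedelta(days=365)   # assumed policy limits
UNUSED_AFTER = timedelta(days=90)
NOW = datetime(2025, 12, 31, tzinfo=timezone.utc)  # fixed clock for the example


def _parse(ts):
    """Parse an ISO 8601 UTC timestamp ('Z' suffix) or return None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def audit_api_tokens(tokens, now=NOW):
    """Map token name -> list of issues: no expiry, expiry beyond policy,
    wildcard scope, or no use within UNUSED_AFTER. Clean tokens are omitted."""
    findings = {}
    for t in tokens:
        issues = []
        exp = _parse(t["expires"])
        if exp is None:
            issues.append("no expiry")
        elif exp - now > MAX_TOKEN_LIFETIME:
            issues.append("expiry beyond policy")
        if "*" in t["scopes"]:
            issues.append("wildcard scope")
        used = _parse(t["last_used"])
        if used is None or now - used > UNUSED_AFTER:
            issues.append("unused")
        if issues:
            findings[t["name"]] = issues
    return findings


if __name__ == "__main__":
    for field, expected, actual in audit_settings(TENANT_SETTINGS):
        print(f"settings drift: {field}: expected {expected!r}, found {actual!r}")
    for name, issues in audit_api_tokens(API_TOKENS).items():
        print(f"token {name}: {', '.join(issues)}")
```

Run on a schedule against a fresh export, the settings check catches drift introduced by an administrator after the initial hardening, and the token check surfaces exactly the integrations a CISO should question before an incident: tokens that never expire, tokens with wildcard scope, and add-on tokens that exist but have never been exercised.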
It is recommended that every CISO also carry out intelligence monitoring on the Internet and the DarkNet to detect leaks of the company’s information from the SaaS infrastructures. This will help identify developing events at the SaaS providers, and allow companies to act proactively to contain a potential event.
A wider change is needed
On an industry-wide level, several things also need to change, including re-evaluating the fact that SaaS companies can sell untested third-party add-ons alongside their products. In addition, it is unacceptable today that large SaaS companies holding such sensitive information belonging to many other companies are only required to show a limited level of general compliance, usually at best GDPR and SOC 2 Type II. We need an international policy that obliges companies above a certain size to demonstrate transparently that their security is continuous and proactive.
Sensitive data, customer privacy and business continuity are all at stake here. If CISOs focus on having the appropriate people, processes and technologies to carry out preventative measures, SaaS can be even more of a boost to business.