Finger touching tablet showing SaaS and information assets

This is What We Mean by Protecting Crown Jewels

The SaaS revolution has upgraded enterprise data goldmines to platinum, and the security leaders charged with protecting them have never been more worried about data loss risk. Digital migration is also redefining the scope of information warranting protection. Our reliance on SaaS across every facet of contemporary business operations–sales & marketing, R&D, customer support, finance, legal, HR, etc–has extended accessibility to nearly all enterprise resources. The migration to more collaborative SaaS platforms, meaning that legacy on-prem products are now available on the cloud, increases their exposure and has dramatically impacted their oversight and management.

It is critical to properly acknowledge this shift to mitigate the full extent of risk this represents; Specifically, the increased value of data itself as well as the variety of organizational resources made available via SaaS, which we accordingly argue should be referred to as “assets”. In short, SaaS is no longer the “USB in the cloud” for data exfiltration. It is an extension to our self-hosted infrastructure, and we should treat it as such. To appreciate just how valuable enterprise assets have now become, consider the following examples:

Production assets

CI/CD platforms are tools that help development teams rapidly release code by automating build, test and deployment processes. CI/CD SaaS platforms are commonly leveraged by enterprise R&D departments to increase development velocity. They are markedly faster than attempting to manage CI/CD agents and environments on-premise. Common CI/CD platforms include CircleCI, Jenkins, GitLab and Bitbucket.

CI/CD platforms have access to a wide range of company assets, such as cloud resources, 3rd party integrations (Slack, Sentry, etc) and production environments. The latter point of accessibility is most unsettling. It means that a rogue ex-employee can access production servers and harm enterprise environments if they aren’t offboarded correctly.

Source code assets

Every company’s source code is managed by a version control platform to enable teams from all over the world to collaborate in harmony. They not only have access to the source code itself but often save it on their own servers.

Such solutions have tripled source code exposure over the last quarter alone, and will continue to do so as we adopt unsupervised external services that require access to our assets. This is causing enterprises undue strain. Consider Mercedes-Benz or CodeCov’s massive code leaks via unsecured Git web portals. Moreover, just as with CI/CD Saas solutions, source code SaaS runs the same risks from disgruntled, or simply careless employees.

Sales & marketing assets

Sales & Marketing (S&M) are two major pioneers of today’s “SaaS sprawl”. CRMs and marketing flows have generated the need for thousands of tools and solutions across all aspects of the sales and marketing process. Most of them are available via one-click accessibility.

Many record and transcribe sales calls, generating actionable analysis and insights on later pitching. Arguably, these customer conversations and client lists are some of the most sensitive business assets SaaS can reach. Security leaders must also worry about S&M SaaS compliance, which is often lacking and exposes enterprises to GDPR and CCPA violations. Consider Volkswagen’s scandalous leak caused by a third-party sales vendor, which impacted 3.3 million customers.

Customer communications tools

Customer support tickets and system updates are also managed today through SaaS tools. This includes  solutions used to streamline and manage communications with customers and platform users. Customer-facing SaaS platforms are typically  accessed by sales, support and R&D departments. They often hold customer email addresses, previously sent emails and other sensitive information.

These assets are as important to revenue retention and growth as they are to a company’s overall reputation. And they can be put at risk by something as innocuous as an accidentally-sent test email to entire customer bases. Many security teams do not fully appreciate how common these mistakes are and just how harmful they can be. Thankfully,  simple periodical recertification can dramatically reduce the risk of a rogue user causing damage.

General and administrative assets

Administrative assets touch multiple sensitive points of enterprise operations, including HR, finance, business operations and legal. They are widely used to manage employee information, recruitments, salaries and options, legal files and contracts.

Administrative assets are often overlooked by security due to their less technical nature. However, these are perfect access points for corporate espionage and theft, and  data breaches across these fields can cause a great deal of damage. Consider how much access to customer contracts and information is readily available to company salesforces, or how much information about employee salaries and other HR-related material are currently stored in company systems.

Appreciating the full scope of digitized enterprise assets

If the SaaS revolution has not spared any aspect of enterprise operations, neither can our security considerations. Enterprise data and resources, better referred to collectively as assets, has become far too valuable. The only way forward is to properly know, understand and track what kind of access the SaaS solutions we leverage have to our data assets.

Reliance on #SaaS across every facet of business operations has extended accessibility to nearly all enterprise resources. It is critical to properly acknowledge this shift to mitigate the full extent of risk this represents. #cybersecurity #respectdataClick to Tweet

Every organization should be responsible for knowing who can access which assets, fully govern accessibility to them and prevent past employees from using them. As more of these assets are migrated from on-premise IT-managed solutions to SaaS platforms, it is critical to recall just how few of them have true SSO support. Only then will IT and security teams be able to sufficiently manage the security and compliance of these crown jewels.

 

R&D Team Leader at Grip Security