Why your SaaS configurations are putting you at risk
Software as a service (SaaS) has become critical to business operations, but the wrong configurations are leading to an increase in cyber risk.
In fact, SaaS misconfigurations may be responsible for up to 63% of security incidents, and 43% of organizations have dealt with one or more such incidents caused by SaaS misconfigurations, according to a recent survey by the Cloud Security Alliance (CSA).
Here's what you need to know about how to protect your organization.
Leading causes of SaaS misconfigurations
The two main causes of SaaS misconfiguration that can lead to security incidents are too many departments having access to the SaaS security settings (35%) and a lack of visibility into changes in the SaaS security settings (34%), the survey said.
"There are too many hands in the cookie jar," said Hillary Baron, senior technical director of research at CSA and one of the authors of the report. "Many times there are valid reasons for many departments to have access, but there also has to be a mechanism to provide visibility to the security department, because you can't protect what you can't see."
Jason Madigan, chief technologist for Booz Allen’s commercial cloud security and DevSecOps, said another leading cause for SaaS misconfiguration is the lack of training about how to configure the product.
"Specifically, organizations want to implement a new SaaS offering, but they don't have the expertise in-house and they don't hire and train appropriately," he said. "Further, the training is typically around a simple certification and does not always convey the details of an implementation that only experience brings."
You should focus on these settings
Although there are a number of settings enterprises should check to ensure that their SaaS apps are secure, at a minimum they should check sensitive data protection, encryption, admin privileges, and reporting rights, according to Andras Cser, an analyst at Forrester Research.
While the cause of misconfigurations will vary depending on the type of SaaS applications organizations are running, in general firms should focus on access, said Mike Rothman, president of Securosis, an information security research and advisory firm.
"Who can get in, and what can they do?" he said. "That's going to be a majority of your problems, managing entitlements from that standpoint."
Companies need to ensure that they don't have overly permissive access rules and that the individuals allowed to connect don't have too many privileges within an application, he said.
It's also important for organizations to implement identity and access management correctly, paying particular attention to any third parties that can access the SaaS systems via API tokens, said Madigan.
Work with your SaaS vendors
Additionally, enterprises need to ensure that their SaaS providers have the same security rigor as they do, said Ali Davachi, the founder of Realware, an IT services and consulting company.
"If you have to comply with HIPAA or SOX, whatever your security threshold is, you should never go down to meet your SaaS provider," he said. "You should make them come up to meet you, so you're not adding any further risk to your business." This isn't a technical problem, he added; "it's a governance, compliance, and risk problem."
Manual remediation leaves organizations exposed
Companies that manually monitor and remediate their SaaS security settings leave the business vulnerable, according to the CSA survey.
"Manual checks take a long time," CSA's Baron said. "So if [companies] check all their security settings for misconfigurations every month, it's extremely time-consuming."
And once the security teams find a misconfiguration, it takes them additional time to remediate it, she said. About one in four take a week or longer to manually resolve a misconfiguration, which leaves organizations vulnerable.
Also, manually checking configurations is limited to a point-in-time view of the services and also introduces the potential for human error, according to Booz Allen Hamilton's Madigan.
"Continual configuration scanning of products is required to understand the current attack surface state at all times," he said. This provides insight into configuration changes and provides near-real-time alerting around critical configuration implementations that cause software to become insecure, he added.
Quickly detecting, understanding, and remediating these configuration drifts can reduce the ability of an attacker to take advantage of the weakness that was created, Madigan said.
"Further, many SaaS platforms allow for configuration as code, and many of the tools that supply real-time scanning of live configurations have components that can integrate into the developer workflow," he said. "This can prevent vulnerable configurations from ever reaching production as well as help to educate engineers on the platform."
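As an added illustration of the continual scanning and drift detection Madigan describes (example code, not from the CSA survey or any vendor's SSPM product): a small policy-as-code check that compares a constructed, security-approved baseline of SaaS tenant settings with a constructed current snapshot and reports drift in the areas the article singles out, namely access toggles, admin privileges and third-party API tokens. All setting names, accounts, scopes and thresholds are assumed for the example.

```python
from dataclasses import dataclass

# Security-approved baseline of tenant settings (constructed values, not a real tenant).
BASELINE = {
    "mfa_required": True,
    "public_link_sharing": False,
    "encryption_at_rest": True,
    "admin_users": ["alice@example.com", "bob@example.com"],
    "api_tokens": {"ci-bot": {"scopes": ["read"], "age_days": 30}},
}
# Snapshot as it would be pulled from the vendor's admin API (constructed; contains drift).
CURRENT = {
    "mfa_required": False,
    "public_link_sharing": True,
    "encryption_at_rest": True,
    "admin_users": ["alice@example.com", "bob@example.com",
                    "carol@example.com", "dave@example.com"],
    "api_tokens": {"ci-bot": {"scopes": ["read", "admin"], "age_days": 30},
                   "vendor-x": {"scopes": ["read"], "age_days": 400}},
}

@dataclass
class Finding:
    setting: str
    severity: str
    detail: str

def check_drift(baseline, current, max_admins=3, max_token_age_days=365):
    findings = []
    # 1. Security toggles that drifted from the approved baseline.
    for key in ("mfa_required", "public_link_sharing", "encryption_at_rest"):
        if current.get(key) != baseline[key]:
            findings.append(Finding(key, "high", f"expected {baseline[key]}, found {current.get(key)}"))
    # 2. Admin privileges: admins added since the baseline, and too many admins overall.
    new_admins = sorted(set(current["admin_users"]) - set(baseline["admin_users"]))
    if new_admins:
        findings.append(Finding("admin_users", "medium", "new admins: " + ", ".join(new_admins)))
    if len(current["admin_users"]) > max_admins:
        findings.append(Finding("admin_users", "medium", f"{len(current['admin_users'])} admins exceeds {max_admins}"))
    # 3. Third-party API tokens: unknown tokens, scope escalation, stale tokens.
    for name, tok in current["api_tokens"].items():
        base = baseline["api_tokens"].get(name)
        if base is None:
            findings.append(Finding(f"api_tokens.{name}", "medium", "token not in baseline"))
        elif set(tok["scopes"]) - set(base["scopes"]):
            findings.append(Finding(f"api_tokens.{name}", "high", f"scopes escalated to {tok['scopes']}"))
        if tok["age_days"] > max_token_age_days:
            findings.append(Finding(f"api_tokens.{name}", "low", f"token is {tok['age_days']} days old"))
    return findings
```

Run on a schedule or from a webhook on each settings change, the returned findings are what an SSPM tool would raise as near-real-time alerts; the same check can gate a configuration-as-code pull request before the change reaches production.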
The biggest problem with manual detection is the human being, according to Realware's Davachi.
"We try to build policies, we try to train, we try to do all these things, but everybody makes mistakes," he said. "Even the best, most hardened security people make mistakes." So with manual detection and remediation, assumptions start to creep into the process, and "once assumptions start to creep into the process, you're opening the door for the oversight to not be as rigorous as it should be."
'Automate or die'
To prevent security incidents due to SaaS misconfigurations, organizations must explore automation and other tools to shorten the timeline needed to detect and remediate SaaS misconfigurations, according to the CSA survey.
Organizations that use SaaS security posture management (SSPM) tools, for example, can detect and remediate their SaaS misconfigurations much faster than doing it manually, according to CSA's Baron.
Most of the organizations (78%) using SSPM tools checked their SaaS security configurations weekly or more frequently, the survey said. Of the organizations not using SSPM tools, only 45% were able to check weekly or more regularly.
"When resolving the misconfigurations, 73% of organizations using an SSPM resolved it within a day, and 81% resolved it within the week," according to the survey. Of organizations that don't use an SSPM, only 36% resolved the misconfiguration within a day and 61% resolved it within a week.
This information indicates that SSPM users reduce the time their companies are exposed and likely to experience security breaches, according to the survey.
Companies should centralize authentication and authorization to as few services as possible, Booz Allen Hamilton's Madigan said.
Forrester's Cser agreed that automation is crucial to addressing SaaS misconfigurations.
"Automate or die," Cser said. "You can't manage this on an Excel spreadsheet or manually. You have to use periodic checks of SaaS configurations, prevent drifts, and combine policies with access patterns to defend against threats—continually."