For years, just about every update of consumer cloud applications would include new features that the user could configure around their personal taste, convenience, and preferred uses. Over time, and with increasing features and capabilities, what had begun as an application’s simple settings, was replaced by a proliferation of tabs, cascading drop-down menus, banners, breadcrumbs, hyperlinks, bookmarks, and more, creating a world of choices and individual styles. With the flexibility to tailor the applications, no two instances looked or worked in quite the same way. It was a pattern of burgeoning options that we experience today in business-critical SaaS applications, although often on a much grander scale.
In principle, having flexibility is appealing. In practice, it can be daunting. Many of the choices require in-depth knowledge of the features and detailed investigation to understand its impact fully. The challenge becomes exponentially more complicated as you manage an increasing number of applications, each bristling with its own set of options and configurations. In all too many cases, the tendency has been to accept the default settings and move on.
But in a world where data breaches are daily occurrences, greater care is required to manage and operate SaaS applications securely. Despite the buzz around the latest sophisticated cyber threats, by far, the most common cause of data breaches has been the misconfiguration of SaaS. With the growing sophistication of features and security settings, the opportunities for error have expanded tremendously. Beyond that, many organizations have neither the resources nor the expertise to configure SaaS security features or monitor deviations properly. But if your application is already a reputable one used by hundreds and thousands of enterprises, why should you have to worry about it in the first place?
While there are some things you shouldn’t have to worry about, like the cloud’s underlying hardware, its global infrastructure, or the stability of the application due to the 'shared responsibility' model of doing business adopted by leading cloud providers, there are a few parts that fall under the customer’s responsibility. Cloud customers are responsible for the security of the data once it enters into the application. Simple tasks such as making the data private or public come to mind. However, customer responsibilities go far beyond these types of functions. Ensuring encryption is turned on, assigning appropriate user access, or assigning broader role access are some of the configurations that must be considered. Settings such as ensuring the appropriate level of access by 3rd party applications or limiting access based on location and device type are just a small sample of responsibilities that fall on the customers.
The shared responsibility model also clarifies any liabilities as a result of SaaS misconfiguration. And as you may guess, the customers are ultimately liable. It is no surprise that Gartner predicts through 2025, 99 percent of all cloud security failures will be the customer’s fault.
So, what’s a customer to do? By now, many recognize that traditional on-premise management and security solutions, even when enhanced for cloud services, offer limited value. The cloud business applications market, until recently, has lagged in comparison to the overall growth of the SaaS market. For example, some office productivity applications continue to resemble the features and capabilities of the desktop-based predecessors. Remote work in the enterprise has changed that. Mission-critical business applications that run on-premise have become a hindrance to productivity in many cases.
SaaS adoption’s speed and scale, the accelerated time between product updates, and the benefit of anywhere, any device access, all pose significant challenges for traditional solutions. Trying to shoehorn such a solution requires substantial manual resources with minimal added benefit. According to a recent report, more than 90 percent of survey respondents have recently received additional responsibilities, and two-thirds have less time to manage and secure SaaS applications effectively. Additionally, 68 percent of respondents rely solely on manual efforts to detect data exposures.
The growing complexity of SaaS applications poses additional challenges as well. Release notes from SaaS providers usually span several hundred pages and are updated every few months. Merely keeping up with the updates, let alone crafting a comprehensive strategy, is often impossible with limited resources.
As organizations double down on their SaaS deployments to support work-from-home initiatives, they need to ensure that investments are made in the right support resources and tools. Often, the same IT and cloud administration resources are now being asked to support significantly more users than initially planned. In this case, the ease with which SaaS services allow you to scale quickly can work against you and easily overwhelm the administrative resources. The result of such imbalance will appear as increasing trouble tickets, low satisfaction from users, and in some cases, security-related issues such a data exposure or loss. Organizations should track these metrics as they continue to scale their work-from-home initiatives.
Many enterprises are now turning to a new generation of SaaS management and security solutions. Coined by Gartner as SaaS Security Posture Management, or SSPM, the new breed of solutions provide deeper integration with SaaS applications. It allows analysis of settings and configurations unique and relevant to the specific SaaS application in question. Organizations that utilize sandbox environments to roll out SaaS updates can leverage SSPM solutions to verify all settings before rollout and use the same solution for ongoing monitoring in the production environment.
With SaaS applications’ growing features and security capabilities, an increasing portion of the shared responsibility now falls on the customers’ shoulders. Fortunately, a new breed of solutions is designed to address the changing times and help manage and automate much of what the SaaS customers are now responsible for.