SaaS Security Risk Management Checklist for CISOs


When it comes to SaaS security, the focus so far has mainly been on the risk of the SaaS vendor. Historically, this makes sense because when SaaS services first started, companies worried about where the data was stored and the security of the provider. In response, certifications such as SOC2 (created in 2010) and ISO 27001 (published in 2005 and updated in 2013) have been established to help companies objectively benchmark SaaS vendor practices and compliance with industry best practices. sector.

SaaS has changed significantly over the past 10 years. The use of SaaS is prolific in every business, and it is often acquired by individual employees and not always purchased centrally by the IT department. SaaS risk goes far beyond simple vendor risk, and is now determined by company-specific factors that most companies still don’t factor into their risk calculations, because risk is always assessed. as if the supplier’s risk were the most important factor. The result is that most companies run SaaS using an outdated framework and have huge blind spots. SaaS security operations have also changed, and you can read our SaaS Security Best Practices Blog to learn more about how companies need to change their approach to SaaS security.

The following checklist identifies key risk factors that CISOs need to understand to effectively manage their SaaS risk, beyond industry standard certifications. The checklist was developed by Grip Security in collaboration with hundreds of CISOs who contribute to the development of our flagship product SaaS security control plane the solution.

Find out how many SaaS applications are in use?

The foundation of any SaaS security program requires a comprehensive inventory of all SaaS applications in use. Many companies use single sign-on (SSO) Where identity providers (IdPs), and that’s a good start. However, most do not have a good inventory of SaaS used when the employee created an account using local application credentials. CASB provide another layer of data, however, they are unable to discern whether the employee has created an account or is simply visiting the site. This SaaS inventory should also cover accounts created by former employees who are still active. It’s much more common than most people think.

Identify the data used in the SaaS application.

Data governance is a critical aspect of a security program and SaaS makes it especially challenging. The best source to identify the type of data that will be used is the users themselves. However, collecting this information from each user for each SaaS application they sign up for is cumbersome and time-consuming. Automation can make this part of the SaaS onboarding process, and gathering this information is essential to any robust SaaS security program.

Monitor the number of employees using a SaaS application

The ease of use of SaaS has caused a huge increase in the number of applications used in a business. By some estimates, there are over 15,000 SaaS companies in North America, and the average company uses nearly 200 different SaaS applications. Applications used by one employee are likely to pose less risk than those used by multiple employees. Understanding the number of employees using a SaaS application helps a company more accurately assess its level of risk and prioritize compliance actions.

Adoption of SaaS applications

The reality is that the number of users of a SaaS application will change over time, and an application that experiences a large increase in users deserves special attention to ensure that users adhere to the security policies of the SaaS application. ‘company. Users can belong to the same department or completely different offices. The density of users within a function is also a risk factor posed by the application. For example, if 10 people in finance are using an app and sharing data, that’s a very high level of risk. But if 10 people in 10 different departments are using the app with little or no collaboration, that’s less of a risk. The key is to monitor adoption growth so that risk can be accurately assessed.

Authentication method used for a SaaS application

When creating a SaaS account, users are often given the option to authenticate using an IdP or local credentials. Although company policy may be that users should use the official IdP, many users will use their email address and reuse one of their passwords. Knowing the authentication method used allows security teams to contact and instruct the user to use an IdP and comply with company policy. Existing solutions, including CASBs, have no way of collecting this information. This can be done by the Grip SaaS Security Control Plane solution.

Number of applications or SaaS accounts that are no longer used

In SaaS security, the focus is on the SaaS apps in use, and what doesn’t get as much attention is the number of SaaS apps or accounts that are no longer in use. These may be the result of employee turnover, where the onboarding process did not cover unauthorized SaaS applications where the employee did not use an IdP. Or it could just be that the employee is switching apps, such as from Trello to Dormant SaaS accounts are a common blind spot and existing solutions such as CASBs are unable to discover or secure them.

Evolution of the risk of SaaS applications over time

SaaS risk is not static and evolves over time. Users can start with a freemium version with limited capabilities and then upgrade to a version with more advanced capabilities. As mentioned earlier, a single user can start using an app and then start inviting colleagues to start using the app as well. With the thousands of potential applications, a best-in-class SaaS security risk management program monitors changing risks over time and helps security teams prioritize their resources and efforts.

Grip SaaS Security Control Plan

Modern SaaS security has distinct and different requirements that are not fully met with traditional identity-, network-, or device-based solutions. These solutions assume that the company controls authentication, network access or the terminal used. With SaaS, the user can use an unauthorized application on a personal device while working remotely. The Grip SaaS Security ControlPlane solution helps companies modernize their security architectures to meet the specific challenges of SaaS.

With automation at its core, the SaaS Security Control Plane coordinates and automates security processes and enables security teams to scale, reduce workload, and enforce risk management policies on systems. disparate. Grip provides an end-to-end platform that identifies incidents, provides remediation options, and automates implementation from alert to security outcome.

The Grip solution does not require an endpoint client or a proxy or CASB integration. Installation is simple and only takes ten minutes. Contact us for a personal demo and a free trial or you can learn more by reading our data sheet.


About Author

Comments are closed.