5 Key Takeaways on Hacking the SaaS Security Journey

Recently Reco Cofounder and CEO Ofer Klein and Robert Kugler, Head of Security and Compliance at Cresta (a Reco customer), joined David Spark on his weekly CISO Series webcast to discuss hacking the SaaS security journey, an hour of critical thinking of how to secure SaaS applications in a holistic way. They dove into the objectives of a SaaS security journey, the evolution of SaaS and security priorities, and the best methods for aligning SaaS security with business goals.

‍

We highly suggest watching the entire episode! But here are just a few of the key takeaways. 

‍

Start with the “Embarrassing Questions” 

Don’t worry, personal embarrassing questions need not apply to SaaS security. What we mean by “embarrassing questions” here is the first step in an organization’s SaaS security journey: figuring out what you don’t know. 

‍

Ofer explained, “The journey always needs to start with what you have. The unknown unknowns…starts with understanding what you have in your environment.” 

‍

This first step of discovery can be uncomfortable because it begins with some “embarrassing” questions. The initial question in any organization’s SaaS journey sounds simple enough, but, according to Ofer, not a single customer has gotten it right: How many apps do you have? Organizations might think they only have 100-200, but so far the record is an eye-popping 11,000 apps, and 108 admins in Microsoft. (We all became living embodiments of the “head exploding” emoji at that revelation, too.) 

‍

In order to secure what you have, you have to first figure out…what you have. And don’t worry, when everyone gets the answer wrong, getting it wrong isn't embarrassing. Everyone starts somewhere, and getting a full picture of your environment is the best somewhere possible. 

‍

Prioritization is Key

After you have a full understanding of what you need to secure – and have maybe stopped hyperventilating at the number of apps you didn’t realize you had in your environment – the next step all comes down to an even bigger question: what now? 

‍

This is where you need to evaluate what will provide the most value with the least amount of effort. Or, as Ofer put it: 

‍

“Now prioritize: what is important and what is not important. For example, more than 50% of the apps…are unused. Someone installed an app for marketing 10 months ago, it’s no longer useful, get rid of it…Then you go for the risky apps. We have a methodology that allows you in a very easy way to understand where the biggest impact is located, and what to do.” 

‍

The easiest first decisions are to eliminate what isn’t necessary by getting rid of unused apps in your environment that are left dormant and connected. Removing these risks is an easy win with immense value for any organization’s security posture. 

‍

Next, you can start to look at access in the “core” apps for businesses (ex: Salesforce, Zoom, etc.). How much access does a user have? Does an account have access to the entire company? That warrants a lot of attention. How much access do these users actually need to complete their job functions? Educating your users on how to embrace less user privilege can go a long way here for employee buy in, too. 

‍

By approaching SaaS security with this methodology, organizations of any size can make outsize impacts on their security postures very easily. 

‍

Security Teams Can’t Be the “Department of No” 

One of the games played during this webcast that elicited the most laughs was “The Department of Yes,” where Ofer and Richard were forced to justify objectively terrible security ideas such as watching Die Hard and deleting 10 apps every time Bruce Willis uses a walkie-talkie. Of course, this entire game stems from the reality that security departments are often seen as a “department of no,” constantly frustrating employees by telling them they can’t use one thing or another because of security. 

‍

This reputation as a “department of no” must go, argued Ofer and Richard. Security teams need to first understand that these apps are almost always downloaded as a way to stay competitive for the business’ needs. Generative AI programs, marketing apps, etc. are all installed because they can boost efficiencies in business processes, and security teams have to be nimble enough to leverage them in a secure way instead of denying access to them outright. 

‍

Much of this comes from working with employees to vet these apps, allowing both sides to work in good faith. Some important items and questions to help this vetting process are: 

• App permissions. What kinds of permissions and access does it need? Does it take data, read data, change permissions? Does it need access to customer data? These are all important questions that many employees might not even realize are possible scenarios. 
• The vendor itself. Is this a trustworthy vendor or a random app to download from an unknown software publisher that could be laden with malware? More and more vendors are now also providing more information on their own security protocols with trust pages and more open communication. 
• Access. Who needs to use the app within the organization? This is an especially important question to ask in the case of any SaaS app that handles customer data. 

‍

Learn to Embrace Continuous Compliance

Another big topic was the idea of “configuration drift,” where an app and its settings were configured, and then left untouched. Unfortunately during this time, configurations and settings can “drift” from those optimal settings, opening up security holes in your environment. 

‍

Often big security posture checks are performed by organizations for compliance reasons and then shuffled to the bottom of ever-expanding to-do lists for the security teams. Ofer and Richard made the case that organizations instead need to embrace the idea of “continuous compliance” by leveraging tools that can constantly scan through these configurations all the time and then triage alerts if configuration drifts begin. By doing this, you will not only strengthen your security posture, but your annual security audits are made immensely easier, too. 

‍

Some Big Things Are on the Horizon

If a bunch of security experts start talking in a room and aren’t asked about the future of security, did they even talk? When Ofer and Richard were asked about some emerging trends in SaaS security, there were two big ones. (To probably nobody’s surprise, one involves an acronym that begins with the letter “A” and ends with “I.”) 

‍

First: the idea of data retention and ownership is bubbling to the surface more and more as SaaS apps become more ingrained and necessary in the day-to-day functions of businesses. However, Ofer and Richard said that understanding who ultimately owns what data – and then what are the plans for getting that data out, if necessary – are going to become more commonplace. This demand for transparency will continue to grow. 

‍

Second: understanding how AI can help security, instead of posing a risk to it. As we’ve seen, our environments are too complex to even understand, let alone manage. However, utilizing security tools that have securely built AI in from the ground up can make these complex nests of SaaS apps manageable without opening you up to more risk from the AI itself. 

‍

Conclusion

These were just a few of the incredible insights Ofer and Richard provided over the course of the podcast. We do hope you’ll take a listen and let us know what you think. And, of course, if you need help with any of these steps in your own SaaS security journey, Reco can help.