Forbes Tech Council: The Importance Of SaaS Security Posture Management

This article was originally posted on Forbes as part of their Forbes Technology Council series.

‍

It’s no secret that businesses love software as a service (SaaS). Why shouldn’t they? It’s the easiest way to provision applications and get productive right away.

‍

But that infatuation has its hazards. Ease of adoption has resulted in sprawl: According to Okta’s 2023 “Business at Work” report, companies with greater than 2,000 employees have an average of 211 SaaS applications. Given the self-service nature of SaaS, many are set up by individuals rather than IT.

‍

All users of so many SaaS applications can’t be expected to police their own security and compliance by themselves. That’s where SaaS security posture management (SSPM) comes in. Whereas “security posture” normally refers to the security status of an entire enterprise, SSPM narrows the scope to address the unique configuration, access control and compliance issues of SaaS.

‍

New regulatory initiatives—like the latest SEC rule that enforces the timely public disclosure of data breaches—have made the adoption of SSPM increasingly urgent, particularly for public companies.

‍

How Bad SaaS Exposure Can Get

Consider the ransomware attack and data breach suffered by MGM Resort International in September 2023, resulting in the loss of an estimated $100 million.

‍

The ransomware group ALPHV targeted individuals it guessed would have elevated privilege in Okta, MGM’s SaaS identity and access management system of choice. Using social engineering over the phone, attackers were able to reset multifactor authentication and compromise Okta, giving themselves super-admin privileges and, essentially, free reign.

‍

ALPHV boasted about what happened next on its own leak site: Upon detecting the attack, MGM "made the hasty decision to shut down each and every one of their Okta Sync servers," disabling Okta identity management entirely. The upshot included both the theft of sensitive data and a ransomware lockup of 100 VMware servers. Guest check-ins, hotel room keys, slot machines and more went offline.

‍

An SSPM solution could help prevent this type of situation. For example, it could have detected and flagged the MFA resets or assisted in remediating the Okta compromise. Financial losses may be covered by cyber insurance—but damage to a company's reputation cannot be so easily remedied.

‍

Riding Herd On SaaS

A large share of SSPM’s value is in its tight focus. It dives deep into the security and compliance issues around SaaS alone—not cloud access or underlying cloud infrastructure security. Those are covered by, respectively, two other four-letter acronyms: CASB (cloud access security broker) and CSPM (cloud security posture management).

‍

With SSPM, it all starts with onboarding SaaS. Big SaaS applications, such as Salesforce or Workday, for example, typically integrate with a host of different enterprise systems already in place. An SSPM solution makes that integration easy while automatically propagating the customer’s existing access control policies, rights and permissions, regulatory restrictions and risk management parameters.

‍

Think of these tasks as shutting a door that was left inadvertently ajar—with minimal human intervention. In large companies, SSPM’s ability to harden SaaS applications automatically can save many hours of manual labor, particularly when it comes to compliance adherence. Over time, when users or admins accidentally change settings for the worse, SSPM solutions can remediate that configuration “drift” and ensure compliance and security levels do not falter.

‍

These controls and indicators are centralized in a dashboard that enables admins to assess risk and enforce policy at scale. To deliver these benefits, an SSPM provider must closely track shifting configuration options across many popular SaaS applications, not to mention regulatory changes, and adjust their offerings promptly.

‍

The best SSPM solutions put identity first, whether that’s a person, an application or a service account. Putting identity first gives customers a consolidated view of what they have, how it’s configured and who has access, offering the context necessary to determine what’s important and what’s not. No organization can fix everything. Identity provides a lens through which admins can see how to create a priority list of SaaS security and compliance actions.

‍

Spotting Mischief In The SaaS Ecosystem

However, no matter how well configured, no SaaS implementation is bulletproof. Attacks happen—and SSPM’s singular focus on SaaS applications, their configuration options and their potential vulnerabilities can enable rapid detection and response. Combine that deep understanding with the maintenance of a customer’s user identities, rights and permissions, and bad actors can usually be stopped before they wreak havoc.

‍

Imagine a Salesforce contractor works for a company for six months and, after that term is done, keeps his credentials because he is likely to work for the company again. Then he gets a job with a competitor. Months later, the contractor logs back into the company’s Salesforce instance and tries to access sensitive data. The SSPM solution’s detection of the login, combined with a record showing the contractor hasn’t interacted with the company for months, immediately shuts him down.

‍

Such a response is unlikely without an AI engine as part of the SSPM solution. Some SSPM systems contain machine learning modules that not only learn the behavior of SaaS applications but also the behavior of people—enabling, for example, the detection of former employees who may possess others’ logins. That’s a salient example because an estimated 72% of people in the U.S. who leave a company take some sort of data with them. Overall, SSPM powered by AI is vital to prevent staff from being overwhelmed with monitoring, configuring and responding to threats.

‍

‍

Building A Moat Around SaaS

As a security and compliance solution, SSPM does not exist in isolation. Along with complementing CASB and CSPM, SSPM should be integrated with existing customer identity and access management systems.

‍

Nonetheless, SSPM is proving itself essential not only in controlling SaaS configuration, access management and compliance adherence but also in fending off attacks and—perhaps most important of all—lightening the growing burden borne by security and administrative personnel. The more automation baked in and preferably powered by AI, the greater the chance of keeping your own SaaS ecosystem humming without running afoul of regulators and bad actors.

‍