According to a recent survey, 71 percent of respondents admitted to using software-as-a-service (SaaS) apps that were not blessed by IT. This problem, commonly referred to as “shadow IT,” makes it impossible for security officers to accurately understand and manage the risk associated with the SaaS applications in use in their organization. While CISOs are often tasked with managing risks caused by factors beyond their control, bringing SaaS apps under the purview of IT is one thing they can control – and quite effectively – by following a five-step process.
Identify your stakeholders: In order to properly identify all SaaS stakeholders, you will need to know whom your application buyers, managers and administrators are, and secure their buy-in. Buyers of SaaS services come from IT and non-IT departments, and involve leaders from human resources, marketing, sales, and finance. These folks can help direct you to managers, whom have visibility into the SaaS applications being used in their department, because their teams are the ones that typically sign up for those apps in the first place. Administrators can include the help desk admin who manages user access, or the technical admin who configures and integrates the app.
Interview stakeholders: Different stakeholders will be able to answer various types of questions. Starting with managers is a great first step, as they can help you identify other stakeholders such as buyers. While each stakeholder is equally important, admins will likely be key contributors to determining the security/risk posture of any given SaaS app because they will have knowledge concerning the types of data and functionality the app provides. Additionally, they also have insight on the types of users that are granted access to that app.
Inspect firewall logs: This step requires the use of technology that can inspect your proxy and firewall logs and compare them against a database of SaaS applications. This should be able to give you an analysis of your SaaS risk exposure based on what is actually happening as opposed to what stakeholders think is going on. If you don't have this technology in house and don't have the time or knowledge to appropriately review firewall logs, there are plenty of firewall log analysis tools that can be easily found via Google. Most vendors offer one-off audit licensing, or in most cases, you can download a free 30 day evaluation, which would give you a month's worth of access to get the information required to continue with your inventory.
Gather and analyze the data: Once you've gathered all the requisite data (from both the interviews and the firewall logs), it's time to start analyzing the data, in the form of a risk analysis. The goal of the analysis is to provide a risk score for each application.
The risk score should be a composite of two things: the inherent SaaS risk (the risk associated with the SaaS apps own internal security mechanisms) and SaaS usage risk (the risk associated with how your organization is utilizing the SaaS app). There are plenty of resources, such as this SaaS Security Checklist, that can guide you through the process. After this analysis, you'll have your arms around which SaaS apps are in use in your organization along with a priority order of which ones are using the most sensitive data.
Create a remediation strategy: The last step is to establish a strategy to apply controls over how and why users are granted access to these apps and how that access is governed and managed (for example, ensuring that when a user leaves your organization, their accounts in these various SaaS apps are terminated). If you already have an identity management (IDM) program in place, this is your opportunity to attach these newly discovered SaaS apps into that program. If you don't an IDM program in place, this is your opportunity to begin to put one in place.
The threats posed by SaaS are largely the same as with enterprise applications since they run on the same platforms and code. However, organizations need to have a strategy in place for managing IT risk when a third party is responsible for managing the defenses. Once CISOs have a sense of how many third parties and what sorts of risks they are dealing with, they can start identifying technologies that can remediate those risks (some of which the organization might already own) so that all SaaS apps adhere to established compliance and security standards.