Software as a Service (SaaS) continues to grow at a rapid pace as businesses look to take advantage of the flexibility and economy offered by the cloud. According to Gartner’s forecast of Worldwide Public Cloud Revenue, spending on cloud application services is projected to increase to more than $151 billion by 2022.
However, when looking at protecting business-critical operations, SaaS applications are often overlooked. A recent white paper from AppOmni, Treating SaaS as the Critical Infrastructure It Is, highlighted this issue and a number of reasons that SaaS is sometimes neglected when it comes to security:
When SaaS applications first became popular, they were often acquired by individual business units rather than centrally by IT – a practice known as Shadow IT. Simplified licensing and ease of provisioning made purchasing easy, and applications could often be bought and deployed without central authorization. This enabled businesses to rapidly deploy tools supporting productivity and customize them to meet specific needs, which has made them incredibly popular.
Dynamic business environments can change on a daily basis – personnel and their roles can frequently change and this may require new privileges. The easiest way for administrators to do their jobs quickly and efficiently is to allow broad privileges in accessing and changing settings. However, broad access compromises security.
Lack of control
Whilst these systems have security built in, they are at the mercy of misconfigurations and lax controls by non-IT administrators. Not being under the control of IT often also means that no checks or monitoring are in place.
The result is that locally, manually managed applications are less likely to be kept up to date and could potentially drift out of security compliance over time. This could leave data exposed to both internal and external threats.
Part of the furniture
Because SaaS applications are so ubiquitous and commonplace, very little thought is given to them by either users or administrators. This allows the threats already discussed to fly under the radar of your security specialists.
This is complicated by the fact that many organizations are only just beginning to realize how business-critical the security of these applications is and the need to fully manage them.
A critical eye
SaaS must be treated as a critical application and should receive the same security considerations as the endpoints, servers and network elements. Tim Bach, VP of Engineering at AppOmni adds:
“We have not, as an industry, given the same level of due diligence to SaaS as we do to IaaS, bare metal, and other elements of the IT infrastructure stack.”
This leaves organizations vulnerable to leaks and breaches. Most organizations would not consider deploying servers or endpoints without products that provide monitoring and automated management across product and platform types. Best practices for managing and securing servers, endpoints, operating systems and networking elements are well established. We need to see the same for SaaS applications.
Not an easy task
The typical enterprise is using an average of 15 clouds with resources continually spinning up and spooling down on demand, so it is not a simple task to ensure that proper security procedures are being followed.
“The scale and dynamism of cloud computing complicate visibility and control over all workloads, storage and processes performed in hybrid and public cloud computing environments,” Gartner says in a recent cloud security report.