Misconfiguration basics: the three Vs behind SaaS application misconfigurations

While the ease of adopting and deploying SaaS apps is a great advantage, that advantage has quickly become a double-edged sword. The availability of SaaS tools lets employees work from anywhere, but the increased use of SaaS apps poses difficult challenges for IT and security teams.

According to chief information security officers (CISOs) and security experts, SaaS misconfigurations were the leading cause of security incidents in the past year, accounting for 63% of them. Misconfigurations have many causes, but the top three relate to the following three Vs:

Visibility

SaaS security has a paradox of its own. In most cases, the administrators who manage the security settings of SaaS apps, and who hold significant privileges to do so, do not belong to the security department. Business units own SaaS apps because the apps let them get their work done more efficiently, but these owners and managers typically have no specialized security training and do not prioritize security measures; they are focused on improving their department's KPIs.

For example, HubSpot is typically owned by the marketing department and Salesforce by the business or sales department. Securing the many SaaS apps a company owns is nonetheless the responsibility of the security team, and a prerequisite for doing so effectively is complete visibility into and control over those apps. Security teams must proactively contact a large number of app owners to verify configurations and resolve incidents, often without even knowing which security controls are in use.

Volume

By the numbers, companies run hundreds to thousands of SaaS apps. Each app has many global settings, such as which files can be shared, whether MFA (multi-factor authentication) is required, and whether video meetings may be recorded. Multiply that by the number of employees, which can be in the thousands, tens of thousands or even hundreds of thousands, and the number of settings to manage grows accordingly.

Security teams need to be familiar with the specific rules and settings of each app and ensure they comply with company policy. With hundreds of app configurations and tens of thousands of user roles and permissions, the workload can quickly reach unsustainable levels. It goes without saying that this difficulty is compounded by third-party apps integrated with those SaaS apps, which are added to the enterprise ecosystem every day without the security team's knowledge.

Velocity

The SaaS app landscape is dynamic and continually evolving. As employees join and leave and new apps are introduced, permissions and settings are constantly being set, reset and changed. On top of that, there are ongoing compliance updates and checks against external standards and best practices (NIST, SOC 2, MITRE, etc.). Security teams must continually ensure that every configuration across the company is correct, without exception. Considering the large number of apps and settings discussed under Volume, that work equates to hundreds of hours of continuous effort, which is not sustainable.

How to achieve SaaS security management

There is no sign that businesses will slow their adoption of SaaS apps, which means that for the foreseeable future every new app integration will bring new settings to secure. To take back control, businesses need solutions that address all of the challenges posed by the three Vs: Volume, Velocity and (lack of) Visibility.

Enterprises can reduce the burden of managing misconfigurations by implementing an automated solution such as SSPM (SaaS Security Posture Management) that provides:

  • Monitoring and alerting:
    Run checks by app, user, severity or other criteria related to SaaS misconfigurations, and receive an alert whenever a configuration changes.
  • Automation and remediation:
    Show the correct way to fix each SaaS configuration defect, step by step.
  • User inventory:
    Manage and investigate users across all SaaS apps, from which users can access a given app, to privileged roles and permissions, to failed security checks involving privileged users.
  • Compliance mapping:
    Compare SaaS security checks against leading industry standards such as NIST, SOC 2 and ISO to confirm compliance with them, or define custom corporate policies.
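
To make the monitoring, severity and compliance-mapping items above concrete, here is a small Python policy checker added as an illustration; it is not code from Adaptive Shield or Macnica. It evaluates per-app settings snapshots against a severity-ranked policy (each check carrying a compliance label), and reports drift between two snapshots, flagging only changes that introduce a new policy failure. The app names, settings, policy values, control labels and both snapshots are assumed and constructed for the example.

```python
"""Toy SaaS misconfiguration check: evaluate settings snapshots against a policy,
rank findings by severity, and alert on drift between two snapshots.
Constructed example; apps, settings and policy are assumed, not a vendor's."""
from dataclasses import dataclass
from typing import Any, Callable

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass(frozen=True)
class Check:
    app: str
    setting: str
    severity: str
    control: str                    # illustrative compliance mapping label
    passes: Callable[[Any], bool]   # predicate on the observed value
    expected: str                   # human-readable expected state


# Assumed corporate policy; the control labels are illustrative, not an official mapping.
POLICY = [
    Check("salesforce", "mfa_required", "critical", "NIST SP 800-53 IA-2(1)",
          lambda v: v is True, "True"),
    Check("salesforce", "session_timeout_minutes", "medium", "corp-SESS-01",
          lambda v: isinstance(v, int) and v <= 30, "<= 30"),
    Check("google_workspace", "external_sharing", "high", "corp-DATA-02",
          lambda v: v == "restricted", "restricted"),
    Check("zoom", "cloud_recording", "medium", "corp-MEET-03",
          lambda v: v is False, "False"),
]

MISSING = object()  # sentinel: the connector returned no value for this setting


def evaluate(snapshot: dict) -> list:
    """Run every policy check against {app: {setting: value}}.
    A setting that is absent from the snapshot is a finding too: no visibility
    means the check cannot be proven to pass. Sorted most severe first."""
    findings = []
    for c in POLICY:
        actual = snapshot.get(c.app, {}).get(c.setting, MISSING)
        if actual is MISSING:
            reason = "setting not present in snapshot (no visibility)"
        elif not c.passes(actual):
            reason = f"expected {c.expected}, found {actual!r}"
        else:
            continue
        findings.append({"app": c.app, "setting": c.setting, "severity": c.severity,
                         "control": c.control, "reason": reason})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return findings


def drift(old: dict, new: dict) -> list:
    """Every setting whose value changed between two snapshots, with a flag
    for changes that created a policy failure that was not there before
    (the ones worth paging on, as opposed to routine admin activity)."""
    before = {(a, s): v for a, d in old.items() for s, v in d.items()}
    after = {(a, s): v for a, d in new.items() for s, v in d.items()}
    failed_before = {(f["app"], f["setting"]) for f in evaluate(old)}
    failed_after = {(f["app"], f["setting"]) for f in evaluate(new)}
    changes = []
    for key in sorted(set(before) | set(after)):
        if before.get(key, MISSING) != after.get(key, MISSING):
            changes.append({"app": key[0], "setting": key[1],
                            "old": before.get(key), "new": after.get(key),
                            "new_failure": key in failed_after and key not in failed_before})
    return changes


# Constructed snapshots. Tuesday: a Salesforce admin relaxed MFA, a Zoom admin
# enabled cloud recording, and the Workspace connector returned no sharing setting.
MONDAY = {
    "salesforce": {"mfa_required": True, "session_timeout_minutes": 30},
    "google_workspace": {"external_sharing": "restricted"},
    "zoom": {"cloud_recording": False},
}
TUESDAY = {
    "salesforce": {"mfa_required": False, "session_timeout_minutes": 30},
    "google_workspace": {},
    "zoom": {"cloud_recording": True},
}

if __name__ == "__main__":
    for f in evaluate(TUESDAY):
        print(f"[{f['severity'].upper():8}] {f['app']}.{f['setting']}: {f['reason']} ({f['control']})")
    for c in drift(MONDAY, TUESDAY):
        tag = "ALERT" if c["new_failure"] else "info"
        print(f"{tag}: {c['app']}.{c['setting']} {c['old']!r} -> {c['new']!r}")
```

Two design points carry over to a real SSPM deployment: a setting the connector cannot read is reported as a finding rather than silently passing (the Visibility problem above), and drift alerts are raised only for changes that newly break policy, so the thousands of benign daily changes do not bury the one that matters.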

Misconfiguration management is one of the key areas security teams must cover, but it is not the only one for the many SaaS apps businesses own. Discovery and access control of third-party apps connected to SaaS, and user management from device to SaaS, are also important areas. With the right SSPM solution, security teams can not only control misconfigurations but also cover these use cases to secure SaaS across the organization.

Inquiries / document requests

Adaptive Shield team, Macnica Co., Ltd.

Mon-Fri 8:45-17:30