SaaS apps under business unit control

A typical company uses a variety of SaaS apps, from cloud data platforms, file sharing apps, and collaboration apps to CRM apps, project management, work management, marketing automation, and more (see Figure 1). Individual SaaS apps are required to fulfill specific niche roles required by businesses. Without SaaS apps like these, you could fall behind your competitors and take longer to hit your KPIs.

Figure 1: Types of apps used (2022 SaaS Security Survey Report)

According to the 2022 SaaS Security Survey Report, 40% of SaaS apps are managed and owned by non-security teams such as sales, marketing, and legal departments (see Figure 2). According to the report, management of SaaS apps is primarily left to security and IT teams, but complicating the threat landscape is that 40% of management is done by business units that have full access rights.

Security teams can't take that ownership away. This is because business application owners need to maintain a high level of access to related SaaS apps to optimize the apps for ease of use. However, it is unreasonable for security teams to expect business app owners to ensure a high level of SaaS security without deep knowledge of security or vested interests (security KPIs that affect departmental work outcomes).

Unraveling the SaaS app ownership paradox

When asked about the main causes of security incidents caused by misconfiguration (Figure 3), survey report respondents cited the following as the top four causes:

• Too many departments have access to security settings
• Changes to security settings are not visible
• Lack of knowledge about SaaS security
• Abuse of user privileges

All of these reasons lie directly or indirectly in the SaaS app ownership paradox.

Figure 3: Top causes of security incidents (2022 SaaS Security Survey Report)

A major cause of security incidents caused by misconfigurations is that too many departments have access to security settings. This is closely related to the second most common cause: lack of visibility into security changes. The business unit may change app settings to optimize the app's usability without consulting or notifying the security department.

Additionally, business unit owners who do not pay sufficient attention to security can easily cause misuse of user privileges. Users are often granted privileged permissions that they don't need.

How security teams can take back control

The only efficient way to bridge the communication gap in this shared responsibility model is with SaaS Security Posture Management (SSPM). When an organization's security team owns, manages, and utilizes an SSPM solution, it ensures that the security team has complete visibility into all of the company's SaaS apps and their security settings, including user rights and permissions. I can.

Businesses can go a step further and add app owners to the SSPM platform so they can proactively view and manage all settings for their apps. Scoped administrators (Figure 4) allow security teams to grant app owners access to their apps. This allows security teams to remediate security issues with the app owner's permission.

Figure 4: Adaptive Shield SSPM platform scoped administrator functionality

There is no way to prevent a business unit from accessing the security settings of a SaaS app. Educating users across the organization on the basics of SaaS security should reduce the risks that business units can pose, but this isn't always possible, and even when it is, it's not enough. To avoid situations like this, use a solution that gives security teams visibility and control through alerts on configuration changes, audit logs that collect and visualize actions within SaaS apps, scoped administrators, and more. need to be introduced.