Exponential growth of SaaS deployment exposes hidden vulnerabilities
Amid exponential growth, the SaaS ecosystem has matured rapidly, primarily out of necessity. The first buyers of SaaS software were naturally worried about committing to such a transformative change, which shifted the focus of control away from the enterprise.
SaaS vendors and cloud data centers were forced early in the game to address security vulnerabilities and potential threats in order to overcome this fear. As a result, cloud data centers today tend to be infinitely more secure than on-premise data centers. Because they have responded to market demands, those cloud data centers tend to have state-of-the-art equipment and levels of physical security that are often not present in on-premise centers.
It's also no secret that the best cybersecurity talent goes to the cloud data center operators, organizations which are simply able to afford the best in the business. Smaller organizations are, as a result, able to take advantage of high-end security and talent which they would not have access to were they to try to manage their own data centers on-premise. The SaaS applications which live in the cloud naturally benefit from that data center security.
However, vulnerabilities remain. Any buyer of SaaS software needs to understand not only the benefits of their SaaS subscription use, but the potential liabilities – and more than anything, they need to understand what goes on "under the hood." This can be difficult, given that one of the key benefits of SaaS is that it abstracts what's under the hood in order to make not only usage, but procurement, deployment and management, simple enough for non-IT personnel to run.
What's more, the biggest benefit of SaaS – extreme usability – can also be its biggest downfall. The ease with which it is deployed can lull users into a false sense of security, and the fact that there is often little oversight from IT means that the in-house security protocols everyone should follow are often left behind.
What SaaS users need to worry about
Vendors of SaaS tend to take the Bobby McFerrin approach ("don't worry, be happy") to SaaS deployment, focusing on their core message of ease of use, and buyers are responding to it. It pays, though, to worry at least a little bit.
Specifically, before selecting a SaaS product for use in your business, you’d do well to consider:
- How is your data stored? Everybody wants to know "where," but that is less relevant than "how." Data at rest, typically held in a database or cloud object store, should always be encrypted, with rigorous access controls enforced at the data center site, regardless of where that site is physically. Fortunately, most SaaS vendors have strong protections in place, but buyers should review the vendor's access control protocols before opting in.
- What happens if your SaaS vendor goes out of business? Startups, and even larger incumbent vendors, do sometimes go out of business, especially in fast-moving industries like SaaS. Finding a vendor with a good reputation is important, but it's still useful to guard against the worst happening, and review your contract to ensure that a provision is in place to guarantee that your data is portable in case of a shutdown of service or if the provider goes out of business.
- Can your SaaS app integrate with a centralized SaaS management platform? Avoiding "shadow IT," redundant apps and duplication of effort can be accomplished with a centralized SaaS management platform, and it's also a good idea to assign "point people" to be responsible for some level of oversight of the various SaaS apps used throughout the company.
Achieving a balance of autonomy and oversight
The greatest value of a SaaS ecosystem will be realized when the company achieves the best balance of end-user autonomy and centralized oversight.
In a case study from SaaS management platform Torii, a rapidly growing project management platform called Monday.com wanted to give workers the freedom they needed to control their own workspaces, but they faced two challenges: Staying in control of expenses, security and compliance, and promoting accountability while in a largely decentralized environment.
Through deployment of the SaaS management platform, the company was able to achieve greater visibility of the entire SaaS ecosystem, compliance with GDPR, and greater employee engagement. That visibility allowed the company to eliminate duplication of tools that served the same purpose: by checking the centralized database of SaaS tools before buying, it could guard against unnecessary repeat purchases.
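The inventory check described in the list item above and in the case study just given (comparing what is actually in use against a central register of sanctioned apps, and spotting several tools that serve the same purpose) is simple enough to sketch in code. The following is an added example, not code from the original article, Torii, or Monday.com. The sanctioned inventory and the discovery records are constructed sample data; in practice the discovery side would be fed from an identity provider's application list, OAuth consent logs or expense exports.

```python
# Reconcile discovered SaaS apps against a sanctioned inventory.
# Added example with constructed data; not code from the article or any vendor.
from collections import defaultdict

# Constructed sanctioned inventory: app name -> (category, responsible "point person")
SANCTIONED = {
    "monday.com": ("project-management", "ops-lead"),
    "slack": ("chat", "it-admin"),
    "zoom": ("video", "it-admin"),
}

# Constructed discovery records, as an IdP app list or expense export might look:
# (app name, category, user who signed up for or expensed it)
DISCOVERED = [
    ("monday.com", "project-management", "alice"),
    ("slack", "chat", "bob"),
    ("asana", "project-management", "carol"),
    ("trello", "project-management", "dave"),
    ("zoom", "video", "erin"),
    ("unknown-notes-app", "notes", "frank"),
]


def reconcile(sanctioned, discovered):
    """Return (shadow_apps, redundant_categories).

    shadow_apps: app -> sorted list of users, for apps absent from the inventory
                 (shadow IT: nobody owns them, nobody reviewed their controls).
    redundant_categories: category -> sorted list of apps, for categories served
                 by more than one distinct app (duplication of tools and spend).
    """
    shadow = defaultdict(set)
    by_category = defaultdict(set)
    for app, category, user in discovered:
        by_category[category].add(app)
        if app not in sanctioned:
            shadow[app].add(user)
    # Sanctioned apps count toward category coverage even if nobody used them yet,
    # so a new purchase in an already-covered category is flagged.
    for app, (category, _owner) in sanctioned.items():
        by_category[category].add(app)
    shadow_apps = {app: sorted(users) for app, users in shadow.items()}
    redundant = {cat: sorted(apps) for cat, apps in by_category.items() if len(apps) > 1}
    return shadow_apps, redundant


def report(sanctioned, discovered):
    """Produce one finding per line for the SaaS management point person."""
    shadow_apps, redundant = reconcile(sanctioned, discovered)
    lines = []
    for app, users in sorted(shadow_apps.items()):
        lines.append(f"SHADOW   {app}: not in inventory, no owner; used by {', '.join(users)}")
    for cat, apps in sorted(redundant.items()):
        lines.append(f"OVERLAP  {cat}: {', '.join(apps)}")
    return lines


if __name__ == "__main__":
    for line in report(SANCTIONED, DISCOVERED):
        print(line)
```

Running the script on the constructed data reports three apps with no owner in the inventory and one category (project management) served by three different tools. The same reconciliation, run before each purchase, is the "check the database before buying" step from the case study; the ownership column is what gives each app the point person that the earlier list item recommends.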
Public domain security evaluation frameworks can also be used to reinforce the buying decision and gain an additional level of comfort. SaaS vendors which have achieved FedRAMP status have passed a very high bar for this government standard: their software and infrastructure have been evaluated against the NIST 800-53 assessment checklist and audited by a trusted third party.
Similarly, a best-practices checklist is available from the Enterprise Ready Framework, which allows SaaS vendors to self-audit and report status on a variety of critical areas, including access control, audit logs, and GDPR readiness.
Shared responsibility and controlling your own destiny
Deriving the greatest value from a SaaS ecosystem requires a shared responsibility model, which balances the need for autonomy with the need for control. This shared responsibility model has two phases.
First, there is an implicit understanding that shared responsibility exists between the SaaS vendor and the business consumer, with the highest level of security being achieved when the business consumer understands their own responsibility (for example, implementing password protocols, achieving company-wide visibility of all SaaS apps, and preventing unauthorized use).
Within the customer environment, there is another phase to shared responsibility, and that is the often-contentious division that exists between IT and end users. Striking an internal balance here requires IT to take responsibility for centralized oversight, audits and management of the entire ecosystem, while departmental managers and end users keep their autonomy but still adhere to security best practices, avoid "silo" operations and maintain open communication with the SaaS management officer.
The SaaS ecosystem is capable of achieving a much higher maturity level on the part of all stakeholders, from vendor, to the IT department to the departmental end-user, while still providing those end-users the autonomy, simplicity and ease of use that are the key benefits of SaaS.