Take a moment to think about the software your company uses daily. I’d bet that most of it is deployed as a service, following the SaaS model. This convenient architecture has become part and parcel of our daily lives, both in the office and outside it: Dropbox, Slack, and even Netflix are all delivered this way. This is why SaaS security has become more important than ever.
In the following lines, I will present the notion of SaaS and the concepts related to it, then move on to the real talk, where we’ll discuss everything you need to know about SaaS security. As always, make sure to read until the end for some actionable advice on how to enhance your enterprise’s SaaS security like a pro.
SaaS – Definition and Key Concepts
SaaS Definition
Before diving into the specifics of SaaS security, let’s first explore the meaning of the phrase itself. The acronym SaaS stands for software as a service and implies a subscription-based and centrally-hosted model of software licensing and deployment. For this reason, it is also referred to as rentware, subscribeware, or on-demand software.
Software as a service is part and parcel of the terminology of cloud computing. Cloud computing is the umbrella term; alongside SaaS it covers the other service models of the same nomenclature, namely infrastructure as a service (IaaS) and platform as a service (PaaS). Other phrases in the field include managed software as a service (MSaaS), data center as a service (DCaaS), information technology management as a service (ITMaaS), and mobile backend as a service (MBaaS).
Image Source: Microsoft Azure
SaaS Applications
As the diagram above shows, SaaS applications are central to the model. Also known as hosted software or web-based software, they are usually accessed via a thin client, such as a web browser. However, it is not uncommon for SaaS to be delivered through installed client software as well. In fact, most apps nowadays offer both options instead of going for the either-or approach.
Heimdal Security’s own suite of cybersecurity solutions is a prime example of how this works. Our products are installed through a local agent and managed from a unified dashboard where you can check the status of your endpoints, filter requests, and so on. Network admins can also log into the dashboard via browser, which makes it accessible from mobile devices.
The only exception to this rule is Forseti, our perimeter-level Intrusion Prevention System. Forseti is specially designed not to require a local agent and protect against threats coming from external devices. This includes both personal devices brought into the office as part of your company’s BYOD policy, as well as malicious actors bringing their devices in range of your network.
Increasingly, hackers target organizations at network or DNS traffic level.
FORSETI
FORSETI IS THE ADVANCED INTRUSION PREVENTION SYSTEM THAT ALLOWS YOU TO PREVENT, DETECT AND RESPOND TO NETWORK-BASED THREATS
- Full DNS protection and full network logging.
- Uses Machine Learning on device-to-infrastructure communication for a strong HIPS/HIDS and IOA/IOC add-on to your network.
- An easy way to add network threat prevention, detection and blocking.
SaaS Architecture
Most SaaS solutions are built on the multitenant architecture model, in which a single instance (and a single version) of the application serves all customers, with each customer’s data kept logically separate. As per the Gartner Glossary,
Multitenancy is a reference to the mode of operation of software where multiple independent instances of one or multiple applications operate in a shared environment. The instances (tenants) are logically isolated, but physically integrated. The degree of logical isolation must be complete, but the degree of physical integration will vary. The more physical integration, the harder it is to preserve the logical isolation.
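To make the “logically isolated, but physically integrated” point concrete, here is an added example (not code from the article, Gartner, or Heimdal) of the one check that keeps tenants apart when they share a table: every read and write is scoped by a tenant id that comes from the authenticated session, not from the request. The table layout, tenant names and rows are constructed for the example; the unscoped lookup shows the classic cross-tenant bug beside the scoped version.

```python
import sqlite3

# Constructed sample data (not from the article): two tenants whose rows share one table,
# which is the "physically integrated" layout the Gartner definition describes.
SEED_ROWS = [
    (1, "acme", "Acme Corp Q3 payroll export"),
    (2, "acme", "Acme Corp board minutes"),
    (3, "globex", "Globex merger term sheet"),
]


def build_db():
    """Create an in-memory database holding both tenants' documents."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def get_document_unscoped(conn, doc_id):
    # VULNERABLE pattern: the row is looked up by id alone. Any authenticated user of any
    # tenant who guesses or enumerates ids reads other tenants' data (a cross-tenant IDOR).
    return conn.execute(
        "SELECT id, tenant_id, body FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


class TenantScope:
    """Every query goes through an object that already carries the caller's tenant id.

    The tenant id is taken from the authenticated session when the scope is created,
    never from the request body or URL, so the caller cannot pick a different tenant.
    """

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self.tenant_id = tenant_id

    def get_document(self, doc_id):
        # A miss and a cross-tenant hit both return None: the caller learns nothing
        # about whether the id exists in another tenant.
        return self._conn.execute(
            "SELECT id, tenant_id, body FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self.tenant_id),
        ).fetchone()

    def list_documents(self):
        rows = self._conn.execute(
            "SELECT id FROM documents WHERE tenant_id = ? ORDER BY id", (self.tenant_id,)
        )
        return [r[0] for r in rows]

    def update_document(self, doc_id, body):
        # Writes are scoped the same way; rowcount tells the caller whether anything changed,
        # so a cross-tenant write silently affects zero rows instead of another tenant's data.
        cur = self._conn.execute(
            "UPDATE documents SET body = ? WHERE id = ? AND tenant_id = ?",
            (body, doc_id, self.tenant_id),
        )
        self._conn.commit()
        return cur.rowcount


if __name__ == "__main__":
    conn = build_db()
    print("unscoped lookup of id 3 by an Acme user:", get_document_unscoped(conn, 3))
    acme = TenantScope(conn, "acme")
    print("scoped lookup of id 3 by an Acme user:", acme.get_document(3))
    print("Acme can see:", acme.list_documents())
```

The usual way to get this wrong in a real codebase is to scope reads but forget writes, or to let an ORM helper accept a tenant id from the request; putting the tenant id on the scope object at session creation removes both choices from individual handlers.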
The software as a service architecture you choose for your company is also influenced by your industry. According to software researcher Clement Vouillon, there are two main categories to consider:
- Vertical SaaS, which answers the needs of a specific industry. Examples include software for the fields of real estate, finance, healthcare, etc.
- Horizontal SaaS, which focuses on a specific software category regardless of industry. Examples include software for sales, human resources, marketing, etc.
What is SaaS Security?
Flexera’s 2019 State of the Cloud Report revealed that 94% of organizations use the cloud, with 84% going as far as having a multi-cloud strategy. On average, an enterprise leverages the services of roughly 5 clouds, where they run the majority of their workload.
While popular, cloud computing is not without its cyber-threats. Misconfiguration, compliance violation, contractual breaches, and insecure APIs are just some of the dangers that await you out there. My colleague Elena already published a great article on the topic of cloud computing threats for the Heimdal Security blog, so make sure to check that out.
But what makes your software as a service infrastructure such an attractive target for malicious actors? SaaS applications often store large amounts of sensitive data: personally identifiable information, banking details, medical records, and more.
This is why SaaS security should be a priority for your company. Still, what is SaaS security specifically? Simply put, the term refers to a set of practices put into place by an organization to protect its assets that are involved in the software as a service architecture.
As per the SaaS security guidelines published by the United Kingdom’s National Cyber Security Centre (NCSC), SaaS security is a shared responsibility between the service provider (a.k.a. the software distributor) and the service consumer (a.k.a. the company using the software). To help you uphold your part of this obligation, I will go over the essential security considerations for your SaaS applications in the next section.
How to Secure SaaS Applications
#1 Train Your Employees on SaaS Security
Chances are your company is already using one, if not multiple software as a service platforms. Heimdal Security’s very own suite of products is delivered according to the SaaS model. But do your employees know how this specific architecture works?
SaaS security best practices should be a main topic in the cybersecurity education you (hopefully) offer to staff. Here are some of the essentials you need to cover as part of the training:
- definition and key concepts,
- architecture models,
- cloud computing,
- information safety in the cloud,
- and proper account management.
Raising awareness of the dangers that might be lurking in the cloud will help you prevent serious cybersecurity incidents within the company. With human error remaining a driving factor behind breaches, I cannot stress the importance of training your employees enough.
#2 Educate Your Customers on the Topic as Well
Does your organization work with customers, contractors, or any other type of third-party collaborator? They should be educated on your use of SaaS applications as well. While they might not have the same level of access your employees have, they need to know how to react in case of a SaaS security incident.
One example of a widespread cybersecurity threat targeting the clients of organizations rather than the organizations themselves is account takeover fraud (ATO). According to Becky Bracken for Threatpost, ATO attacks rose by over 300% since 2019.
When cybercriminals impersonate your clients or contractors, this negatively impacts both them and your company as a result. Thus, teaching the third parties you collaborate with regularly how to enforce proper SaaS security is vital.
#3 Integrate Real-Time Vulnerability Monitoring
When most of your company’s workflow runs through the cloud and is driven by many users, identifying malicious requests after the fact becomes far harder. Therefore, scanning for vulnerabilities in real time is essential and can save you, your employees, and your clients from a world of cyber-hurt in the long run.
This is something our Thor Vigilance Enterprise next-generation antivirus can help you with. Its real-time cloud scanning feature ensures that all unidentified files are sent to our database for a closer look. I recommend running this in active mode to ensure an ongoing and automated process. Nonetheless, if you are worried about resource usage, you can also schedule your scans or perform them whenever you see fit.
#4 Ensure Your Software is Regularly Patched
Regularly updating software is a significant priority among the NCSC’s general SaaS security recommendations. Unpatched applications unfortunately continue to be a huge cybersecurity liability for your company. In a 2019 survey, 60% of organizations that had suffered a breach attributed it to a known vulnerability for which a patch was available but not applied.
With this in mind, why don’t more employees update their work devices? The reason behind it is simple: the process is disruptive. To solve this issue, we’ve integrated the X-Ploit Resilience module in our core offering of Thor Foresight Enterprise. XPR automatically deploys relevant patches within hours of their release, closing known vulnerabilities in your network as soon as a fix exists.
To benefit from both real-time vulnerability monitoring and regular software updates, my recommendation is Thor Premium Enterprise. A complete suite of cybersecurity solutions, TPE is your one-stop-shop for full endpoint detection and response.
Simple Antivirus protection is no longer enough.
Thor Premium Enterprise is the multi-layered Endpoint Detection and Response (EDR) approach to organizational defense.
- Next-gen Antivirus which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Protection against data leakage, APTs, ransomware and exploits;
#5 Grant Users the Correct Level of Access
Another key recommendation from the NCSC is to centrally manage SaaS resources and grant users the correct (and minimum) level of access required for them to perform their duties. This is known as the principle of least privilege and is a cybersecurity essential.
But what happens when a member of staff has to complete a task that requires a higher level of access than they have? Naturally, they will either send a rights escalation request to the admin or ask the admin to do the task directly. Processing such requests daily can become quite time consuming for your network administrator, which is where Thor AdminPrivilege™ comes in.
Thor AdminPrivilege™ is a PAM solution that minimizes the risk of insider threats or account takeovers by providing your business with streamlined access governance. Your network admin can automate a variety of escalation requests through it, as well as approve or decline them on the go.
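The properties that make temporary elevation safe rather than just convenient are easy to state and easy to get wrong: access is denied by default, an elevation is approved by someone other than the requester, it expires on its own, it can be pulled back the moment a host is flagged, and every step is recorded. Here is an added example (not Heimdal’s code and not how Thor AdminPrivilege™ is implemented) of a minimal privilege broker with those properties; the class and method names, the `FakeClock`, and the users and rights are hypothetical, constructed for the example.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    right: str
    approver: str
    expires_at: float  # seconds on the broker's clock


class FakeClock:
    """Constructed clock so the example runs (and expiry can be shown) without waiting."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class PrivilegeBroker:
    """Default-deny rights store with time-bound, separately approved elevation."""

    def __init__(self, clock):
        self._clock = clock          # callable returning seconds; injected so it is testable
        self._standing = {}          # user -> permanent rights (kept deliberately small)
        self._pending = {}           # request id -> (user, right, ttl, justification)
        self._grants = []            # active temporary grants
        self.audit = []              # append-only (time, event, details) records
        self._ids = itertools.count(1)

    def _log(self, event, **details):
        self.audit.append((self._clock(), event, details))

    def grant_standing(self, user, right):
        self._standing.setdefault(user, set()).add(right)
        self._log("standing_grant", user=user, right=right)

    def request_elevation(self, user, right, justification, ttl_seconds=900):
        rid = next(self._ids)
        self._pending[rid] = (user, right, ttl_seconds, justification)
        self._log("request", id=rid, user=user, right=right, justification=justification)
        return rid

    def approve(self, rid, approver):
        user, right, ttl, _ = self._pending[rid]
        if approver == user:
            # Separation of duties: a requester never approves their own elevation.
            self._log("self_approval_refused", id=rid, user=user)
            raise PermissionError("requester cannot approve their own elevation")
        del self._pending[rid]
        grant = Grant(user, right, approver, self._clock() + ttl)
        self._grants.append(grant)
        self._log("approve", id=rid, user=user, right=right, approver=approver,
                  expires_at=grant.expires_at)
        return grant

    def reject(self, rid, approver, reason):
        user, right, _, _ = self._pending.pop(rid)
        self._log("reject", id=rid, user=user, right=right, approver=approver, reason=reason)

    def has_right(self, user, right):
        now = self._clock()
        # Expired grants are pruned on every check, so a stale grant is never honoured.
        self._grants = [g for g in self._grants if g.expires_at > now]
        if right in self._standing.get(user, ()):
            return True
        return any(g.user == user and g.right == right for g in self._grants)

    def revoke_user(self, user, reason):
        # "De-escalate on infection": drop every temporary grant for a flagged user and say why.
        keep = [g for g in self._grants if g.user != user]
        dropped = len(self._grants) - len(keep)
        self._grants = keep
        self._log("revoke", user=user, reason=reason, dropped=dropped)
        return dropped


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    broker = PrivilegeBroker(clock)
    rid = broker.request_elevation("alice", "install_software", "ticket 4711", ttl_seconds=600)
    broker.approve(rid, "bob")
    print(broker.has_right("alice", "install_software"))   # True while the grant is live
    clock.advance(601)
    print(broker.has_right("alice", "install_software"))   # False once it has expired
    for entry in broker.audit:
        print(entry)
```

Two details are worth copying into any real implementation: expiry is enforced at check time rather than by a background job, so a missed cleanup cannot leave a grant alive, and the audit list is the only record of who approved what, so it should be written somewhere the elevated user cannot edit.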
System admins waste 30% of their time manually managing user rights or installations.
Thor AdminPrivilege™ is the automatic Privileged Access Management (PAM) solution which frees up huge chunks of sys-admin time.
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
What is more, Thor AdminPrivilege™ is the only PAM solution on the market to deliver automatic de-escalation when a threat is detected, and it does so in tandem with whatever security software you already run. This remains true whether you are using Heimdal Security products or those of our competitors.
When Cybersecurity is Delivered as SaaS
Software as a service is a popular format for most tech companies, and the cybersecurity industry is no exception. Many big names in the field adopted this architecture, and Heimdal Security is no different. At this point, you might be wondering: how can we secure your SaaS applications when our products themselves are SaaS applications?
The answer here is simple and far less of a catch-22 than it might seem at first. Let’s circle back to what the NCSC stipulated in terms of SaaS security being a shared responsibility. This obligation is shared between you, the service consumer, and us, the service providers. As a cybersecurity company with years of expertise in the field, we are not only upholding our end of the bargain but helping you do so as well. Yes, it’s that simple.
Wrapping Up…
Most software nowadays is delivered as a service. Office staples such as Dropbox, Slack, ZenDesk, or Hubspot all follow this model, as do household names such as Netflix or Spotify. Our very own Heimdal Security suite of products is SaaS.
And when everything is SaaS and SaaS is everything, SaaS security becomes all the more important. This is a responsibility we take very seriously, and you should as well.