Quick: As a security or IT pro, what’s the first thing that pops into your head when you hear the phrase “asset management?” Chances are you thought about endpoint security and the vulnerable points of your cloud infrastructure.
But what about your SaaS applications? Do you think of them and the corporate data residing in these applications as assets that need to be protected? You should. There are too many ways in which a SaaS app can provide a conduit for unwanted parties to access your corporate data and potentially cause as much harm as if you had left an endpoint unmonitored and unprotected.
Here’s another overwhelming thought: As necessary as it is to get a holistic view of your SaaS application vulnerabilities, managing assets within the SaaS applications themselves is an impossibly tedious, manual process. Fortunately, we’ve taken on the heavy lifting of automating this process, quickly giving you the full visibility you need to take charge of your SaaS asset management.
How exposed are you?
Most IT and security administrators have only the vaguest idea, at best, of how many people have access to their company’s data through SaaS applications. They may think in terms of a few hundred, but our work with clients shows this is usually a drastic underestimate. You may well have thousands, or even tens of thousands, of people external to the company with access to your data.
How is this possible? When you compile a list of all the SaaS applications a typical mid-to-large-sized company depends on -- CRMs, collaboration and creativity platforms, development applications, HR tools, back office solutions, and more -- the number can skyrocket quickly. Then, when you think about the different ways that colleagues, contractors, customers, prospects and partners can come into contact with assets stored in these SaaS applications, the scope of SaaS asset management facing security and IT teams simply explodes.
At DoControl, we help companies monitor and manage seven crucial data access vulnerabilities that lurk in their SaaS subscriptions:
Each of these unique data access vulnerabilities represents a potential path for bad actors to ferret their way to data you don’t want them to have. Further, in addition to the data access your employees have extended to others via sharing links they created, there’s an entire other layer of risk stemming from indirect access by third-party OAuth applications. In any of these scenarios, the data access may have been given intentionally or unintentionally, recently or long ago. Much of this persistent access may be long forgotten and remain unchecked.
Let’s create a baseline of knowledge
As with all endeavors, to solve a problem you must first fully understand it. In the case of SaaS security, that means creating an inventory of all the relevant sources of data leakage. Specifically, you need to compile an exhaustive inventory of the following:
As you can tell from a glance, this list represents an impossible amount of work to undertake manually. But the DoControl platform automates the process and pulls all that data into a central location to give you full visibility across your company’s portfolio of SaaS applications. And it does it fast! With DoControl’s SaaS Asset Management, IT and security teams can aggregate the intelligence they need to monitor SaaS data access, identify anomalies in data movement, and remediate risky situations before they become verified security incidents.
Just the beginning of the process
Complete and centralized visibility is the only way you can know what you need to protect. But this asset inventory is only the first step. You need continuous monitoring of user activities within these SaaS applications to take informed action to prevent data access where it shouldn’t be granted, cut off data access where it’s no longer warranted, and stop data exfiltration wherever it’s happening. Such remediation capabilities are critical, and as with DoControl’s SaaS Asset Management, DoControl’s security workflows are supercharged with intelligent automation to make remediation at scale feasible.
We’ll look more closely at Continuous Monitoring and Automated Security Workflows in upcoming blog posts. For now, rest assured that DoControl has been engineered to address these phases of SaaS application security as well. In the meantime, explore our website to learn more about DoControl and get in touch with us to see how we can help your organization.
This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.
Just as with the cloud, securing SaaS is a shared responsibility. Providers are responsible for ensuring the security of their platforms, but the onus is on the organization consuming the service to protect itself from data overexposure and exfiltration, as well as cyber breaches and attacks.
In this blog we are going to focus on three of the most widely adopted SaaS applications, based on revenue and growth, as well as just general popularity. We will highlight the pitfalls and security gaps (note: these apps are not inherently insecure!), and how DoControl can help deliver a single, unified strategy for SaaS application security and reduce the risk of both data exfiltration and cyberattacks.