Will Your SSPM (SaaS Security Posture Management) Protect You From Bad Actors?

Any martial artist knows that the first step to effective defense is the right stance. The way your body is positioned, even before you make a move, is the foundation of the martial artist’s physical security. 

Your digital security is no different. It’s not the number of security tools and solutions, but the overall positioning of your SaaS environment that provides the base for its balance, leverage and power. SSPM (SaaS security posture management) is the technology that gets your SaaS ecosystem’s stance into one that will fend off security threats with the least amount of expended energy and resources.

As SaaS pervades the business workflows of organizations on all levels, SSPM becomes ever more important. Effective SSPM means less work for your IT and Information Security teams, significantly reduced chances of security incidents and the splitting headache they bring to your company, and simpler, smoother achievement of regulatory compliance  

This post will take a deep dive into SaaS security posture management and explain:

• Common sources of SaaS security threats
• Targets of SaaS application security threats
• What the ideal SaaS security posture looks like
• How to achieve that posture

What do SaaS threats threaten?

If a weak SaaS security posture enables a bad actor to gain entrance to your SaaS environment, multiple things are at stake. First and foremost (and what most people think about when they hear about a SaaS security breach) is your data. Sensitive, private, confidential, regulated information. The kind that - if it gets into the wrong hands - can result in financial, legal, strategic or reputational disaster.

After threats to your data come threats to your user identities. 

Last, but sometimes the most dangerous, are threats to your SaaS systems. 

Let’s explore those one by one.

Data

SaaS environments encourage the creation of data assets: lots of data assets. In a 2023 analysis we did of our client base, companies ended 2023 with 6.7M SaaS assets, on average. Organizations at the larger end of the scale (with 1000 employees or more) averaged 22.8M SaaS assets, with 189% YoY asset growth. 

While not all of that data is sensitive, a good percentage of it is. If your sensitive data is exposed, it can lead to negative consequences in the following areas:

Legal: non-compliance with regulations on how sensitive customer data must be treated can lead to audits and legal penalties from authorities - and lawsuits from individuals or organizations whose data was exposed

Financial: heavy fines are also a common penalty of regulatory non-compliance

Strategic: exposure of confidential business information to competitors can reduce or remove your strategic advantage

Reputational: organizations with publicized data breaches have to work especially hard to regain the trust of their clients or potential clients

It’s very easy for data to become accidentally exposed in SaaS systems. One negligent employee defining sharing settings as “anyone with the link can access” and boom - your sensitive data can potentially be accessed by and exposed to the entire world. 

While threat actors are more likely to steal copies of data than to remove the original data from your systems (it’s harder to detect that way), if they do delete data, your organization can be in serious trouble if you don’t have a comprehensive backup and disaster recovery plan. 

Identities

So much of SaaS security revolves around making sure data can only be accessed by the right people at the right time. 

But how do you know that the person trying to access a data asset is who they say they are? If bad actors gain access to SaaS user credentials through phishing campaigns, password spray attacks or any other means, they can use this hijacked identity to wreak all kinds of havoc in your SaaS ecosystem. 

Systems

Ambitious threat actors tend not to be content with the SaaS identity or data they initially access. It’s not unusual for bad actors to find ways to conduct privilege escalation, exploiting configuration errors or programming flaws to give themselves higher levels of permissions. Then they leverage those elevated permissions to move laterally through your systems, finding ways to cause more damage or exfiltrate more data. 

Where do SaaS security threats come from?

Who are these bad actors threatening your SaaS systems, identities and assets? They come in multiple manifestations, but fall into two major groups: humans and non-human applications.

Humans

There are two categories of human actors that you need to be aware of: insiders and outsiders. 

Insiders include anyone who enjoys some level of trust when it comes to your company assets and internal network. In this group are employees, partners, vendors, suppliers or contractors. 

Insiders can put your organization at risk through malicious intent, like the desire to leverage your company assets for personal gain or to cause harm to your company. Departing employees, for example, might try to take sensitive data with them, either for revenge or to help them in their new position. 

More often, however, insider risk stems from ignorance or negligence. Employees set asset access permissions to company-wide because it’s easier, even though now 5000 people have access to the asset when only 15 people really need it. Your third-party contractors share an asset with their sub-contractors, who share it with their sub-contractors… and no one remembers to revoke access, even when the project is complete.

Outsiders include the classic cybercriminals, looking for ways to break into systems and access data that they can then sell or hold for ransom.

Third-party SaaS apps

Third-party apps, plugins and integrations give SaaS much of its extensibility and productivity benefits. But every additional application that has access to your SaaS environment is an additional risk, and must be treated as such.

This is true whether an app was installed independently by a user and falls into the category of shadow SaaS, or whether it is an official IT-sanctioned app. 

Shadow SaaS apps are more likely to fall short of industry security standards, in addition to their being out of the purview and monitoring of IT and InfoSec teams. They are more likely to be malicious from the outset or compromised at some point after their installation.

Even if an app is sanctioned, default integration configurations may give those apps more privileges than they actually need to fulfill their function. Over-permissioned apps are an open door to unwanted data access.

What does an ideal SaaS security posture (stance) look like?

SSPM must balance two goals that are often at odds:

1. Facilitating SaaS’ streamlined workflows at their optimal speed, volume and scale
2. Keeping SaaS data and systems safe

The ideal SaaS security posture positions a SaaS environment to successfully attain both of those aims. 

Let’s take a close look at the necessary aspects of that secure stance - and how they practically translate into components of a SaaS security posture management solution.

A strong foundation

The basis of any martial arts stance is how the martial artist plants their feet and holds their torso. If a martial artist’s body positioning leaves any opening, any weak point that can be used against them by an opponent, the stance is a failure. 

In SaaS security posture management, the foundation of a secure stance is SaaS Misconfiguration Management. 

SaaS configurations are the high-level settings that determine how the application operates, like:

• user access controls
• data handling rules
• network settings
• security protocols

Improper configurations leave a SaaS ecosystem open to unauthorized access, data breaches or cyber attacks. Such was the widely publicized case where Microsoft Power Apps default configurations exposed sensitive data from dozens of entities - including government bodies - containing PII of millions of individuals. 

Misconfigurations are not only a weak point that can be leveraged by bad actors, but one that leaves you vulnerable to regulatory penal action as well. The claim of “it’s not our fault” doesn’t fly; it’s your responsibility to make sure your configurations protect your data.

SaaS Misconfiguration Management addresses the danger of SaaS application misconfigurations by:

• Comparing configurations to app provider-recommended settings or industry best practices
• Evaluating configuration risk levels 
• Implementing recommendations to remediate misconfigurations
• Continuously monitoring for configuration drift and remediating or alerting relevant teams

The latter is especially important because SaaS configurations are not just a one-and-done. Configurations can be unintentionally changed by multiple causes, including:

• SaaS administrators making manual changes without proper tracking
• Automated processes and scripts incorrectly modifying access settings
• SaaS provider updates and patches that alter configurations
• Third-party plugins and integrations altering settings

Automated SaaS Misconfiguration Management is essential for ongoing monitoring of your SaaS configuration stance and making corrections before a revealed weak point proves to be your organization’s undoing.

Situational awareness

A strong martial arts stance will enable the martial artist to have heightened awareness of what’s going on around them. Being able to see or sense all components of the environment is critical to ensure that they don’t get caught off guard.

In SaaS security posture management, the situational awareness aspect of a secure stance is taken care of by the discovery and classification functions of Data Access Governance, Identity Threat Detection & Response and Shadow App Governance. 

There is so much going on in a SaaS environment. Thousands of users. Dozens or hundreds of third-party apps. Millions of data assets. Effective SaaS security posture management necessitates intimate awareness of all of it.

Users are the domain of Identity Threat Detection & Response. This SSPM component should:

• Discover all user identities in the SaaS ecosystem
• Track user actions (e.g. logins, asset access, asset interactions)
• Aggregate all user data into a single identity posture 

Third-party apps are the domain of Shadow App Governance. This SSPM component should:

• Discover all third-party apps connected to your SaaS ecosystem
• Track permissions for each app
• Identify usage level of each app (e.g. has it been used in the past 30 days, 90 days, etc.)

Data assets are the domain of Data Access Governance. This SSPM component should:

• Discover all datasets within your SaaS ecosystem
• Accurately identify sensitive, personal or private data
• Track user permissions for each data asset
• Classify assets by exposure level (e.g. shared company-wide, shared publicly)

This detailed mapping of SaaS users, apps and data must be kept current. This is no small task, considering the scale and the rate of change in a SaaS environment, and requires an automated, continually-updating discovery system.

Situational analysis

Being able to sense every detail of your environment isn’t enough if you don’t know how to interpret the details. Inherent in a strong stance is the ability to understand what the environmental signals mean in terms of potential threats.

In SaaS security posture management, the situational analysis aspect of a secure stance is taken care of by the assessment and analysis functions of Data Access Governance, Identity Threat Detection & Response and Shadow App Governance.

When it comes to analysis of user behavior, Identity Threat Detection & Response should:

• Analyze and benchmark identity risk profiles
• Take contextual data into account when evaluating actions, such as data from HRIS, IdP

When it comes to assessment of third-party apps, Shadow App Governance should:

• Identify over-permissioned and dormant apps and assess their risk level and impact on the attack surface
• Identify malicious apps
• Detect suspicious or anomalous app activity

When it comes to analysis of data assets, Data Access Governance should:

• Identify over-exposed data assets
• Assess the risk level of over-exposed data assets
• Detect unusual dataset sharing or download patterns

• Check compliance against relevant standards and company policy

Ability to counter multiple threat types

If a martial artist’s stance is perfect for blocking punches, they may be in trouble when their opponent decides to kick. Or, if they have a rock-solid stance that makes it impossible for anyone to knock them over from the front or back, but their opponent decides to attack them from the side, they may find themselves on the ground.

As enumerated above in the sections covering SaaS security threat sources and targets, the threats to your SaaS applications come in multiple types. Effective SaaS security posture management should cover as many of these threat types as possible, as well as the connections and interactions between threat types.

The ideal SSPM solution should cover:

• Misconfigurations
• Identities
• Data
• Shadow apps

But ideal SSPM should not be limited to addressing each SaaS security risk in a silo. It should enable your information security team, for example, to use data exposure information to shed light on identity risk, and identity risk information to give context to data asset exposure. A comprehensive, integrated perspective is key to effectively countering SaaS security threats.

Conservation of energy/efficient use of resources

A stance that gives a martial artist intense power but also drains energy will be a detriment in a conflict that lasts a long time. Fatigue compromises defense and the ability to execute techniques effectively. In contrast, when a stance conserves the martial artist’s energy and enables efficient use of physical and mental resources, it supports long-term success. 

In SaaS security posture management, the energy conservation and resource efficiency aspect of a secure stance is taken care of by Automated Remediation.

SaaS application security is not a one-off confrontation, or a limited-time tournament. SaaS security is a 24/7/365 involvement - for years. In order to maintain an effective level of SaaS security, your SaaS security posture management must use your resources as efficiently as possible. 

If manual investigation and remediation is required for every SaaS application security issue, your IT and information security teams will soon suffer from:

• Work overload
• Alert fatigue

Automated Remediation workflows that can address:

• Problematic data sharing or access issues
• Suspicious user activity
• Unsanctioned or over-permissioned third-party apps

are critical to conserving your information security resources, enabling human team members to deal only with issues that need a human judgement call.

Time to get your SaaS Security Posture Management into alignment

If your SaaS security posture lines up with all the elements described above, fantastic! You’re standing strong, with a stance that gives you the optimum balance, leverage and power to fend off any security threats to your SaaS environment. 

If you’re not there yet, now is the time. Your SaaS assets, identities and systems are only going to grow. Invest now in your SaaS security posture management: the foundation of your entire SaaS ecosystem’s security.