The problem hidden in plain sight
The world is a scary place these days if you are in charge of keeping your company safe. Ransomware, data protection, integrating AI responsibly: CISOs have plenty of rising challenges to worry about.
Here’s one that deserves more focus: securing SaaS apps. According to a recent Salesforce study, the average enterprise today has over 1,000 apps, and around 40% of those are totally unmanaged. All of those apps add up to a huge risk.
Why don’t we see more emphasis and attention on SaaS app security? Not because it doesn’t matter, but because the problem seems insoluble. We have all been trained to accept this state of affairs because there is no apparent alternative. After all, when you have hundreds of vendors providing point solutions to your company, there is simply no way to perform meaningful due diligence on each one. With so many solutions to worry about, CISOs often focus on securing their most sensitive apps and on reacting to past incidents.
Time to take back control
This just isn’t good enough. We need a new model, one based not on attempting to monitor and manage the individual apps, but on creating an aggregate point of control across all of them.
And the problem is only growing in scale and urgency. Today’s cloud apps run on your company data, exposing it to potential loss and abuse. The rise of AI, which demands access to huge amounts of data to be effective, will only compound the problem. Already, the opaque nature of these apps is a major obstacle for companies seeking to comply with modern data privacy regulations.
The only possible response: A foundation of control that spans across all our apps, allowing us to track, set policy, manage encryption, and restrict apps at scale.
This will only be possible if we demand different things from our solution providers. We need to change what is “normal” and insist on new practices that give us control over our own IT environment and data.
Call these the new rules of SaaS application security! These are the things you should start insisting on from your vendors.
1. You should have access to, and control over, audit logs
A huge part of the problem of securing apps is how hard it is to track app behavior. Consider what it takes to get the most basic data on usage today – the audit log.
While some vendors make it readily available, most do not. Some apps have no audit log at all; others make you request an export and wait for someone to send it. Every such request needs human intervention and introduces delay, so consistent monitoring becomes impossible and the window in which an incident goes unnoticed grows. As a result, it is very hard to get a good view of usage and possible risk for any individual app today.
It does not have to be like this. If the audit logs were delivered continuously into your own environment, your SIEM or log store, you would have both access and control: you could correlate them with other sources, alert on them in near real time, and retain them on your own schedule rather than the vendor’s, spotting threats or risks before they become full-on problems.
This will not just happen on its own! We have to start educating our vendors on why this matters… and demanding that they provide us with the vital access that we need to keep our users, customers, and business safe.
2. Everything should be encrypted – and you should hold the keys
If you spend some time looking at the state of encryption across SaaS apps, you will find wild inconsistency. Even on apps that claim to encrypt your data fully, the encryption can turn out to be fully or partially absent, or weaker than stated.
This is simply not sustainable. We cannot have a “hope and trust” data encryption strategy in today’s threat environment, when one exploit can cause tremendous damage to your business, customers, and reputation. From complying with regulations like GDPR and HIPAA, to ensuring the integrity of the data that you use to run your business, to serving as a last line of defense, encryption is more vital to companies than ever.
The answer is clear. We need a more rigorous and consistent approach to encryption. And we need to control the keys ourselves, in our own safe environment. Holding the keys means the vendor’s copy of your data is readable only for as long as you allow it: revoke the key and that data goes dark, whatever the vendor’s retention practices happen to be.
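To make “we hold the keys” concrete, here is an added example written for this post; it is not Ironclad’s implementation or any vendor’s. It shows envelope encryption in Go with the key-encryption key on the customer’s side: the customer service holds the KEK and answers only wrap and unwrap calls, while the vendor side generates a fresh data key per record, encrypts with AES-256-GCM, and stores nothing but ciphertext and the wrapped data key. The names CustomerKeyService, Record, Encrypt and Decrypt are this example’s own, and wrapping the data key with AES-GCM under the KEK stands in for the wrap operation a real KMS or HSM would provide.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CustomerKeyService stands in for the customer's own KMS or HSM: it holds the key-encryption key
// (KEK) and answers only wrap/unwrap calls, so the KEK never leaves the customer's side.
// A real KMS exposes its own wrap API; here wrapping is AES-256-GCM under the KEK (example only).
type CustomerKeyService struct{ kek []byte }

func NewCustomerKeyService() *CustomerKeyService { return &CustomerKeyService{kek: randomBytes(32)} }

var dekAAD = []byte("wrapped-dek") // domain separation between DEK wrapping and record encryption

func (k *CustomerKeyService) Wrap(dek []byte) ([]byte, error)    { return seal(k.kek, dek, dekAAD) }
func (k *CustomerKeyService) Unwrap(blob []byte) ([]byte, error) { return open(k.kek, blob, dekAAD) }

// Revoke is the customer destroying the KEK. With no key, aes.NewCipher rejects every Wrap and
// Unwrap, so the vendor's stored data goes dark without the vendor deleting or cooperating.
func (k *CustomerKeyService) Revoke() { k.kek = nil }

// Record is everything the vendor persists: ciphertext plus the wrapped per-record DEK.
type Record struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// Encrypt is the vendor's write path: a fresh DEK per record, the record id bound as AAD (so a
// blob moved under another id will not open), and only the wrapped DEK kept alongside.
func Encrypt(keys *CustomerKeyService, id string, plaintext []byte) (Record, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := keys.Wrap(dek)
	if err != nil {
		return Record{}, err
	}
	return Record{ct, wrapped}, nil
}

// Decrypt is the vendor's read path; it cannot succeed unless the customer still unwraps the DEK.
func Decrypt(keys *CustomerKeyService, id string, r Record) ([]byte, error) {
	dek, err := keys.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(id))
}

// seal and open are AES-256-GCM with a random 96-bit nonce prepended to the ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing platform CSPRNG is not something to work around
	}
	return b
}

func main() {
	keys := NewCustomerKeyService()
	rec, _ := Encrypt(keys, "contract-42", []byte("net-30 terms"))
	pt, _ := Decrypt(keys, "contract-42", rec)
	keys.Revoke()
	_, err := Decrypt(keys, "contract-42", rec)
	fmt.Printf("before revoke: %q; after revoke: %v\n", pt, err)
}
```

Running it prints the plaintext from the first Decrypt and an error from the one after Revoke: once the customer destroys the KEK, nothing the vendor holds can be opened, and new writes fail too. Two details matter in practice. The record id is bound as GCM associated data, so a ciphertext cannot be quietly re-attached to a different record. And while the vendor is processing a record it necessarily has the unwrapped data key and plaintext in memory, so key control protects data at rest and makes revocation real; it does not replace the audit logging and monitoring discussed above.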
3. You should be able to acquire and analyze app data easily
It is hard enough today to access usage data from any single app (see my points about audit logs above). It is essentially impossible, however, to get the type of landscape view across all of your apps that would allow you to make better decisions.
This is because when apps do provide data, whether in audit log format or otherwise, they do so using their own structure and taxonomy: their own field names, event types, and timestamp formats. You often need an engineer to work with it and pull it into a database. Then the data has to be cleaned up and standardized before it can be compared with anything else or aligned to your own needs.
This is a big deal. It makes it hard to understand patterns of use or abuse across apps, as well as to spot opportunities to improve service to the business and your stakeholders. It becomes challenging to see the bigger picture to make better decisions and investments.
To understand why this matters, think about how many different apps may be involved in a business process. To get a full understanding of a customer, for example, you might need to pull and integrate data from your procurement system, your digital contracting solution, and a privacy tool. Today, the heavy burden of acquiring all that data and preparing it for analysis falls almost entirely on you, not your vendors. That needs to change.
Solution providers need to change their understanding of what data means to their customers. It is not a nice-to-have for modern companies, a mere byproduct of application usage. It is an invaluable resource and the fuel that we need to improve and build our businesses. And it is ours, not theirs.
This data should be easier to access and work with, usable by non-engineers as well as data scientists. It should be provided in a standardized format that supports advanced analysis and integration with data from other sources.
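The audit-log point in rule 1 and the data-standardization point in rule 3 come down to the same engineering task, so here is one added example for both, written for this post rather than taken from Ironclad or any vendor. It is a small Go program that takes audit lines in two invented vendor formats, maps them into a single event schema (one actor format, one verb vocabulary, one clock), and runs a detection rule across the merged stream: alert when any user exports at least three objects within ten minutes, counted across apps. The vendor names, JSON field names, verb tables, and the sample log lines are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is the common schema both feeds are mapped into; the field names are this example's own.
type Event struct {
	Time   time.Time
	App    string
	Actor  string // lower-cased e-mail, so one person matches across apps
	Action string // normalized verb: login, export, delete, other
	Object string
}

// Per-vendor verb tables do the taxonomy translation; normalize handles anything not listed.
var vendorAVerbs = map[string]string{"USER_LOGIN": "login", "DOCUMENT_EXPORTED": "export", "DOCUMENT_DELETED": "delete"}
var vendorBVerbs = map[string]string{"signin": "login", "download": "export", "purge": "delete"}

func normalize(verbs map[string]string, raw string) string {
	if v, ok := verbs[raw]; ok {
		return v
	}
	return "other" // unknown verbs are kept for review rather than silently dropped
}
// ParseVendorA maps hypothetical vendor A ("contracts"): RFC 3339 timestamps, SCREAMING_CASE event types.
func ParseVendorA(line string) (Event, error) {
	var e struct {
		TS        string `json:"ts"`
		UserEmail string `json:"user_email"`
		EventType string `json:"event_type"`
		DocID     string `json:"document_id"`
	}
	if err := json.Unmarshal([]byte(line), &e); err != nil {
		return Event{}, err
	}
	t, err := time.Parse(time.RFC3339, e.TS)
	return Event{t, "contracts", strings.ToLower(e.UserEmail), normalize(vendorAVerbs, e.EventType), e.DocID}, err
}
// ParseVendorB maps hypothetical vendor B ("procurement"): epoch seconds and its own verb vocabulary.
func ParseVendorB(line string) (Event, error) {
	var e struct {
		OccurredAt int64  `json:"occurred_at"`
		ActorEmail string `json:"actor_email"`
		Verb       string `json:"verb"`
		Target     string `json:"target"`
	}
	if err := json.Unmarshal([]byte(line), &e); err != nil {
		return Event{}, err
	}
	return Event{time.Unix(e.OccurredAt, 0).UTC(), "procurement", strings.ToLower(e.ActorEmail), normalize(vendorBVerbs, e.Verb), e.Target}, nil
}

// BulkExports returns actors with at least threshold exports inside any interval of length
// window, counted across all apps; a per-app view would miss someone taking a few from each.
func BulkExports(events []Event, threshold int, window time.Duration) []string {
	byActor := map[string][]time.Time{}
	for _, ev := range events {
		if ev.Action == "export" {
			byActor[ev.Actor] = append(byActor[ev.Actor], ev.Time)
		}
	}
	var alerts []string
	for actor, ts := range byActor {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := threshold - 1; i >= 0 && i < len(ts); i++ {
			if ts[i].Sub(ts[i-threshold+1]) <= window {
				alerts = append(alerts, actor)
				break
			}
		}
	}
	sort.Strings(alerts)
	return alerts
}
func must(ev Event, err error) Event {
	if err != nil {
		panic(err)
	}
	return ev
}
// LoadSample parses constructed sample lines (not real vendor output) into the common schema.
func LoadSample() []Event {
	return []Event{
		must(ParseVendorA(`{"ts":"2024-05-01T09:00:00Z","user_email":"Alice@Example.com","event_type":"USER_LOGIN","document_id":""}`)),
		must(ParseVendorA(`{"ts":"2024-05-01T09:01:10Z","user_email":"Alice@Example.com","event_type":"DOCUMENT_EXPORTED","document_id":"doc-1041"}`)),
		must(ParseVendorA(`{"ts":"2024-05-01T09:02:30Z","user_email":"alice@example.com","event_type":"DOCUMENT_EXPORTED","document_id":"doc-1042"}`)),
		must(ParseVendorB(`{"occurred_at":1714554240,"actor_email":"alice@example.com","verb":"download","target":"po-7781"}`)),
		must(ParseVendorB(`{"occurred_at":1714555800,"actor_email":"bob@example.com","verb":"download","target":"po-7790"}`)),
	}
}

func main() {
	fmt.Println("bulk export alerts:", BulkExports(LoadSample(), 3, 10*time.Minute))
}
```

The rule only works because the data is normalized first: two DOCUMENT_EXPORTED events from one app plus one download from another are three exports by the same person once the e-mail addresses are lower-cased, the verbs are mapped, and the epoch timestamp is put on the same clock as the RFC 3339 ones; a per-app dashboard would show three unremarkable events. Unknown verbs are mapped to “other” rather than dropped, so a vendor adding a new event type shows up as something to review instead of disappearing, and a line that cannot be parsed fails loudly, which is the behaviour you want from a pipeline you intend to alert on.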
Final thoughts: A better path for our industry
I know this might seem like a lot to ask from solution providers. Change is hard, and these new practices will require work and investment from vendors. Ultimately, however, these new ways of working would be to everyone’s benefit.
Giving customers more control and influence over their own data and security profile works to the advantage of all. Vendors are not positioned to understand and adapt to the larger security concerns of their customers. And no solution provider wants to be seen as responsible for a data breach or exploit.
To those that would say this is too much to ask, too technically difficult to implement, I would just point out that Ironclad is taking these steps right now. Coming next month, we are launching a new Security and Data Pro offering for the Ironclad digital contracting platform that addresses these exact challenges.
This is not a one-time release; it is a new way of doing business, a commitment that we are making to our customers. Because we understand that giving them more control and insight over their technology and data is the right thing to do.
We hope you will agree, and join us in asking for these additional layers of trust, compliance, and governance from your mission-critical apps! Because it is past time for us to shift to a new model of centralized and standardized application security. These common-sense changes would radically improve the risk profile of SaaS, making it easier and safer for everyone.
Ironclad is not a law firm, and this post does not constitute or contain legal advice. To evaluate the accuracy, sufficiency, or reliability of the ideas and guidance reflected here, or the applicability of these materials to your business, you should consult with a licensed attorney. Use of and access to any of the resources contained within Ironclad’s site do not create an attorney-client relationship between the user and Ironclad.