I recently co-hosted a fascinating online discussion entitled "Managing SaaS-to-SaaS: How CISOs Can Mitigate Third-party Integration Risks" with two close colleagues and highly experienced CISOs – Maarten Van Horenbeeck, SVP and CISO at Zendesk, and Andy Ellis, former CSO at Akamai and current advisory CISO at Orca Security and operating partner at YL Ventures.
Over the course of 40 minutes, we discussed how the complex, ever-expanding mesh of SaaS-to-SaaS integrations has introduced new risks and challenges for CISOs. Existing security solutions focus solely on providing visibility and control over the human-to-application layer. They overlook app-to-app communications, especially the complex mesh of often unvetted third-party integrations that business units connect to their sanctioned, business-critical apps such as Microsoft 365 and Salesforce, typically without security team review or governance.
These unmanaged integrations often enhance business productivity, but also open up organizations to a host of new risks, from compromised APIs to lateral movement of threats that can significantly increase an organization’s attack surface, leading to potential high-impact account takeovers and data theft.
Maarten and Andy touched upon the rapid growth in both the number of operation-critical SaaS applications used by organizations and the number of integrations between them. As these elements scale, so does organizational dependency on them for efficiency, innovation, and streamlined workflows in the business environment. New security controls need to be introduced, but ones that don't end up inhibiting business productivity or velocity. Nonetheless, both CISOs agree that without visibility and constant oversight of their SaaS integrations, security teams will lose control over this mesh and, more concerningly, over the data that flows across it.
This friction between business goals and security risks is hardly new, but, as Maarten states, "The Mesh actually magnifies risks. We don't know how individual risks within each application multiply as the app interacts with others. As a result, the Mesh grows and becomes a real challenge for us to manage." In order to understand what tools and processes exist for such management, without performance degradation, we touched upon Third-Party Risk Management (TPRM) mechanisms and how they should be enhanced, why offboarding is a critical component of a healthy security posture, and why non-human integrations demand zero trust controls.
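The three controls mentioned above (visibility over unreviewed integrations, least privilege for non-human access, and offboarding of dormant grants) can be applied to an integration inventory mechanically. The following is an added example, not code from the webinar or from any of the speakers' organizations: the inventory records, the integration names, the permission list and the 90-day dormancy threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Integration:
    """One SaaS-to-SaaS grant: a third-party app holding access to a sanctioned app."""
    sanctioned_app: str      # the business-critical app being integrated into
    third_party: str         # the integrating third-party app
    scopes: tuple            # permissions granted to the integration
    security_reviewed: bool  # passed TPRM / security review
    last_used: date          # last API activity observed for this grant
    owner: str               # business unit that set the integration up

# Assumed list of permissions that let a non-human integration read or change
# data broadly; a real deployment would take this from the platform's own catalogue.
HIGH_PRIVILEGE = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All", "full", "api"}
STALE_DAYS = 90  # assumed dormancy threshold for offboarding

def assess(integrations, today):
    """Map (sanctioned_app, third_party) -> list of findings; an empty list means clean."""
    findings = {}
    for i in integrations:
        issues = []
        if not i.security_reviewed:                       # visibility / governance gap
            issues.append("unreviewed")
        high = sorted(HIGH_PRIVILEGE.intersection(i.scopes))
        if high:                                          # non-human access beyond least privilege
            issues.append("high-privilege:" + ",".join(high))
        if (today - i.last_used).days > STALE_DAYS:       # dormant grant, offboarding candidate
            issues.append("stale-offboard")
        findings[(i.sanctioned_app, i.third_party)] = issues
    return findings

def offboarding_candidates(integrations, today):
    """Third-party apps whose grants are dormant and should be revoked."""
    return [tp for (_, tp), issues in assess(integrations, today).items()
            if "stale-offboard" in issues]

# Constructed sample inventory (illustrative records, not real tenant data).
SAMPLE = [
    Integration("Microsoft 365", "example-chat-bot", ("User.Read", "Calendars.Read"),
                True, date(2023, 5, 1), "IT"),
    Integration("Microsoft 365", "example-scheduler", ("Mail.ReadWrite", "Files.ReadWrite.All"),
                False, date(2023, 4, 28), "Marketing"),
    Integration("Salesforce", "example-lead-sync", ("api", "refresh_token"),
                True, date(2022, 11, 1), "Sales"),
]

if __name__ == "__main__":
    for key, issues in assess(SAMPLE, date(2023, 5, 10)).items():
        print(key, issues or "ok")
```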