The Expanding SaaS Mesh
SaaS applications have become deeply embedded in every business function within forward-thinking organizations, from sales and marketing to R&D. Designed to facilitate business productivity and efficiency, they empower business users to adopt and interconnect them directly and at scale.
As a result of this indiscriminate adoption, however, SaaS applications, integrations, users and data have evolved into a sprawling SaaS mesh that is ungoverned and unmanaged by security teams.
Instead of centralized control and management by IT security teams, adoption, administration and management are distributed across departments, functions and business units.
SaaS platforms encourage business users to connect their best-of-breed SaaS applications using third-party SaaS-to-SaaS integrations. Whether it's an end user connecting an OAuth app, an administrator creating an API key, or a citizen developer automating business workflows with no/low-code platforms like Microsoft Power Platform, Workato, Zapier, etc., these integrations can increase SaaS security risk because they are often insecure, inactive and over-privileged.
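The two risk signals named above, inactivity and over-privilege, are simple to check once an integration inventory has been normalised. The following is an added example, not code from the original page or from any vendor: it audits a constructed list of OAuth apps, API keys and low-code flows (the field names, scope strings and the 90-day threshold are assumptions) and reports each integration that is unused or holds a scope broader than read access.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data: what a SaaS-to-SaaS integration inventory might
# look like after normalisation. Scope names are illustrative, not any
# vendor's real scope strings.
SAMPLE_INTEGRATIONS = [
    {"id": "int-001", "kind": "oauth_app", "owner": "alice@example.com",
     "scopes": ["files.read", "profile.read"], "last_used": "2024-05-20"},
    {"id": "int-002", "kind": "api_key", "owner": "bob@example.com",
     "scopes": ["admin:all"], "last_used": "2023-11-02"},
    {"id": "int-003", "kind": "lowcode_flow", "owner": "carol@example.com",
     "scopes": ["mail.send", "files.readwrite"], "last_used": "2024-06-01"},
    {"id": "int-004", "kind": "oauth_app", "owner": "dave@example.com",
     "scopes": ["profile.read"], "last_used": None},
]

INACTIVE_DAYS = 90  # assumed policy threshold
# Scope fragments treated as over-privileged for a typical integration
# (assumption; tune to the real scope vocabulary of each platform).
BROAD_SCOPE_MARKERS = ("admin", "readwrite", "write", "all", "send")


@dataclass
class Finding:
    integration_id: str
    owner: str
    reasons: list = field(default_factory=list)


def is_broad_scope(scope):
    """True if the scope grants more than read access by our markers."""
    s = scope.lower()
    return any(marker in s for marker in BROAD_SCOPE_MARKERS)


def days_inactive(last_used, today):
    """Days since last use, or None if the integration was never used."""
    if last_used is None:
        return None
    return (today - date.fromisoformat(last_used)).days


def audit_integrations(integrations, today):
    """Return a Finding for every integration that is inactive or over-privileged."""
    findings = []
    for item in integrations:
        reasons = []
        inactive = days_inactive(item["last_used"], today)
        if inactive is None:
            reasons.append("never used")
        elif inactive > INACTIVE_DAYS:
            reasons.append(f"inactive for {inactive} days")
        broad = [s for s in item["scopes"] if is_broad_scope(s)]
        if broad:
            reasons.append("over-privileged scopes: " + ", ".join(broad))
        if reasons:
            findings.append(Finding(item["id"], item["owner"], reasons))
    return findings


if __name__ == "__main__":
    for f in audit_integrations(SAMPLE_INTEGRATIONS, date(2024, 6, 10)):
        print(f.integration_id, f.owner, "; ".join(f.reasons))
```

Run as-is, the audit flags the stale admin API key, the low-code flow with write and send scopes, and the never-used OAuth app, while the read-only app that was used recently passes. In practice the owner field is what makes the finding actionable, since the business user who created the integration is the one who can revoke or narrow it.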
Business users rely on SaaS applications to share data with both internal and external collaborators. Users can easily share sensitive data such as documents, presentations, emails and even source code with specific users, or open it to public access. Typically, users are unaware of the security implications of their data sharing settings, and more often than not they set overly broad sharing privileges that can expose sensitive data to unauthorized users outside the organization.
Adoption of identity providers (IdP) such as Okta has become an industry standard for managing organizational users. But such solutions have a limited purview: they cover only part of human user access, they lack visibility into authorization within the platforms, and business users can still configure SaaS applications to bypass or override the IdP's configuration. As SaaS adoption scales, it becomes a challenge to detect and track identities that are not managed by the IdP, over-privileged users, and accounts with weak authentication. These identities open the organization up to account compromise and data loss breaches.
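The gap described here can be measured by reconciling each application's own user list against the IdP directory. The following is an added example, not code from the original page or from any vendor: it takes a constructed IdP directory and constructed per-app user exports (field names, role names and auth-method labels are assumptions) and sorts accounts into the categories the paragraph names: not managed by the IdP, privileged, authenticating weakly, and IdP-managed users who nevertheless log in around the IdP.

```python
from collections import defaultdict

# Constructed sample data: a flat export of IdP-managed identities and the
# user lists of two SaaS applications. Field names are assumptions.
IDP_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}

SAAS_USERS = {
    "crm": [
        {"email": "alice@example.com", "role": "user", "auth": "sso"},
        {"email": "bob@example.com", "role": "admin", "auth": "sso"},
        {"email": "contractor@partner.example", "role": "admin", "auth": "password"},
    ],
    "wiki": [
        {"email": "Carol@example.com", "role": "user", "auth": "password"},
        {"email": "old-svc@example.com", "role": "user", "auth": "api_token"},
    ],
}

PRIVILEGED_ROLES = {"admin", "owner"}   # assumed role vocabulary
STRONG_AUTH = {"sso", "sso_mfa"}        # assumed auth-method labels


def reconcile(idp_users, saas_users):
    """Classify every SaaS account by the identity risks the IdP cannot see.

    Returns a dict of category -> list of (app, email). An account can fall
    into several categories at once.
    """
    idp = {e.lower() for e in idp_users}
    report = defaultdict(list)
    for app, users in saas_users.items():
        for u in users:
            email = u["email"].lower()
            managed = email in idp
            if not managed:
                report["unmanaged"].append((app, email))
            if u["role"] in PRIVILEGED_ROLES:
                report["privileged"].append((app, email))
            if u["auth"] not in STRONG_AUTH:
                report["weak_auth"].append((app, email))
                # An IdP-managed user signing in with a local credential is
                # the "bypass or override the IdP" case from the text.
                if managed:
                    report["idp_bypass"].append((app, email))
    return dict(report)


if __name__ == "__main__":
    for category, accounts in reconcile(IDP_USERS, SAAS_USERS).items():
        print(category)
        for app, email in accounts:
            print(f"  {app}: {email}")
```

The intersection of the categories is what matters most for triage: an account that is both unmanaged and privileged (the contractor admin in the constructed data) is the kind of identity that survives an IdP offboarding and is never reviewed.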
The number of SaaS applications, their depth of complexity and the application-specific know-how they require have created an emerging challenge for security teams: ensuring proper SaaS security policy configuration, whether for internal company policies or to maintain compliance with industry standards and frameworks such as SOC 2, ISO 27001 and NIST. Each SaaS application has its own set of security controls and terminology, which makes detecting and monitoring settings and configuration drift a burdensome task.
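One way to deal with the terminology problem is to map each application's vendor-specific setting names onto a small set of normalised controls and compare those against a single baseline. The following is an added example, not code from the original page or from any vendor: the baseline controls, the vendor setting keys and the two application exports are all constructed, and the comparison rules (exact match for booleans, upper or lower bound for numbers) are assumptions chosen for the example.

```python
# Constructed normalised baseline: one name per control, vendor-independent.
BASELINE = {
    "mfa_required": True,
    "session_timeout_minutes": 60,   # maximum allowed idle time
    "public_link_sharing": False,
    "password_min_length": 12,       # minimum allowed length
}

# How each control is judged compliant (assumed rules for the example).
COMPARATORS = {
    "mfa_required": lambda actual, want: actual == want,
    "session_timeout_minutes": lambda actual, want: actual <= want,
    "public_link_sharing": lambda actual, want: actual == want,
    "password_min_length": lambda actual, want: actual >= want,
}

# Per-application mapping from normalised control to the vendor's own
# setting key. The keys below are invented, not any real product's.
APP_SETTING_MAP = {
    "crm": {
        "mfa_required": "security.two_factor.enforced",
        "session_timeout_minutes": "security.session.idle_timeout",
        "public_link_sharing": "sharing.anonymous_links",
    },
    "wiki": {
        "mfa_required": "auth.mfa",
        "password_min_length": "auth.password_policy.min_len",
        "public_link_sharing": "pages.public_access",
    },
}

# Constructed configuration exports as each application would report them.
APP_EXPORTS = {
    "crm": {
        "security.two_factor.enforced": True,
        "security.session.idle_timeout": 480,
        "sharing.anonymous_links": True,
    },
    "wiki": {
        "auth.mfa": False,
        "auth.password_policy.min_len": 14,
        "pages.public_access": False,
    },
}


def check_drift(baseline, setting_map, exports):
    """Return (app, control, actual, expected) for every setting off baseline.

    A mapped setting absent from the export is reported with actual="missing"
    so a silently dropped control is not mistaken for a compliant one.
    """
    drifts = []
    for app, mapping in setting_map.items():
        export = exports.get(app, {})
        for control, vendor_key in mapping.items():
            if control not in baseline:
                continue
            expected = baseline[control]
            if vendor_key not in export:
                drifts.append((app, control, "missing", expected))
                continue
            actual = export[vendor_key]
            if not COMPARATORS[control](actual, expected):
                drifts.append((app, control, actual, expected))
    return drifts


if __name__ == "__main__":
    for app, control, actual, expected in check_drift(BASELINE, APP_SETTING_MAP, APP_EXPORTS):
        print(f"{app}: {control} is {actual!r}, baseline requires {expected!r}")
```

Running the same comparison on every export and diffing the result against the previous run turns a one-off compliance check into drift monitoring: a control that was compliant yesterday and appears in today's list was changed by someone, and that change is the event worth reviewing.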
Current Security Solutions Are Insufficient
Cloud Access Security Broker (CASB)
CASBs were designed to discover SaaS applications in a corporate network through a proxy architecture and to monitor user activities within those applications. Over the years, however, SaaS applications have become more complex, and the modern SaaS mesh includes more applications and multiple layers of configurations, data, identities and third-party integrations that CASB solutions are blind to and do not monitor.