Most SaaS application security failures are caused by users, not cloud providers, and enterprises must adjust their strategies to address this reality.
Enterprises will spend $96.3 billion on cloud security products and services this year, an 8% increase over 2017 investments, according to Gartner. But inherent cloud app security is no longer enterprises' top security concern -- it's whether an enterprise can use SaaS securely, said Ramon Krikken, analyst at Gartner.
So far, many can't, and that problem won't go away. Gartner predicted that, by 2022, users will cause 95% of SaaS application security breaches.
SaaS vendors and users share responsibility for cloud application security, but enterprises must know where the vendors' requirements end and theirs begin. Typically, vendors secure the cloud infrastructure, while users must secure applications, software platforms, data and integrations.
Users often fail to hold up their end of SaaS application security management in four areas: vetting apps before deployment; controlling employees' downloads; documenting and managing SaaS portfolios; and completing security maintenance tasks, such as patching and configuration.
Pry open security team silos
When applications lived on premises, security administrators and analysts could handle security mostly on their own. Now that cloud environments are the norm, SaaS application security must be shared across all departments.
"Security is everyone's responsibility, and that means DevOps, developers, IT, everyone," said Chris Moyer, VP of technology for ACI Information Group, a content aggregation service based in Guilford, CT. Naturally, some parts of the organization will have more influence than others, but SaaS application security is a job for the many, not the few.
A business that fails to involve all departments in SaaS application security efforts can't make informed decisions on security spending and policies. "All of the people in the security food chain must be involved in getting the best information they can," said Kevin Beaver, information security consultant for Principle Logic in Acworth, Ga.
The automation-driven Agile and DevOps models can provide a framework for holistic security efforts. A DevSecOps practice, in particular, brings the business's security experts into DevOps' digital automation projects and security into all parts of software lifecycles.
On the automation technology side, many DevOps and security tools overlap. Enterprises can extend automated orchestration tools and apply them to security. For example, SaltStack Enterprise provides cloud application and container orchestration, and it can also be used for security policy control. DevOps tools focused on certain tasks, like Chef for automated testing, also can be applied to security.
Assess and dismantle application glut
Cloud application sprawl can defeat even well-organized security teams. "Most enterprises run more cloud apps and services than their internal DevSecOps teams can handle," Krikken said.
Applications once took months to go from conception to deployment, but enterprises can now deploy cloud apps in minutes. "That's why few businesses do security checks for every cloud app that crosses the threshold," said Liz Herbert, analyst for Forrester Research in Cambridge, Mass. Even those who vet their cloud app providers' security quality and service-level agreements can fail to recheck them regularly, which leads to outdated governance and security practices.
Many enterprises don't know which or how many cloud apps they have, Krikken said. Without an accurate application inventory, a business fosters the security risks of shadow IT, the secret underground of apps that IT departments don't recognize or support.
Combined, application sprawl and shadow IT spawn an undersecured software portfolio. The biggest risk here lies in failure to test apps and the integrations between them, Beaver said.
To manage the security of a large cloud application portfolio, DevSecOps teams should conduct a comprehensive security risk assessment, Herbert said. Create an inventory of all applications, services and tool sets, and analyze for vulnerabilities. The next step is to assess staff security certifications and breadth of expertise. Together, this documentation can guide allocation of staff resources and investments in security tools and services.
A cloud access security broker (CASB), a type of cloud-based security-as-a-service suite, can help DevSecOps teams identify, view and analyze cloud applications and their security defects. "CASBs act as a gatekeeper, sitting between the enterprise and SaaS provider to make sure the cloud app meets the business's security requirements," Krikken said. CASBs also provide an administrative console for SaaS application security management.
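The inventory step Herbert describes, and the shadow IT problem Krikken raises, both start with the same question: which SaaS hosts are employees actually reaching, and is each one on the sanctioned list with a current security review? The script below is an added example, not code from the article or from any vendor named in it. It parses a constructed web-proxy log, aggregates usage per destination host, and compares it against a constructed inventory (hypothetical hostnames, owners and review dates) to report unsanctioned apps and sanctioned apps whose review is overdue, which is the kind of visibility a CASB console provides.

```python
"""Shadow IT discovery: proxy log versus sanctioned SaaS inventory (added example)."""
from dataclasses import dataclass, field
from datetime import date
import re

# Constructed sanctioned-app inventory. Hostnames, owners and dates are hypothetical.
SANCTIONED = {
    "crm.example-saas.com": {"owner": "sales", "last_review": date(2018, 3, 1)},
    "docs.example-suite.io": {"owner": "it", "last_review": date(2016, 11, 15)},
}

# Constructed proxy log: timestamp, user, destination host, bytes sent.
PROXY_LOG = """\
2018-06-04T09:12:01Z alice crm.example-saas.com 4120
2018-06-04T09:13:44Z bob filedrop.example-unknown.net 882000
2018-06-04T09:15:09Z alice docs.example-suite.io 2300
malformed line that should be skipped
2018-06-04T10:02:37Z carol filedrop.example-unknown.net 1200400
2018-06-04T10:05:50Z dave notes.example-personal.app 5400
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
REVIEW_INTERVAL_DAYS = 365  # assumption: vendor security review is due yearly


@dataclass
class AppUsage:
    host: str
    users: set = field(default_factory=set)
    bytes_out: int = 0


def parse_proxy_log(text):
    """Aggregate per-host users and outbound bytes; skip lines that don't parse."""
    usage = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, user, host, nbytes = m.groups()
        entry = usage.setdefault(host, AppUsage(host))
        entry.users.add(user)
        entry.bytes_out += int(nbytes)
    return usage


def classify(usage, inventory, today):
    """Split observed hosts into shadow IT (not in inventory) and stale reviews."""
    shadow, stale = [], []
    for host in sorted(usage):
        u = usage[host]
        if host not in inventory:
            # Unknown app: record user count and data volume to prioritise triage.
            shadow.append((host, len(u.users), u.bytes_out))
        elif (today - inventory[host]["last_review"]).days > REVIEW_INTERVAL_DAYS:
            stale.append((host, inventory[host]["owner"]))
    return shadow, stale


def report(log_text=PROXY_LOG, inventory=SANCTIONED, today=date(2018, 6, 4)):
    shadow, stale = classify(parse_proxy_log(log_text), inventory, today)
    for host, n_users, nbytes in shadow:
        print(f"SHADOW  {host}: {n_users} user(s), {nbytes} bytes out")
    for host, owner in stale:
        print(f"STALE   {host}: review overdue, owner={owner}")
    return shadow, stale


if __name__ == "__main__":
    report()
```

Shadow entries are ranked by user count and volume so the team can decide whether to sanction, block or investigate each one; stale entries feed the periodic re-vetting the article says most enterprises skip.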
Beware of DIY app security
Some business and IT leaders apply SaaS application security themselves, rather than entrust their software security and code bases to third parties. Enterprises should use caution when they expose extremely sensitive code and/or data to outside security services, experts agreed. However, the benefits of security as a service and other application security automation products outweigh the risks.
Not only does the DIY approach to SaaS app security overload internal DevSecOps teams and create risk, it limits a business's ability to remain competitive, Krikken said. Use of third-party cloud security services will enable enterprises to onboard cloud applications faster, which, in turn, spurs innovation. "Future cloud adoption is easier because the right security support pieces are already in place," he said.
Carefully weigh the risks of vendor lock-in with the value of security offerings from your company's primary cloud provider, Moyer said. His company's cloud services provider is AWS, and he uses AWS security services, such as AWS Trusted Advisor and Secrets Manager. "I can't remember the last time there was a security breach caused by a cloud provider's managed security service," he said.
Even with a security-as-a-service suite, an enterprise still has plenty of DIY work to do, so don't be lazy and expect providers to take all the responsibility. Beaver sees clients that assume a security service provider does everything and don't realize they must remain involved in the process. Keep in mind that security services provide warnings and alerts, but that only helps if the DevSecOps team takes action.