We live in an age where mobile devices are better designed to meet the needs of an increasingly mobile workforce and the cloud provides unlimited opportunities to boost productivity and positively impact the way we do business. However, we are teetering on the edge of a cloud app (also called Software as a Service, or SaaS) deluge. Indeed, businesses are being flooded with a huge variety of unique SaaS apps to facilitate employee’s preferences. The SaaS Tsunami approaches.
According to Gartner, a typical enterprise has between 600 to 1000 SaaS applications, of which the IT department knows of around seven per cent. This knowledge gap has the potential to cause a multitude of security issues including data leakage and unauthorised access. Rather than running for higher ground, it is crucial that companies implement a plan to deal with the SaaS Tsunami. Below are eight actionable strategies that you can apply to your business today:
-
- Follow the money –When an employee subscribes to a SaaS application it is more than likely they will claim it back under expenses. Therefore, you should liaise with your finance department to create a SaaS subscription expense category, and ask them to tell you when someone claims expenses from this category. This will help IT bring previously unknown apps out of the shadows.
- Integrate into the on-boarding process – It is advisable to collaborate closely with HR so that new employees are encouraged during the on-boarding process to tell IT of any SaaS applications they need to do their job.
- Sell the benefits of Single Sign-on –Your IT team needs to highlight the productivity benefits of single sign-on (SSO) to your employees, which is that after logging in just once, users can access every application they need with only one click. Doing this requires that apps be incorporated into an identity as a service (IDaaS) catalogue, which has a key security benefit, described below.
- Enforce strong authentication –A major reason an IT department incorporates all SaaS apps in an identity as a service (IDaaS) catalogue is to ensure that security policies for password and multi-factor authentication are applied. If you do not know about an app being used it will not be subject to your IDaaS vendor’s login process, and thus will have weak authentication that carries security risk.
- Track application usage by former employees –Would you want your ex to have a key to your house and the means to remove everything inside? If you are not monitoring former employees’ activity, you could be giving them access to your corporate network and the data held inside. Businesses must ensure that former employees are off-boarded once they leave your company and are double checking former employees are not continuing to use company apps. One action you can take is to begin disabling ‘zombie accounts’ that have not been accessed for a period of time. Start with the most commonly used applications and work your way down. Another strategy is to connect your IDaaS to your Security Information and Event Management (SIEM) system, such as Splunk, to regularly search for application logins from former employee accounts.
- Identify self-enabled apps –It is time to uncover the 93 per cent of applications your employees use that you don’t know about. While some of these apps are harmless or justifiable, many of them could be excessively risky or completely unproductive. Does your sales team really need to be hunting for Pokemon? It is important to bear in mind that admins and privileged users are prized targets for malicious attacks. If they need to use open authorisation (OAuth) enabled applications using corporate credentials, it’s imperative you are made aware and ensure that the permissions are acceptable to your organisation.
- Implement app control –Have a paper policy and stick to it. Set the criteria within each department of what they deem as a ‘banned app’. This will vary between departments and it can be a nuanced decision based on risk, permission, how business-critical an app is, are there any safe alternatives and many other factors. Set it. Stick to it.
- User and entity behaviour –Implement user and entity behaviour analytics, which will help you identify anomalous activity such as unusual geolocation access or downloading excessive data. If one of your sales team has visited 68 countries in a day or has logged in at 3am from Zanzibar this might constitute anomalous behaviour. Identify what represents unusual behaviour at your organisation to apply to your user and entity behaviour analytics.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.