Built-in SaaS Security Not Nearly Enough for O365 Safety
SaaS Security So Important it has its Own Gartner Category – for now.
In the early days of the cloud, IT was reluctant to make the move, fearing data out of its control was not secure. Cloud and SaaS have largely proved their security mettle, at least for the areas of SaaS security the software providers control.
Take Microsoft, for instance. Microsoft secures the O365 service itself, but IT is still responsible for securing identities, devices and passwords, stopping data leakage, and preventing insider malfeasance. “For SaaS solutions, a vendor provides the application and abstracts customers from the underlying components. Nonetheless, the customer continues to be accountable; they must ensure that data is classified correctly, and they share a responsibility to manage their users and end-point devices,” Microsoft argued.
The chart below shows what areas of security IT must handle at each level of the cloud services stack. This is the essence of the Shared Responsibility Security Model promoted by Microsoft.
Beyond these areas of IT responsibility, there are SaaS and O365-specific areas of security the platform provider doesn’t tend to.
Enter SaaS Security Posture Management
SaaS Security Posture Management (SSPM), an acronym that contains an acronym, is the solution category for vendors that specifically protect SaaS such as Office 365. In its Hype Cycle for Cloud Security, 2020 report, Gartner argued that SSPM is critical enough that it will be blended into broader security and SaaS tools, and that the term itself will therefore become obsolete relatively soon. For now, at least, SSPM is the best way to describe solutions that protect SaaS in ways their creators haven’t addressed.
So what exactly is SSPM? “Gartner defines SaaS security posture management (SSPM) as tools that continuously assess the security risk and manage the security posture of SaaS applications. Core capabilities include reporting the configuration of native SaaS security settings and offering suggestions for improved configuration to reduce risk.”
SSPM tools can be both specific to a SaaS solution, the way CoreView’s CoreSecurity secures O365, or more broadly aimed at the panoply of SaaS, including the discovery and control of Shadow IT, deftly handled by CoreView’s CoreSaaS solution. “SaaS control remains elusive even for the most conscientious of enterprises. Popular SaaS applications present useful collections of configurable security controls, but they may be difficult to discover and measure effectively. SSPM tools, a recently identified category (but not a full market), elevate the visibility of SaaS native security,” Gartner argued. “Crucially, SSPM tools can provide evidence for enterprises to demonstrate they are controlling SaaS — a requirement that an increasing number of Gartner clients report their customers are demanding.”
Importance of SaaS Configuration – and Where CASBs Fall Short
A big chunk of the SSPM market is aimed at specific SaaS solutions not fully protected by their vendors, and filling in weaknesses in broad SaaS security tools such as Cloud Access Security Brokers (CASB). “Client interest in SSPM arose rapidly, possibly coincidentally, with vendors identifying existing challenges of managing SaaS security. Somewhat curiously, the largest gap lies within the CASB market. CASBs already possess the ability to connect to SaaS applications via APIs for scanning content and user activity in SaaS applications. However, most CASB vendors haven’t yet exhibited noticeable urgency to evaluate SaaS native security settings and permissions management,” Gartner argued.
According to Gartner analyst Neil MacDonald, “Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.”
Not only that, these cloud or SaaS apps contain the bulk of critical enterprise data. “These applications increasingly store vast amounts of intellectual property, out of the purview of central IT, and thus are at risk of inadvertent or malicious disclosure,” Gartner argues. “While CASBs provide a useful mechanism for centralized policy and governance across an enterprise’s landscape of SaaS applications, they are no substitute for proper configuration of SaaS native controls. The most effective way to avoid exposure is to continuously scan for and eliminate configuration mistakes and overly scoped permissions, which represent the most common forms of cloud security failure.”
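What the “report the configuration of native SaaS security settings and suggest improvements” loop looks like in code, as an added example for both the SSPM definition above and the point about continuously scanning for configuration mistakes and over-scoped permissions. This is not CoreView’s, Microsoft’s or Gartner’s code: the snapshot format, the setting keys and the baseline thresholds are assumptions modelled on common O365 hardening guidance, and both tenant snapshots are constructed. The check also handles the failure mode a practitioner cares about most: a setting the collector never reported is surfaced as unassessed rather than silently counted as a pass.

```python
"""Minimal SSPM-style posture check over a snapshot of native O365 settings.
Added example; setting keys, baseline and snapshots are assumptions, not real data."""
from dataclasses import dataclass
from typing import Any, Callable

MISSING = object()  # sentinel: the snapshot did not report this setting at all
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "unassessed": 3}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    setting: str                    # dotted path into the snapshot
    severity: str
    passes: Callable[[Any], bool]   # True when the current value is acceptable
    recommendation: str


@dataclass(frozen=True)
class Finding:
    rule_id: str
    setting: str
    severity: str
    current: Any
    recommendation: str


# Assumed baseline (illustrative, not a Gartner or CoreView rule set).
RULES = [
    Rule("EXO-001", "exchange.legacy_auth_enabled", "high",
         lambda v: v is False,
         "Block basic/legacy authentication; it bypasses MFA. Enforce modern auth."),
    Rule("EXO-002", "exchange.mailbox_audit_enabled", "medium",
         lambda v: v is True,
         "Enable mailbox auditing so forensics have a trail to work from."),
    Rule("SPO-001", "sharepoint.sharing_capability", "high",
         lambda v: isinstance(v, str) and v in {
             "Disabled", "ExistingExternalUserSharingOnly", "ExternalUserSharingOnly"},
         "Disallow anonymous 'Anyone' links; limit sharing to authenticated external users or tighter."),
    Rule("AAD-001", "identity.global_admin_count", "medium",
         lambda v: isinstance(v, int) and 2 <= v <= 4,
         "Keep 2-4 Global Admins; move the rest to scoped admin roles (least privilege)."),
    Rule("AAD-002", "identity.admins_without_mfa", "critical",
         lambda v: v == 0,
         "Require MFA for every privileged role."),
    Rule("AAD-003", "identity.conditional_access_enforced", "high",
         lambda v: v is True,
         "Enforce Conditional Access (or Security Defaults) for all sign-ins."),
]


def lookup(snapshot: dict, dotted: str) -> Any:
    """Walk a dotted path; return MISSING instead of raising when a key is absent."""
    node: Any = snapshot
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def evaluate(snapshot: dict, rules=RULES) -> list:
    """Findings for every failing rule, plus 'unassessed' for settings not in the snapshot."""
    findings = []
    for rule in rules:
        value = lookup(snapshot, rule.setting)
        if value is MISSING:
            findings.append(Finding(rule.rule_id, rule.setting, "unassessed", None,
                                    "Setting absent from snapshot; extend collection before trusting the score."))
        elif not rule.passes(value):
            findings.append(Finding(rule.rule_id, rule.setting, rule.severity, value, rule.recommendation))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])  # stable: rule order within a severity


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'critical': 1, 'high': 2}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed snapshots: a weakly configured tenant and the same tenant after remediation.
WEAK_SNAPSHOT = {
    "exchange": {"legacy_auth_enabled": True, "mailbox_audit_enabled": True},
    "sharepoint": {"sharing_capability": "ExternalUserAndGuestSharing"},
    "identity": {"global_admin_count": 7, "admins_without_mfa": 2},
    # conditional_access_enforced deliberately not collected -> unassessed
}
HARDENED_SNAPSHOT = {
    "exchange": {"legacy_auth_enabled": False, "mailbox_audit_enabled": True},
    "sharepoint": {"sharing_capability": "ExternalUserSharingOnly"},
    "identity": {"global_admin_count": 3, "admins_without_mfa": 0,
                 "conditional_access_enforced": True},
}

if __name__ == "__main__":
    for name, snap in (("weak", WEAK_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        findings = evaluate(snap)
        print(f"{name}: {summarize(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.rule_id} {f.setting}={f.current!r}: {f.recommendation}")
```

Run it and the weak tenant yields one critical, two high, one medium and one unassessed finding, while the hardened tenant yields none. The unassessed path matters: a real collector that fails to read a setting (expired token, missing admin scope) must degrade to “unknown”, not to a clean report, or the evidence Gartner says customers demand is worthless.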
How CoreView Fills in the Shared Responsibility Blanks
As the Shared Responsibility Model shows, proper O365 security leaves IT with plenty to do. Fortunately, this is precisely where CoreView shines. CoreView helps:
- Establish and enforce security policies
- Provide true least-privilege access
- Conduct deep forensics and auditing around security issues
- Automate O365 admin tasks
- Report on critical aspects of O365 security
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.