Understand your SaaS risk profile

By Mike Peters, Matthew Torpy, Chuck Chapdelaine, Mayte de la Lanza, and Colleagues

The Challenge

Here’s the problem: every organization has various unaudited SaaS applications, each with its own specific security and compliance risks. Because some SaaS apps come through our firewalls, enter our networks, and read information directly from our internal systems, they have access to sensitive information and our corporate secrets. Many employees register for SaaS apps without permission or IT knowledge, yet treat those apps as if they can be trusted with data assets.

But many SaaS apps have not earned that trust. As you know, SaaS apps can sometimes own (and sell!) your organization’s data and expose you to data breaches or data loss, which can interfere with your ability to be in compliance with mandates. Their interests are not always yours; their security practices may be much less robust than your own. From a legal and compliance perspective, you may even be responsible for disclosures and breaches that were the fault of your SaaS providers.

That’s why it’s important to understand your SaaS risk profile.

By reviewing your SaaS applications and their security policies, you can prevent data loss and maintain compliance with CCPA, GDPR, and other mandates. It’s also key to budget management: We recently found $2 million in wasted spend on SaaS apps at just one client!

And it’s important to monitor this on an ongoing basis. SaaS apps have a low barrier to entry: employees can sign up for the free version (where the vendor may own your data) or may not follow the procurement process consistently. The result is hidden SaaS applications and an ever-changing risk profile.

At Unify, we’ve evaluated the privacy policies of more than 200 SaaS vendors, across multiple clients.  From this work, we can share what we’ve identified as the lessons learned and what to look out for when conducting your own security and privacy review.

Our Approach

First off, who is reviewing your SaaS security? We’ve found that often, the “security review” is done by the Purchasing or HR department, and is little more than reviewing a checklist the SaaS vendor fills out themselves.  This leaves the important task of risk analysis to untrained and unaccountable departments.

Secondly, who owns your data?  As you know, if you use the free version of a product, you are the product, not the customer.  Often, SaaS companies may own and resell your data.  We recommend paying particular attention to data ownership clauses in security policies.

Finally, who is responsible for the security? We were surprised by the lackadaisical attitude of many SaaS vendors toward their own security. Often, they say they rely solely on their cloud provider for security! That means no application security controls, and increased vulnerability to XSS, SQL injection, and other threats.

Creating your SaaS inventory

First off, you have to know what you have.  If you don’t know what apps are currently in place, you can’t review their security policies, remove unauthorized or terminated employees from access, or keep track of budgets.

Start with purchasing, to identify all the master service agreements and contracts for purchased SaaS apps.  Then find apps that traverse your security boundaries via portfolio management and enterprise architecture processes. Finally, work with network administration to identify all SaaS apps coming through the firewall.
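One way to reconcile the purchasing inventory with what network administration actually sees leaving the firewall, as an added example that is not Unify’s own tooling. The log format, domain names, and the `find_unsanctioned` helper are assumptions made for illustration, and all sample data is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory from purchasing: domains covered by a signed contract.
SANCTIONED = {"crm.example.com", "payroll.example.net"}
# Constructed internal suffix; traffic to it is not SaaS egress.
INTERNAL_SUFFIX = ".corp.example"

# Constructed egress log: timestamp,user,destination_host,bytes_out
EGRESS_LOG = """\
2024-05-01T09:00:12Z,alice,api.crm.example.com,5120
2024-05-01T09:03:40Z,bob,files.notes-app.example.org,734003
2024-05-01T09:05:02Z,carol,files.notes-app.example.org,120044
2024-05-01T09:07:19Z,bob,wiki.corp.example,900
2024-05-01T09:11:55Z,dave,payroll.example.net,2048
2024-05-01T09:15:31Z,alice,app.survey-tool.example.io,15360
"""


def is_covered(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def find_unsanctioned(log_text, sanctioned, internal_suffix):
    """Return (host, users, bytes_out) for destinations with no contract on file."""
    seen = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for _ts, user, host, bytes_out in csv.reader(io.StringIO(log_text)):
        host = host.lower().rstrip(".")
        if host.endswith(internal_suffix) or is_covered(host, sanctioned):
            continue
        seen[host]["users"].add(user)
        seen[host]["bytes_out"] += int(bytes_out)
    # Largest outbound volume first: those apps hold the most of your data.
    return sorted(
        ((h, sorted(v["users"]), v["bytes_out"]) for h, v in seen.items()),
        key=lambda row: row[2],
        reverse=True,
    )


if __name__ == "__main__":
    for host, users, total in find_unsanctioned(EGRESS_LOG, SANCTIONED, INTERNAL_SUFFIX):
        print(f"{host}: users={users} bytes_out={total}")
```

The user list per destination also tells you whose access has to be reviewed or revoked once the app is either brought under contract or retired.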

Steps to conduct a SaaS privacy review

Once you know what you have, you need to review their security policies. As with all risk reviews, take into consideration the risk tolerance of your business based on your industry, the types of data you use, the compliance mandates you must meet, and your company’s strategic plan. That will help you determine the appropriate level of security controls your SaaS vendors should provide.

Once you’ve completed the inventory and established your internal risk tolerance, ask these questions:

  • What are the SaaS vendor’s stated security practices?
  • What privacy, security, and compliance commitments are in your contract with the vendor?
  • Does the SaaS vendor sell any data collected? If so, what data?
  • Is the SaaS vendor compliant with CCPA, GDPR, ISO 27001, and for health care, HIPAA?
  • Is data encrypted at rest and in transit?
  • Are federated access controls/SSO available and implemented so you can quickly revoke access to terminated employees?

This review is particularly important at the beginning of a relationship, when you have the most control, and can compare the practices of several vendors.  The best SaaS app vendors offer clear privacy statements around:

  • Compliance
  • Data ownership and use
  • Encryption
  • How they address the physical, technical and organizational threats to data security.
  • The ability to opt-out and/or add additional encryption and security measures.

Steps to a secure SaaS architecture

For SaaS apps that cross your firewall, it’s essential to minimize the damage if that SaaS provider experiences a breach. You can limit exposure through the following best practices:

  • In your rules for firewall usage, whitelist only those specific internal resources the SaaS vendor requires. Never allow access to all resources.
  • Do not connect the SaaS app to production databases. Instead, pull data from the production database, place it in a data warehouse, and expose specific views of the data to the SaaS app. Kafka is one such tool many of our clients use for this purpose.
  • Train staff software engineers to understand which types of data are sensitive and how to manage it, whether it’s personal information, corporate confidential information, or other sensitive data.
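The first two practices above can be checked mechanically against the firewall rule set. The following is an added example, not code from the original article: the rule format, vendor names, addresses, and the `audit_rules` helper are all assumptions, and the data is constructed.

```python
import ipaddress

# Constructed example data. Per vendor: the only internal (CIDR, port) pairs it needs.
REQUIRED = {
    "crm-vendor": [("10.20.5.10/32", 443)],
    "bi-vendor": [("10.30.0.8/32", 5432)],  # data warehouse host exposing views
}
# Constructed: production database network, which no SaaS app should reach.
PRODUCTION_DB = ipaddress.ip_network("10.10.0.0/24")

# Constructed firewall rules for SaaS vendors: (vendor, destination CIDR, port).
# Port 0 means "any port" in this example's rule format.
RULES = [
    ("crm-vendor", "10.20.5.10/32", 443),
    ("bi-vendor", "10.30.0.0/16", 5432),
    ("bi-vendor", "10.10.0.15/32", 5432),
    ("crm-vendor", "0.0.0.0/0", 0),
]


def audit_rules(rules, required, production_db):
    """Return (vendor, destination, port, reason) for each rule that is too broad."""
    findings = []
    for vendor, dest, port in rules:
        net = ipaddress.ip_network(dest)
        needed = [(ipaddress.ip_network(c), p) for c, p in required.get(vendor, [])]
        if net.prefixlen == 0:
            reason = "allows all resources"
        elif net.overlaps(production_db):
            reason = "reaches production database"
        elif not any(net.subnet_of(n) and port == p for n, p in needed):
            reason = "broader than required resources"
        else:
            continue  # rule matches a resource the vendor actually requires
        findings.append((vendor, dest, port, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_rules(RULES, REQUIRED, PRODUCTION_DB):
        print(finding)
```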

There is a partner for improving SaaS security

If you need extra hands and brains to tackle this review, we can help.  We have security experts that can help you navigate this space, supporting any portion of the security process, for SaaS apps, or any software you install.

Whether you partner with us, or go it alone, SaaS security review is no longer a nice-to-have, but a must-have for organizations interested in protecting themselves from litigation, fines and business losses from data theft.

Contact us today at hello@unifyconsulting.com to understand how SaaS apps impact your organization’s data privacy and security.

About the Authors

Mike Peters leads cybersecurity at Unify. He’s been in security since 2008, is a Certified Ethical Hacker, and has expertise in secure development, patch management, cloud security, and more.

Matthew Torpy comes from over 15 years of results-driven experience in information management, privacy, compliance, strategic planning, and technology.

Chuck Chapdelaine is a chief contributor and IT consultant at Unify. He’s worked in Information Security and Assurance since 2001, is a CISSP, and specializes in DoD and Healthcare settings.

Mayte de la Lanza provides technical leadership on system architecture, security, quality, performance, scalability and technical debt control.