What is a good baseline security policy for SaaS apps?


At Detexian, we often get asked this question. When it comes to security posture for SaaS, there’s a lot of ambiguity as every SaaS is unique in its security configuration.

Why should anyone care?

Understanding user configuration and differences across multiple SaaS platforms, then keeping track of unauthorized changes is crucial to secure data. Common misconfigurations such as lack of MFA, excessive privileges, unauthorized data sharing are leading causes of data breaches.

Aside from mitigating data breach risks, meeting regulatory compliance is a business continuity requirement for not only regulated entities, but also their vendors and suppliers. A few of our customers are SaaS-first organizations working towards SOC 2 compliance to secure contracts with large customers. Security audits are a time sink as it drains resources in figuring out the baseline, what’s changed, by who and why.

This work is taxing. Most organizations don’t know their baseline.

Even when you rattle off the most important business apps such as Office 365, G Suite, Salesforce, Atlassian, you can easily get to 15-20 apps that hold sensitive data in a typical mid-sized business spread across email/productivity, sales, marketing, HR, finance, engineering, customer support, product management, admin functions. Each comes with a few dozens to hundreds of different settings. It is impossible for anyone to master them all.

Traditionally, achieving security consistency across SaaS platforms required a combination of manual resource-intensive audit efforts, complex deployment of multiple security tooling such as CASB, SIEM, IDAM, PAM solutions as well as dedicated security headcount. This is a lot of work and $$$, which few organizations can commit.

Before an organization can start to implement a security policy or follow a best practice guideline for their SaaS footprint, they often need to expend significant efforts and resources to get their houses in order. First is taking stock of what SaaS solutions are subscribed for, by who and for what purpose across their organizations. Following that, they need to work with the SaaS owners to understand the criticality and sensitivity of data stored in each SaaS before assigning policies, procedures commensurate with the data classification. These steps alone took many of our customers months to complete. Before they know it, things have changed. More SaaS solutions and users are added, admins change and so do the types of data stored. But at least they have an initial baseline to work with.

Our recommendations:

Start with bite-size chunks

We’re seeing more organizations undertaking work to formulate SaaS management guidelines. But implementing controls is never straightforward. For example, turning on MFA is mandatory for Detexian staff and we do our best to enforce it for all users everywhere it is available. But for many popular SaaS apps like Pipedrive and Zoom, you have to pay or upgrade plans to enforce MFA and SSO on all users. Or else, you can only trust individual users that they’ll do what’s required and leave MFA on at all times.

We recommend the following minimum security baseline be applied to all SaaS holding business critical or customer sensitive data:

  • Require MFA for Non-Privileged Accounts: MFA has been shown to block phishing and account compromise attacks by 99.9%;
  • Identify and monitor Guest / External Accounts: Every 6 months all external and guest access should be checked, reviewed and removed if no longer needed;
  • Identify and monitor Privileged Users: Knowing who are privileged users in your SaaS solutions is a critical baseline policy, without knowing who they are, when they’ve last logged in you’ll never be able to see if they’ve changed;
  • Require MFA for Privileged Accounts: As privileged users can change configuration, users and destroy or export data, it is critical that their accounts are protected from compromise or takeover with MFA.

Use a solution to get ongoing oversight and monitor changes

If you use an Identity Management solution, e.g. OKTA, Azure AD, to federate SaaS apps, you can enforce MFA with it. If you don’t or not all your SaaS apps are federated, you can use Detexian to monitor MFA exceptions.

If you use a Privileged Access Management solution, you are quite a mature organization, and perhaps this article doesn’t apply to you. If you don’t have one, you can use Detexian to get oversight of your privileged and highly privileged user bases, enforce MFA and ensure they are legitimate users of your organizations. Many SaaS apps allow external users to control the highest level of privileged access.

Secure what you can't see in the cloud

710 Collins Street
Melbourne VIC 3008
9848 Mercy Rd #2
San Diego 92129

Get the latest information about SaaS security misconfigurations

Copyright Detexian 2020 All Rights ReservedTerms & ConditionsPrivacy Policy