When an organization starts down the path of an information security management (ISMS) uplift program, it usually exposes a number of control deficiencies in the SaaS solutions it relies on. How do you go about detecting and eliminating these risk blind spots?
Not every SaaS solution needs the same controls, so the first job is working out which ones hold data that warrants them.
Organizations inevitably start with the crown jewels: the systems holding business-critical and customer-sensitive data. That normally means the finance system, the customer relationship management system and the identity management system.
For most organizations, however, that data is reachable from a far wider SaaS footprint than these core systems. Business-critical financial or customer data ends up in spreadsheets in Office 365 / G Suite, in tickets in Jira / Notion, and is pulled into reporting tools such as Power BI, each with its own sharing settings and its own administrators.
Since the 2013 revision of ISO/IEC 27001, maintaining an inventory of information assets, SaaS included, has been an Annex A control (A.8.1.1, Inventory of assets). To meet it, the first step is identifying which SaaS solutions store, or have access to, those information assets.
Once you have identified the SaaS solutions in scope, start exposing the risk blind spots.
There are blind spots you know about and blind spots you do not know exist. A privileged-access change between audits is one you can anticipate, particularly if staff turnover has been high since the last audit. Configuration drift outside your control is one you probably will not. One of our customers disabled OneDrive for all their users. When Microsoft released a new version, OneDrive was automatically turned back on, and users began sharing documents externally through it. It took IT a while to notice, by which point rolling back the external sharing was very challenging.
Automate, automate, automate.
Every SaaS platform is configured differently; Office 365 alone has a dozen admin dashboards and thousands of settings. Knowing how users are configured, how that differs across platforms, and when an unauthorized change lands is crucial to securing the data. Doing it by hand, one platform at a time, on every check is a waste of your team's time and resources.
Use Detexian to automate this monitoring for all the major SaaS platforms your business teams use.
With Detexian you know at all times who the privileged and highly privileged users are in your critical SaaS platforms, and you have an immutable history of changes for audit and incident investigation. The same goes for critical security configurations such as MFA and SSO.
Your IT team does not need to take back administrative control of each SaaS solution to see what is going on inside it, or inside the applications it is connected to. They simply add every SaaS solution that needs monitoring to the Detexian Portal.
Where a security feature costs extra, your IT team can negotiate with the business over what counts as essential spend on non-functional security features. If SSO is mandatory but only available on a much more expensive tier, for example, IT can use Detexian to monitor MFA exceptions as a compensating control in the meantime.
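The two checks described above, a privileged-access change or a tenant setting drifting between audits, and a tamper-evident history of what changed and when, come down to snapshotting a platform's admin state and diffing it against an approved baseline. The following is an added example written for this article, not Detexian's code or any vendor's API. The snapshot layout, the role names in `PRIVILEGED_ROLES` and the two tenants' data are constructed assumptions standing in for what a SaaS admin API would return; the findings it produces mirror the post's scenarios (external sharing silently re-enabled, a help-desk account granted global admin without MFA).

```python
"""Baseline-and-diff detection of SaaS configuration drift (added example,
not Detexian's code). Snapshots are constructed dicts standing in for a
SaaS admin API's output; the hash-chained log is a tamper-evident history."""
import hashlib
import json
from dataclasses import asdict, dataclass

PRIVILEGED_ROLES = {"global_admin", "billing_admin", "sharepoint_admin"}  # illustrative
GENESIS = "0" * 64


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" | "high" | "medium"
    subject: str   # setting key or user principal name
    detail: str


def detect_drift(baseline: dict, current: dict) -> list:
    """Return every deviation of `current` from the approved `baseline`."""
    findings = []
    # 1. Tenant-wide settings that differ from the approved value.
    for key, expected in baseline["settings"].items():
        actual = current["settings"].get(key)
        if actual != expected:
            findings.append(Finding("high", f"setting:{key}",
                                    f"changed from {expected!r} to {actual!r}"))
    # 2. Privileged roles granted since the baseline, and privileged users without MFA.
    base_users, cur_users = baseline["users"], current["users"]
    for upn, user in cur_users.items():
        now_priv = set(user["roles"]) & PRIVILEGED_ROLES
        was_priv = set(base_users.get(upn, {}).get("roles", ())) & PRIVILEGED_ROLES
        if now_priv - was_priv:
            findings.append(Finding("high", upn,
                                    f"gained privileged role(s) {sorted(now_priv - was_priv)}"))
        if now_priv and not user.get("mfa_enabled", False):
            findings.append(Finding("critical", upn, "privileged account without MFA"))
    # 3. Privileged accounts that disappeared (offboarding nobody told you about).
    for upn in base_users.keys() - cur_users.keys():
        if set(base_users[upn]["roles"]) & PRIVILEGED_ROLES:
            findings.append(Finding("medium", upn, "privileged account no longer present"))
    return findings


def _sha256(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ChangeLog:
    """Append-only, hash-chained record of each scan's findings."""

    def __init__(self):
        self.entries = []

    def append(self, snapshot_id: str, findings: list) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"snapshot": snapshot_id, "prev": prev, "findings": [asdict(f) for f in findings]}
        entry = {**body, "hash": _sha256(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """False if any entry was edited, dropped or reordered after the fact."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _sha256(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


# Constructed snapshots, not real tenant data. BASELINE is the state approved at
# the last audit; CURRENT shows external sharing flipped back on by an upstream
# change and a help-desk user granted global_admin while still without MFA.
BASELINE = {
    "settings": {"onedrive_external_sharing": False, "legacy_auth_allowed": False},
    "users": {"alice@example.com": {"roles": ["global_admin"], "mfa_enabled": True},
              "bob@example.com": {"roles": ["user"], "mfa_enabled": False}},
}
CURRENT = {
    "settings": {"onedrive_external_sharing": True, "legacy_auth_allowed": False},
    "users": {"alice@example.com": {"roles": ["global_admin"], "mfa_enabled": True},
              "bob@example.com": {"roles": ["user", "global_admin"], "mfa_enabled": False}},
}


def run_demo():
    """Record a clean audit run, then the drifted weekly scan; return (findings, log)."""
    log = ChangeLog()
    log.append("audit-baseline", detect_drift(BASELINE, BASELINE))
    findings = detect_drift(BASELINE, CURRENT)
    log.append("weekly-scan", findings)
    return findings, log


if __name__ == "__main__":
    for f in run_demo()[0]:
        print(f"[{f.severity.upper():8}] {f.subject}: {f.detail}")
```

Scheduled against real admin APIs (Microsoft Graph for Office 365, the Google Admin SDK for G Suite, and so on), `detect_drift` is what turns "someone changed something since the last audit" into a ticket the same day, and `ChangeLog.verify()` is the property that makes the history usable as audit evidence: any after-the-fact edit to an earlier entry breaks the chain.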
Establish and enforce baseline security policy for SaaS
When you first connect to our automated assessment portal, the volume of detected risk can make it hard to decide what to fix first. Refer to our blog on “What is a good baseline security policy for SaaS apps” for our recommendations.
With Detexian, you can run your information security management uplift program for SaaS solutions in a workable sequence that supports your organization's business goals without disrupting the business teams that rely on those solutions for their daily operations.
Find out how you can automate the detection of SaaS risk blind spots in minutes and keep track of changes at all times. Inquire now for a free demo.