Automating Cyber Risk Assessments for SaaS apps
If clients ask you to do cyber risk assessments of their corporate apps (Office 365, G Suite, Salesforce, etc.) and you plan to do that manually, you’re wasting time and money.
Are you including corporate SaaS apps in your assessments?
Detexian works with a number of cyber assurance firms, most of whom have clients who are increasingly requesting that SaaS applications containing business-critical and customer-sensitive data be included in their assessment scopes. This has stemmed from industry leaders such as Gartner repeatedly stating “99% of cloud security failures will be the customer’s fault” and clients becoming aware of this fact.
The traditional scope increase starts with the customer's productivity solution, such as Office 365 or G Suite, being added. When PCI or CPS 234 requirements are applied, the scope increases further to include Salesforce (or a similar CRM), GitHub, Jira and Slack, as these can and often do hold critical information assets.
As these SaaS solutions are integrated into the customer communications, support and marketing business processes, substantial business risk is being incurred due to misconfiguration.
Scope increases lead to bigger client invoices, right?
The modern cyber assurance company looks to harness automation; activities such as pen testing, control sampling and evidence collection have all benefited from significant advances in tooling in the last 10 years.
When a new system or process is added to the assessment scope, the auditor is forced to rely on manual steps, which add significant cost and complexity to the assessment. Based on our partners' experience, a traditional week-long assurance assessment includes 4-6 hours of evidence collection using automated tools for AWS and hosted applications.
The addition of one or more SaaS solutions can double or triple this time taken due to:
Discovery efforts: It often takes time to identify the business owner or privileged users of solutions managed by the business;
Engagement: Scheduling meetings in order to get access to the SaaS being assessed, which may require additional client visits to share a screen;
Complexity of the SaaS(s): Where critical settings are located in the dashboard, and what they’re called, often changes from one system to the next;
Criteria: Lack of baseline configuration standards to assess against. While some vendors may publish a hardening guide, industry standards such as CIS Benchmarks often do not exist.
Adding SaaS configuration assessments to your product offerings may seem an appealing way to increase revenue. However, the additional effort required to manually audit even a few client SaaS apps rapidly adds up, constrains delivery timelines and impacts margins, leading to a less profitable client relationship.
Automating SaaS risk assessments is a no-brainer to increase profitability.
At Detexian, we understand cyber assurance firms want to reduce the manual effort to deliver assurance activities and increase profits. We have developed a product offering specifically for cyber assessment firms to complement the traditional pen testing, network and cloud configuration assurance activities.
Starting with the Detexian SaaS Assurance Report, you can deliver to a client an overview of the good, the bad and the ugly of their SaaS risks IN MINUTES without any manual audit work. The Report also comes with the underlying data and recommended mitigating actions so you can guide your client on what to do next to improve their security posture.
The Detexian SaaS Assurance Portal helps you track changes and progress continuously. This helps you automate your client’s SaaS security assurance over time.