Why SSPM is becoming an integral part of risk management for every business

What is SSPM?

SaaS Security Posture Management (“SSPM”) is a new Gartner category defined as “tools that continuously assess the security risk and manage the security posture of SaaS applications.” 

Core capabilities include reporting the configuration of native SaaS security settings and offering suggestions for improved configuration to reduce risk. Optional capabilities include comparison against industry frameworks and automatic adjustment and reconfiguration. 

Gartner stated that “99% of cloud security failures will be the customer’s fault”, calling on organizations to put in place controls that cover the inherent complexity of multi-SaaS use.

Before SSPM solution providers arrived, it was either impossible or very costly for most businesses to stay on top of SaaS security risks. Large companies could afford it by leveraging the various enterprise security solutions they already had, with security experts collecting the data and making sense of it.

Why should business users give a ****?

SSPM sounds like a very specific IT issue that the IT team or (if you don’t have one) your IT service provider should take care of. 

But in reality, IT teams and IT service providers usually manage core applications only (e.g. productivity suites such as Office 365 and G Suite, and communication apps such as Slack and Zoom). This leaves the security of your other critical SaaS apps (e.g. your finance and accounting suite, customer relationship management, marketing suites) in the hands of business users.

With sensitive data spread across 5 to 20 SaaS apps in most businesses, it is impossible for IT to keep track of users’ access and security changes and to hold an informed view of your organisation’s security risk profile. Doing so would require them to spend a significant amount of time manually monitoring each app (many of which they don’t manage) and to have the business knowledge to understand why a change happened and whether it was intended (knowledge they don’t have).

What the Board and executive management must know

The risk profile of SaaS applications constantly evolves with the user base and how the users interact with the data. An admin of Salesforce, for example, can hastily grant administrative privileges to external users outside of the organisation, who can then clone other external admins without you knowing. A sensitive file mistakenly created with “anyone with the link” sharing rights in Box or Dropbox can expose your customer list to a competitor. A software developer who recently left the company for a competitor may still be accessing sensitive information in GitHub, Atlassian and Slack channels because he wasn’t offboarded correctly.
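As an added illustration (not code from the original post or from Detexian), the three scenarios above expressed as posture checks over a constructed snapshot of SaaS settings; the internal domain, the role names and the sharing-mode labels are assumptions, since each SaaS app reports these differently.

```python
# Added example: minimal SaaS posture checks over a constructed snapshot.
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumed: the organisation's own email domain

@dataclass
class SaaSSnapshot:
    app: str
    # user email -> set of roles held in this app (assumed role labels)
    roles: dict = field(default_factory=dict)
    # object name -> sharing mode as reported by the app (assumed labels)
    sharing: dict = field(default_factory=dict)

def is_external(email: str) -> bool:
    return not email.lower().endswith("@" + INTERNAL_DOMAIN)

def external_admins(snap):
    """Accounts outside the organisation holding an admin role (Salesforce case)."""
    return sorted(u for u, r in snap.roles.items() if "admin" in r and is_external(u))

def public_shares(snap):
    """Objects shared with 'anyone with the link' (Box/Dropbox case)."""
    return sorted(o for o, mode in snap.sharing.items() if mode == "anyone_with_link")

def lingering_access(snap, offboarded):
    """Accounts still present in the app after HR marked them as departed."""
    return sorted(u for u in snap.roles if u.lower() in offboarded)

def assess(snapshots, offboarded):
    """Return (app, finding_type, subject) tuples: the raw material of an SSPM report."""
    offboarded = {e.lower() for e in offboarded}
    findings = []
    for s in snapshots:
        findings += [(s.app, "external_admin", u) for u in external_admins(s)]
        findings += [(s.app, "public_share", o) for o in public_shares(s)]
        findings += [(s.app, "offboarded_user_active", u) for u in lingering_access(s, offboarded)]
    return findings

# Constructed sample data, not taken from any real tenant.
SNAPSHOTS = [
    SaaSSnapshot("salesforce", roles={"cfo@example.com": {"admin"},
                                      "consultant@partner.io": {"admin"}}),
    SaaSSnapshot("box", sharing={"customer-list.xlsx": "anyone_with_link",
                                 "board-deck.pptx": "company_only"}),
    SaaSSnapshot("github", roles={"dev1@example.com": {"member"},
                                  "leaver@example.com": {"member"}}),
]
OFFBOARDED = ["leaver@example.com"]  # constructed HR leaver feed
```

A real SSPM tool would populate each snapshot from the app’s admin API and re-run the checks continuously, so that a new external admin or a newly public file surfaces in the next report rather than after an incident.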

The Board and executive management must know what questions to ask in order to form an informed view of their overall SaaS security risk exposure. Are we doing a good enough job of keeping business-critical and customer-sensitive data safe from harm? If so, what proof do we have?

What is the right SSPM solution for your business?

The right solution for your business is one that fits your culture and resources. 

Large enterprises can now demand SSPM features from the various existing enterprise security solutions they have already deployed such as CASB, IDAM, PAM, SIEM and EDR.

If the acronyms above don’t mean anything to you or are overkill for your business, then Detexian can be the solution that has what you need and speaks your language at a compelling price point.

At Detexian, we understand business users like to procure and manage their own SaaS applications. We are here to make security simple so they can manage security settings for SaaS with confidence without specialist skills while keeping up with changing regulatory requirements. Starting with an executive report that gives you the good, the bad and the ugly, Detexian helps you improve your SaaS security posture over time and builds a track record of proactive security assurance to solidify customer trust and win more deals.
