
SaaS Security Posture Management: Why You Need More

Earlier this year, Gartner included Obsidian as a representative vendor in the emerging SaaS Security Posture Management (SSPM) category and we are thrilled with the shout-out! More importantly, we’re excited that Gartner is calling attention to enterprise SaaS security. Misconfigurations and preventable user errors have resulted in highly visible SaaS data breaches and compromises in the recent past. For too long, the industry has resorted to blaming the victims for allowing these breaches to happen rather than recognizing the complexity of managing posture in heterogeneous SaaS environments.

Fig: Obsidian is a representative vendor in Gartner’s emerging SSPM category

SSPM simplifies the monitoring and management of security posture across SaaS applications through automation. Using SSPM tools, security, compliance, and application management teams can make sure that applications are configured according to best practices, and in compliance with policy and regulatory standards at all times.

Configuration management is critical to SaaS security. But it is just one part of a holistic SaaS security solution that addresses the challenges associated with monitoring, managing access and privileges, protecting data, and detecting and responding to threats. On this point, we agree with Gartner that SSPM capabilities will become part of a broader, more comprehensive SaaS security offering.

Let us look at why you need SSPM, and talk about why you need more than SSPM for SaaS security.

Why Do You Need SaaS Security Posture Management?

Critical business systems are moving to SaaS. According to Gartner, SaaS spending outstrips IaaS spending by a factor of two on average. Most organizations rely on a similar set of hugely popular, strategic SaaS applications for common business functions.

Security teams have to protect their organizations’ users and assets in applications that they don’t control. Security in the cloud is a shared responsibility between the cloud provider and its customer. While most enterprise SaaS apps provide some security in the stack, customers are still on the hook for configuring these applications appropriately, and ensuring that configurations don’t drift over time.

As it turns out, posture management seems simple at first blush but can be overwhelmingly complex for several reasons:

  • Modern SaaS applications can have hundreds of configurations that control everything from whether files can be shared broadly in G Suite to whether users can log in to Salesforce without MFA or video calls can be recorded on Zoom. Relying on default settings is a recipe for failure.
  • Each application has its own set of configurations, often with its own interpretation of common controls like IAM and data sharing. You have to understand what each app offers and the impact of configuration settings on the security posture.
  • Configurations are often buried in several menus in the console for each application. Security and IT operations teams need to familiarize themselves with the right location to find and manage configurations.
  • To ensure that there is no configuration drift, the admin has to poll each app periodically, remember what the correct settings are, and check if anything has changed.

An SSPM, according to Gartner, is a “tool that continuously assesses the security risk and manages the security posture of SaaS applications.”  At its core, an SSPM tool makes it easier for a security admin to get visibility into configurations in each application, understand how configurations translate to security posture, and ensure that applications are configured according to best practices.

At a minimum, SSPMs should be able to report on the configuration of native SaaS security settings and offer suggestions for improved configuration to reduce risk. Optional capabilities include comparison against industry frameworks and automatic adjustment and reconfiguration.
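The poll-and-compare loop described above, as an added example that is not code from Obsidian or Gartner: it checks a snapshot of settings against a baseline and separates drift (compliant at the last poll, not now) from settings that never matched. The app names come from the article; every setting key and value is a hypothetical placeholder, and the snapshots are constructed sample data.

```python
# Added example: baseline-vs-snapshot posture check with drift detection.
# Setting keys and values are hypothetical, not real vendor API fields.

BASELINE = {
    "gsuite": {"external_file_sharing": "off"},
    "salesforce": {"mfa_required": True},
    "zoom": {"cloud_recording": "host_only"},
}

# Constructed snapshots, as a poller might store them after each run.
PREVIOUS = {
    "gsuite": {"external_file_sharing": "off"},
    "salesforce": {"mfa_required": True},
    "zoom": {"cloud_recording": "anyone"},
}
CURRENT = {
    "gsuite": {"external_file_sharing": "anyone_with_link"},
    "salesforce": {"mfa_required": True},
    "zoom": {},  # setting missing from the export
}

_MISSING = object()

def assess(baseline, previous, current):
    """Return one finding per setting that deviates from the baseline."""
    findings = []
    for app, wanted in sorted(baseline.items()):
        for key, expected in sorted(wanted.items()):
            now = current.get(app, {}).get(key, _MISSING)
            if now == expected:
                continue
            before = previous.get(app, {}).get(key, _MISSING)
            if now is _MISSING:
                status = "unknown"        # cannot verify: still a finding
            elif before == expected:
                status = "drift"          # was compliant at the last poll
            else:
                status = "misconfigured"  # did not match last time either
            findings.append({
                "app": app, "setting": key, "status": status,
                "expected": expected,
                "actual": None if now is _MISSING else now,
            })
    return findings

if __name__ == "__main__":
    for f in assess(BASELINE, PREVIOUS, CURRENT):
        print(f"{f['app']}.{f['setting']}: {f['status']} "
              f"(expected {f['expected']!r}, got {f['actual']!r})")
```

A setting that cannot be read is reported as `unknown` rather than silently passed, since an unverifiable control is itself a posture gap.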

SSPM is Necessary but not Sufficient

Posture management is a critical capability for SaaS security. Misconfigurations can leave the proverbial backdoor open in a SaaS environment. But is SSPM sufficient to secure your SaaS? The answer is no. Posture management needs to be a part of a comprehensive SaaS security solution that includes continuous visibility and activity monitoring, threat detection, and data breach protection.

To understand why, let’s look at an analogy (we security folks love our analogies). Say you wanted to take your personal Cessna Skycatcher for a spin. You would run through a set of preflight checks, e.g.:

  • Magnetos Switch – OFF
  • MASTER Switch (ALT and BAT) – ON
  • AVN MASTER Switch – ON
  • Primary Flight Display (PFD) – CHECK; PFD ADAHRS TEST COMPLETE (no red X’s)

Fig: Securing SaaS can feel like flying a plane, with a hundred things to check and monitor (Photo by Andrés Dallimonti on Unsplash)

For good reason, you don’t want to take off without doing a preflight inspection. During the flight, you want to make sure that some of these settings don’t change. This is what an SSPM does for SaaS environments. Security in SaaS can feel like flying for the first time, with all the configurations and controls to understand and manage. SSPM allows you, the administrator, to see how you’ve configured your SaaS applications, quickly detect red flags, and fix them.

But there is a lot more to flying an airplane than checking settings. Likewise, SaaS security admins need to go beyond configuration management and understand who is in their SaaS environments and monitor what they are doing. CISOs are asking their team if they can answer questions like:

  • Which SaaS accounts are compromised?
  • Can we respond to a cloud breach?
  • What files are we sharing externally?
  • Which third-party applications are accessing users’ data in their Google Drive, Box, or Salesforce accounts?
  • Who has administrator access in SaaS but doesn’t need it?

To do this, you need a solution that aggregates telemetry from SaaS applications, normalizes the data, and makes it available to threat-focused security teams for monitoring, investigations, incident response, and reporting. Endpoint Detection and Response (EDR) solutions did this for endpoint devices. But what about detection and response for SaaS applications?

Fig: CDR aggregates, normalizes, and analyzes data from SaaS applications to simplify continuous security

Obsidian CDR offers SSPM and much more

Obsidian delivers a simple yet powerful security solution for SaaS applications based on a new approach called cloud detection and response (CDR). With Obsidian’s SSPM capabilities, you can strengthen your security posture proactively. Using Obsidian, organizations can prune inactive accounts and fix common application misconfigurations to reduce risk. A lower risk profile not only reduces the chance of a costly breach, but also lowers the indirect costs of ongoing security efforts.

Fig: SSPM provides essential capabilities for SaaS security, but does not cover threat management

Obsidian goes beyond SSPM, enabling security teams to continuously monitor user activity, protect against data breaches, and detect and respond to insider threats and account compromise.

Powerful out-of-the-box threat detections, insider threat monitoring, data protection, an intuitive search interface for hunting and IR, the ability to create custom alerts, integration with endpoint detection and response solutions like CrowdStrike, and other capabilities make Obsidian the go-to solution for cloud SecOps.

Conclusion

SaaS powers the modern workplace. Rapid adoption is bringing to light the challenges in securing SaaS. Gartner has identified a new category of security solutions – SSPM – that addresses the big unmet need for configuration visibility and management in SaaS environments, and it is no surprise that Gartner notes that client interest in SSPM continues to increase.

We are honored to be recognized as a representative vendor in this emerging category. At the same time, we believe that SSPM is just the beginning of several critical capabilities that threat-focused security teams need. We invite you to read about cloud detection and response (CDR) and how it can help defend SaaS against emerging threats.