Security Guidance
6 minutes

Pure Storage on Launching a Corporate SaaS Security Program

As organizations increasingly rely on SaaS applications to conduct business the importance of a thorough SaaS security program cannot be overstated for protecting the business and its sensitive data. Over 30% of business-critical data now resides in SaaS, and this is only expected to increase with the adoption of SaaS rapidly accelerating. It was for this exact reason that Pure Storage – the IT pioneer that delivers the world’s most advanced data storage technology and services – came to Obsidian with a clear objective they needed help solving: securing data in their critical SaaS applications. 

I sat down with the Pure Storage SaaS Security Lead, Hammad Yacoob, to learn more about what drove their initiative, how they’ve achieved success, and the lessons they’ve learned in the process.

The Urgency of Addressing SaaS Security

Like most businesses today, Pure Storage has hundreds of individual SaaS applications in its environment for a variety of specific business productivity functions. For Hammad, the need to prioritize securing these applications is obvious; “If it hasn’t already migrated to SaaS, it will be migrating to SaaS and sensitive data is migrating along with it.”

Being at the forefront of leveraging technology to enable world-class customer experience, Pure Storage wanted its SaaS Security program to ensure a few critical outcomes:

  1. The ability to ensure accountability of application owners across the organization. 
  2. Customer data is continuously protected in accordance with internal and regulatory requirements.
  3. An accessible, actionable, and scalable way to prevent and detect SaaS threats.

“To even audit just one of our critical applications manually would take weeks of time, and we have over 400 of them. Obsidian not only gives us centralized visibility but also provides insights into key areas that we simply don’t have without it.” 

Securing sensitive corporate data and ensuring compliance with industry regulations are critical considerations for any company adopting SaaS. 

Core Components of an Impactful Program

  1. Establish a security standard for application owners: Developing and communicating clear security policies and guidelines is essential for creating a secure SaaS environment. These policies should address aspects such as SSO or MFA requirements, access controls, least privilege, and acceptable use of SaaS applications. Employees must be educated on these policies and reminded of their responsibilities regarding SaaS security. Establishing and regularly auditing clear guidelines help set expectations and foster a culture of security awareness throughout the organization.
  1. Comply with regulatory requirements: All organizations need to comply with some combination of internal standards, regulatory frameworks, and data protection laws. Ensuring that your SaaS security program aligns with these requirements can get complicated quickly, as regulations may differ across jurisdictions. Organizations must navigate these complexities and incorporate necessary controls to measure, maintain, and prove compliance.
  1. Continually monitor and analyze SaaS activity: Implementing continuous monitoring and analysis of SaaS activity is crucial for detecting any suspicious or unauthorized behavior prior to sensitive data exfiltration. To do so, security teams need a complete understanding of which users and integrations are accessing their environment, what they’re doing, and when they’re behaving in a risky, unusual, or malicious way.

A Word to the Wise: Challenges to Consider

Before embarking on your SaaS security journey, Hammad recommends thinking through a handful of complexities that you will undoubtedly need to address when it comes to SaaS: 

  1. User adoption and resistance: Introducing new security measures or restrictions can sometimes face resistance from employees who don’t understand them or perceive them as hindrances to their productivity. “Your SaaS Security Program is only as strong as the level of commitment you get from your application owners.”

    Remedy: User adoption of security practices requires effective communication, training, and ongoing support to ensure compliance. A well-established security standard can help ensure that. It’s also crucial to have an abstraction layer that connects app owners, security personnel, and governance teams and aligns them in a shared goal: deploying SaaS apps in a secure and compliant way. Obsidian acts as this common ground for Pure Storage. 
  1. Fractured and incomplete visibility: Organizations often use multiple SaaS applications from different providers, each with its own security protocols and features. Coordinating and managing security governance across various SaaS solutions is complex and time-consuming when done manually. Decentralized control and lack of oversight make it difficult to establish a centralized program, leaving you vulnerable to security gaps.

    Remedy: Hammad recommends working with an SSPM provider for much-needed expertise and a scalable solution to ensure governance, risk, and compliance across your entire SaaS infrastructure. “Without Obsidian we would have an unsustainable amount of manual work and a huge lack of visibility.”
  1. The evolving threat landscape and third-party integration risk: SaaS applications are designed to be interconnected, creating a seamless user experience with data synchronization between multiple services. However, integrating numerous third-party applications creates an elaborate web of shared data that is being actively targeted by bad actors. Third-party integration management is becoming a complex exercise in SaaS risk analysis and continuous threat management.

    Remedy: Pure Storage leverages Obsidian for visibility into its integrations across the entire SaaS estate. Allowing them to automatically remediate SaaS third-party integration threats in real time via centrally defined security policies. “Prior to Obsidian, we had no way to validate what integrations we have, how they are being used, what permissions they are asking for, and who is using them.“

By addressing these difficulties proactively like Pure Storage has done, organizations can establish a solid and resilient SaaS security program that safeguards their digital assets.

Closing Recommendations for Ensuring Success

As we wrapped our conversation Hammad provided some closing advice: as this unique space continues to evolve, choose a SaaS security solution that you can partner with strategically to execute your SaaS Security Program. Leveraging the right technology will provide a complete understanding of your entire SaaS environment empowering you to proactively minimize risk, ensure compliance, and promptly identify threats in a scalable way.

“When we first set out to solve this problem, we just wanted a tool to help monitor posture. As we learned more about the space and Obsidian’s capabilities, it was no longer that simple. They became the obvious choice for us because of the depth in context and insights they provide across all critical areas of our SaaS ecosystem.”

Pure Storage is leading the way for forward-thinking organizations that understand the unique but substantial security and governance challenges posed by their SaaS ecosystem.

Get started on your SaaS Security journey today with Obsidian’s SaaS Security Snapshot – our complimentary risk assessment program.