
The Evolution of SSPM

This blog is reposted from an article originally published in September 2022 by Tom Croll on Medium.

SaaS security posture management (SSPM) technologies are evolving rapidly. Advanced features such as third-party integration controls, SaaS-to-SaaS interactivity monitoring and threat management have transformed SSPM tools into powerful standalone security suites, arming enterprises with deep visibility and continuous control enforcement across increasingly complex and interconnected SaaS environments.

In 2020, we began to see a new wave of tools designed to manage the overall security posture of SaaS applications. A handful of startup vendors aimed to deliver more than traditional SaaS management platforms. They not only wanted to manage, provision and gather metrics, but plug the gaping security holes left by the widespread, rapid adoption of enterprise SaaS.

Established cloud access security broker (CASB) products attempt to protect cloud services using complex network proxies that monitor increasingly diverse traffic across entire enterprise networks. Implementing and supporting a CASB requires multiple skilled operators to configure and monitor it. Even then, these tools remain limited in their ability to provide behavioural analysis and monitoring of SaaS-to-SaaS interactions.

SSPM tools aimed to address this issue by continuously monitoring user behaviour, configuration and privileges out of the box, without the need for proxy management and complex deployments. SSPM wasn’t just an improved SaaS management tool; it was, in effect, cloud security posture management (CSPM) for SaaS. A new market emerged, and the term SaaS security posture management was born.

CSPM tools were once noisy configuration monitors that detected anomalies without providing useful context, generating false positives and overwhelming torrents of alerts. The latest CSPM tools, however, combine multiple sources of telemetry with graph databases to give quantifiable risk assessments across sprawling IaaS and PaaS estates. Organisations can now gain a continuous view of overall risk exposure and receive prioritised, actionable alerts that reduce mean time to remediation (MTTR) and lessen the strain on stretched security teams.

So it has been for the evolution of SSPM. Fierce competition is driving innovation, leading vendors to move beyond simple posture management to include features such as monitoring of SaaS-to-SaaS interconnectivity, third-party tool integrations and threat detection, providing a consolidated view of risk exposure across complex, interconnected SaaS landscapes.

However, unlike CSPM, where multiple security standards are available for the handful of major IaaS and PaaS providers, SSPM must deliver security guidance for a rapidly growing landscape of enterprise SaaS platforms. As a result, leading vendors use normalised data from multiple sources, including anonymised telemetry derived from hundreds of existing deployments. These advances are driving the evolution of SSPM tools to provide intelligent alerts and opinionated recommendations based on real-world data. By drawing on these constantly evolving data sources, advanced SSPM tools can maintain continuously updated best practices across hundreds of SaaS applications and provide effective threat management capabilities.

CASB versus SSPM

When SSPM was first introduced to my research in 2020, I advised customers to demand SSPM functionality from their existing CASB/SASE vendors. While this advice is still valid for existing CASB customers, recent advances have changed the way I think about SaaS protection. I now advise clients to start with SSPM and work backwards to more expensive, resource intensive platforms.

CASB vendors typically charge significant extra fees to integrate with each SaaS application, while failing to provide an integrated overall view of SaaS behaviour. They can monitor access to SaaS and give individual risk assessments but remain largely blind to third-party integrations and SaaS interconnectivity, leaving organisations exposed to the risk of data loss.

As sensitive information is increasingly stored in SaaS applications, data loss prevention (DLP) is no longer a problem of preventing data from leaving the corporate network. DLP is fast becoming a problem of preventing sensitive information from leaving sanctioned SaaS applications, making monitoring of SaaS interconnections vital to detect and prevent data exfiltration.

CASB and secure web gateway (SWG) technologies were originally designed to address the former use case: proxying traffic across the corporate network to identify data exfiltration and shadow IT. Many have since been extended to cope with myriad use cases, but at the cost of increased complexity and expense. These high-maintenance portfolios of tools are unsuitable for organisations with limited resources for implementation and support.

Conversely, SSPM tools can bring visibility and insight to complex SaaS interconnectivity out of the box (fig. 1). While not covering every available SaaS application, SSPM tools can now integrate with dozens of the most widely used platforms, protecting sensitive data by alerting on insecure configurations, identifying anomalous behaviour and providing actionable threat management advice. To reduce risk, mature organisations should restrict the use of obscure SaaS applications and identify core platforms to sanction for processing and storage of sensitive data. This approach simplifies governance, provides clear guidance and allows DLP programmes to use enhanced tooling to identify and control sensitive corporate information.

Release management has evolved to become SaaS supply chain risk

Before the adoption of SaaS, we had control of enterprise application deployment. Security teams could study release notes and test new software for months in sandboxes before introducing a phased rollout across the IT estate. This wasn’t a great model, slowing down business output and creating more work than most organisations could handle, but it was a control we simply gave up when we moved to SaaS. Now we must outsource trust to third-party vendors, often using unmanageable, point-in-time questionnaires that create even more work and are ill-suited to continuously monitoring risk.

When changes are made to SaaS applications, users might see a pop-up message asking them to try a new integration or switch to a new dashboard. However, most features are introduced silently and without any way to assess their impact on overall risk posture.

SSPM tools can help provide this visibility by constantly crawling through SaaS applications, looking for new functionality or features that could introduce risk, such as the ability for users to share files externally or the introduction of an insecure web form. Not only can this inform overall risk posture but it also allows us to proactively respond to threats by identifying newly exposed data or recommending measures to reduce risk, such as user privilege trimming.
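As an added illustration, not code from the original article or from any SSPM vendor, the following Python sketch shows the three kinds of check described here and in the CASB-versus-SSPM discussion above: configuration drift against a reviewed baseline (including a setting that appeared silently after a vendor release), third-party OAuth grants that expose SaaS-to-SaaS interconnectivity with broad scopes, and dormant administrators flagged as candidates for privilege trimming. The tenant snapshot, setting names, scope names, users and thresholds are all constructed for the example; a real tool would pull them from each platform’s admin API.

```python
"""SSPM-style posture checks over a constructed SaaS tenant snapshot.
Example code added to this article; setting names, scopes, users and
thresholds are assumptions chosen for illustration."""
from dataclasses import dataclass
from datetime import date

# Settings that expose data when enabled (assumed names, modelled on
# typical "external sharing" and "public form" toggles).
RISKY_WHEN_TRUE = {"drive.external_sharing", "forms.public_submission"}
# OAuth scopes that give a third-party app broad read/write access (assumed names).
HIGH_RISK_SCOPES = {"drive.read_all", "mail.read_all", "admin.directory.write"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
SNAPSHOT_DATE = date(2022, 9, 1)  # day the snapshot was taken (constructed)

# Configuration as last reviewed by the security team (constructed).
BASELINE_SETTINGS = {
    "drive.external_sharing": False,
    "mfa.enforced": True,
    "session.max_hours": 12,
}

# What the admin API reports today (constructed): the vendor shipped a public
# forms feature, someone enabled external sharing, and a user granted an
# unreviewed app read access to all files and mail.
CURRENT_SNAPSHOT = {
    "settings": {
        "drive.external_sharing": True,
        "mfa.enforced": True,
        "session.max_hours": 12,
        "forms.public_submission": True,
    },
    "oauth_grants": [
        {"app": "Calendar Sync", "scopes": ["calendar.read"], "approved": True},
        {"app": "Quick Exporter", "scopes": ["drive.read_all", "mail.read_all"],
         "approved": False},
    ],
    "users": [
        {"email": "alice@example.com", "role": "admin", "last_login": "2022-08-30"},
        {"email": "svc-legacy@example.com", "role": "admin", "last_login": "2022-03-01"},
        {"email": "bob@example.com", "role": "user", "last_login": "2022-08-31"},
    ],
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "low"
    category: str   # drift | new-feature | integration | privilege
    subject: str    # setting key, app name or user
    detail: str


def config_drift(baseline: dict, settings: dict) -> list[Finding]:
    """Flag settings that changed since the baseline or appeared silently."""
    findings = []
    for key, value in settings.items():
        risky = key in RISKY_WHEN_TRUE and value is True
        if key not in baseline:
            findings.append(Finding("high" if risky else "low", "new-feature", key,
                                    f"setting not in reviewed baseline (value={value!r})"))
        elif value != baseline[key]:
            findings.append(Finding("high" if risky else "medium", "drift", key,
                                    f"changed from {baseline[key]!r} to {value!r}"))
    return findings


def risky_integrations(grants: list[dict]) -> list[Finding]:
    """Flag SaaS-to-SaaS OAuth grants with broad scopes or no admin approval."""
    findings = []
    for grant in grants:
        broad = sorted(set(grant["scopes"]) & HIGH_RISK_SCOPES)
        if broad and not grant["approved"]:
            severity, why = "high", f"unapproved app with broad scopes: {', '.join(broad)}"
        elif broad:
            severity, why = "medium", f"approved app with broad scopes: {', '.join(broad)}"
        elif not grant["approved"]:
            severity, why = "low", "unapproved app with narrow scopes"
        else:
            continue
        findings.append(Finding(severity, "integration", grant["app"], why))
    return findings


def dormant_admins(users: list[dict], today: date, max_idle_days: int = 90) -> list[Finding]:
    """Flag admin accounts idle beyond the threshold as privilege-trimming candidates."""
    findings = []
    for user in users:
        if user["role"] != "admin":
            continue
        idle = (today - date.fromisoformat(user["last_login"])).days
        if idle > max_idle_days:
            findings.append(Finding("medium", "privilege", user["email"],
                                    f"admin idle for {idle} days; trim or disable"))
    return findings


def assess(snapshot: dict, baseline: dict, today: date) -> list[Finding]:
    """Run all checks and return findings ordered by severity, then category."""
    findings = (config_drift(baseline, snapshot["settings"])
                + risky_integrations(snapshot["oauth_grants"])
                + dormant_admins(snapshot["users"], today))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.category, f.subject))


if __name__ == "__main__":
    for f in assess(CURRENT_SNAPSHOT, BASELINE_SETTINGS, SNAPSHOT_DATE):
        print(f"[{f.severity:6}] {f.category:12} {f.subject}: {f.detail}")
```

Run against the constructed snapshot, the sketch reports three high findings (external sharing enabled since the baseline, an unapproved app holding all-files and all-mail scopes, and a public-forms setting that was never reviewed) and one medium finding (a service admin idle for six months). The point is the shape of the work: every check compares the live tenant against an explicit expectation, so a silent vendor change or a new OAuth grant shows up on the next crawl rather than in next year’s questionnaire.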

As more and more organisations rely on SaaS vendors for business-critical functions, third-party supply chain management is becoming a complex exercise in SaaS risk analysis and continuous threat management.

SSPM has evolved to address this business-critical risk. It can now provide the insight and control needed to maintain real-time risk assessments, identify anomalous behaviour, and detect and respond to threats, protecting sensitive data and limiting the impact of security breaches.

SSPM’s evolution to a standalone SaaS security platform

Continuous management of hundreds of SaaS applications has necessitated complex tooling and resource-intensive governance programmes that are either ineffective or simply not practical for most enterprises. Organisations that have not already implemented a CASB are unlikely to do so, and some that have report limited ROI because of high licensing, implementation and support costs. A new approach is therefore needed.

Organisations should:

  • Define specific security objectives for SaaS threat management.
  • Identify 5 to 10 core SaaS applications and sanction only those with strong security integration capabilities for protecting sensitive corporate information.
  • Use automated tooling to enforce controls and minimise risk across this focused SaaS landscape.
  • Understand the strengths and weaknesses of each SSPM vendor and choose the appropriate vendor to meet your specific control objectives.
  • Prioritise tools that provide robust threat detection and response capabilities over simple configuration and posture management (see Obsidian’s approach to SaaS protection).

Introducing strong controls for selected core applications will not address every use case, such as sensitive data already stored on existing endpoints or in unsanctioned SaaS. However, such controls can be deployed in a matter of days with little effort from the organisation, and will have an immediate impact, lowering the risk of data leakage across the organisation’s SaaS usage.

Defining your organisation’s specific SaaS control objectives and choosing the most effective tools to meet them is the most important step towards this goal. Visibility of SaaS interconnectivity and third-party integrations is essential for protecting sensitive information and preventing account compromise. Automated tooling is essential to monitor changes to risk posture, identify threats and respond to compromise early in the kill chain.

The evolution of SaaS security posture management tools has driven the introduction of advanced threat management features, SaaS interconnectivity monitoring, and control of third-party tool integrations. SSPM capabilities are now essential components of any SaaS security strategy, protecting sensitive corporate data, detecting and responding to compromise and reducing the organisation’s exposure to compliance failure, account compromise and business outages.