SaaS applications pose a significant security challenge. You do not necessarily want to clamp down on their use because they have become a valuable tool for many of your company’s employees. Using cloud storage applications such as Box to upload a few files or using collaboration tools such as Microsoft Office 365 to create documents is an important part of their everyday routine. On the other hand, you cannot allow them to proliferate without control because they will expose your organization to potentially disastrous security and compliance risks, including data leakage and the insertion and distribution of malware.
So, how do you gain control of SaaS usage in your organization? Start by understanding where you may be exposed. Then you can deploy technologies to fix your vulnerabilities and protect the gaps. To help you get started, we’ve identified six of the biggest SaaS security challenges you must address—sooner rather than later. Here they are:
Challenge No. 1—SaaS Usage Visibility and Control
Once data has left the network perimeter, you will have a hard time getting visibility into SaaS applications and controlling their use. So you want to take preventative action. Start by identifying which SaaS applications should be used and which behaviors you will allow within each of those applications. Make a clear delineation between sanctioned and unsanctioned applications. If you want to safely enable “tolerated” applications that can’t be sanctioned, make sure your security products give you the flexibility to exert granular control and policy management.
Challenge No. 2—Data Exposure Visibility
With SaaS usage defined and controlled with granular policy, data will be moving to applications that your organization has sanctioned. However, when the data reaches a cloud service it resides within the SaaS application and is no longer visible to your network perimeter. This is a potential blind spot. You need products that give you additional visibility without being in-line for a deep understanding of users, the data they have shared and how they have shared it.
Challenge No. 3—Contextual Control of Data Exposure
Data in the cloud can be either structured or unstructured. Both types of data can put you at risk. To properly protect data in the cloud and ensure regulatory compliance for sensitive data, you need security tools that enable you to define granular, context-aware policy controls. Make sure you can drive enforcement and quarantine users and data before a violation occurs.
Challenge No. 4—Threat Prevention
Many SaaS applications automatically synchronize files with users. Also, many employees may use SaaS applications to share data with individuals outside your organization’s control. These behaviors create new insertion points for malware. To prevent these threats, you need a security solution that protects your sanctioned SaaS applications from known and unknown malware threats and exploits—regardless of the source of the malicious file.
Challenge No. 5—Risk Prevention (Not Just Response)
Threat and data exposure protections should not be an in-line function only looking at future events (i.e. like a traditional firewall). Instead, you need to be able to look back at all previous data and shares in your sanctioned SaaS applications. You need to capture events that took place even before the policy was put in place. This way, data exposure and threat risks are caught no matter when the occurred.
Challenge No. 6—Preserving Performance
SaaS applications are popular because they are convenient, easy to use and fast. If your security solution diminishes the user experience, you run the risk of driving users to an unsanctioned application. You don’t want to affect latency or bandwidth requirements for sanctioned SaaS applications. Look for a cloud-based security solution that doesn’t require network configuration changes or inline deployment. Make sure you can also support native applications on mobile devices so users are not limited to only using Web-based access on their devices.
As we talk to customers, we’re finding that getting SaaS applications under control is one of the most important security concerns of the cloud era. You need the right set of products to gain constant visibility, control and protection of your applications and data at all times. The Palo Alto Networks Next-Generation Security Platform was designed specifically to meet these challenges. You can identify SaaS applications with the Next-Generation Firewall; extend protection into the cloud with Aperture, and protect against known and unknown threats with the WildFire threat intelligence service.
For more information on how you can find, control and protect SaaS usage in your organization, download a free copy of our new book, Securing SaaS for Dummies.
[Palo Alto Networks Research Center]