Cost efficiency, scalability, accessibility, and flexibility are just a few benefits SaaS applications provide when it comes to optimizing day-to-day business operations.
But as SaaS adoption continues to skyrocket, securing SaaS applications is pretty much nowhere to be found on the list of security professionals’ priorities these days. Yet, SaaS applications with their unique configuration and user management options are already having a profound impact on an organization’s security posture.
We at Axonius talk to security and IT professionals every day about the challenges related to SaaS adoption. Some of the most cited include:
Still, probably the biggest concern is as plain as: “where do I even start?”
These professionals are also likely asking, “with all the complexity around SaaS and hundreds of SaaS apps in use, should I focus on business-critical apps? Or on the shadow SaaS discovery?”
And we get it. With SaaS-related security risks no longer being hypothetical, staying ahead of them is not an easy task. The starting point here could be recognizing SaaS applications for what they are — an essential part of the organization’s attack surface.
The “classic” view of an attack surface as external-facing assets is still important, but it doesn’t reflect the true risk organizations face today.
The complexity of the SaaS environment, combined with the sensitive nature of the data stored in and shared between various SaaS applications, make them a clear and lucrative target. Even more concerning is the fact that by the design of any SaaS app environment, a security breach of any single application may have major implications across the entire SaaS app stack.
Think of a myriad of settings that should be correctly configured across just those core business SaaS applications like Google Workspace, Zoom, Salesforce, Slack, Microsoft 365, or Workday. Add to that the vulnerabilities or potential security gaps vendors continue to uncover. Microsoft 365 alone disclosed almost 150 vulnerabilities just in the last two years. It’s even more complicated for IT and security teams when their challenge is to understand what SaaS apps are even being used across their organization.
The Okta breach in early 2022 became the clearest evidence of the potential fallout of a SaaS security event. It showed how easily the “blast radius” of one compromised SaaS app extends to so many others. And it’s not just Okta. We’ve also witnessed other major SaaS-related security incidents involving applications like GitHub, LastPass, and Atlassian in 2022, with millions of users potentially affected.
“SaaS security misconfigurations have been here since SaaS was introduced and now the attacks exploiting those misconfigurations are on the rise. SaaS is part of your attack surface,” said Jerich Beason, CapitalOne Commercial Bank CISO and Axonius advisor, in a LinkedIn post. “This is a huge undertaking to address but there is no better time than yesterday. Tomorrow the hole will be wider and deeper. … We can’t leave SaaS out of the conversation anymore when we're talking about securing our attack surface.”
SaaS attack surface management is a brand new way to look at addressing foundational challenges around SaaS applications, like gaining full visibility into the SaaS application landscape, securing sensitive data, or staying compliant with federal and industry regulators.
It aims to solve the operational and security challenges of SaaS across multiple layers. First, at the breadth layer, it provides complete and actionable visibility into all known and unknown SaaS applications, as well as into app-to-app connectivity.
Building on those discovery insights, SaaS attack surface management then addresses the depth layer: the security of those SaaS apps. It does so by uncovering and mitigating the risks, such as those stemming from user access policies, password policies, and more, that put sensitive customer and business data at risk.
Finally, because SaaS is part of the overall attack surface, SaaS attack surface management must also contextualize the data and prioritize what really needs to be acted on across the entire SaaS app stack. This enables further correlation across SaaS apps, cloud services, devices, and users in the organization’s environment, streamlining efforts to reduce that attack surface.
By adopting this new approach to SaaS, Axonius SaaS Management lets customers address both the security risks and the operational challenges of SaaS. Via a seamless, non-intrusive deployment that delivers actionable insights from day one, Axonius SaaS Management enables customers to
Axonius SaaS Management, combined with Cybersecurity Asset Management, provides a comprehensive solution that unifies and provides valuable data insights across SaaS apps, cloud services, devices, and users. Customers can easily and effectively control complexity across their entire IT environment.
“Culture is the foundation for any high-performing team. We all process information differently, we listen differently. We come from different backgrounds and experiences. No matter who you are, I want to know that. I want to understand what makes you you and treat you the way you want to be treated, not how I project myself onto you.”
— Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA)
“[Create an environment] where people can understand when they can take time off and not feel like everything is going to fall apart. [Where] they have a plan for their career and how they’re going to grow. [Where] they have time to be with their friends and family enough not to be burned out.”
— Deidre Diamond, founder and CEO of CyberSN and Security Diversity
“Actively invite engagement, listen with purpose, and look for signs of burnout. You can't expect everyone to feel equally comfortable expressing an opinion, and so it's important to solicit feedback at times as opposed to always passively expecting it. When you are getting engagement, listen with purpose. Make an effort to not only hear what's being said, but understand and empathize. Lastly, look for signs of burnout. … If you're noticing signs of burnout on the team, look for ways to intervene, like ensuring adequate team resourcing/load balancing to create a healthy work/life balance for everyone, and that team members are able to take PTO.”
— Daniel Trauner, senior director of security, Axonius
“We need an environment where failure is not only tolerated, but an understood aspect of innovation. Our attackers are failing forward every single day, [and] we deserve the ability to do the same if we are going to protect our people, data, and organizations.”
— Chris Cochran, co-founder at Hacker Valley Media and creative director at Axonius