The below originally appeared on the Aquia blog.
In a few weeks, Axonius will hold our inaugural federal forum, Adapt 2023. Taking place on April 13 in Washington, D.C., the forum will bring together industry leaders from the public and private sectors to discuss the most pressing issues facing federal IT and security teams today. Included in our lineup is Chris Hughes, CISO and co-founder at Aquia, who will be speaking on the topic of “Securing SaaS Applications” and the need for SaaS governance. Ahead of the forum, we sat down with Chris to better understand exactly why SaaS governance is such an important topic today.
Amir Ofek: Chris, two years ago, you authored an article titled, “Why You Need a SaaS Governance Plan, and What Should Be In It,” on CSO Online. In it, you wrote about how the rapid proliferation of sanctioned and unsanctioned SaaS applications presents significant security risks to nearly every organization. How so?
Chris Hughes: While SaaS adoption was already seeing tremendous growth, the introduction of the COVID pandemic and exponential increase in the adoption of remote work only accelerated SaaS use. As I mentioned in my original article in 2021, the conversation around cloud security within the industry traditionally has been incredibly IaaS-centric.
This makes sense on the surface when we consider the size of leading IaaS cloud service providers (CSPs) such as Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. However, while organizations are using on average two to three IaaS providers, they are using literally hundreds of SaaS providers and applications, especially in large, complex enterprise environments. Studies I cited at the time showed that SMBs were using over 100 SaaS applications, while large enterprises were using nearly 300 different SaaS applications.
Despite this overwhelming presence of SaaS usage, industry-wide and organizationally, nearly all of our cloud security focus and activities revolve around securing IaaS. This is increasingly coming at our own peril as well, as we see a surge in software supply chain attacks, with increases of over 742% in the last 3 years, per sources such as Sonatype. Included in those figures is software delivered as-a-service, particularly SaaS, as organizations increasingly consume their software and applications from third-party providers. We saw this manifest in situations such as the Twilio security incident, which subsequently went on to impact over 130 other organizations. Malicious actors increasingly see the software supply chain as a brittle and enticing attack surface where they can have a cascading downstream impact on software consumers, and this applies just as much to software delivered as-a-service, such as SaaS.
Ofek: Okay, so where does SaaS governance come in? Why is it necessary?
Hughes: Thankfully, organizations and security leaders are waking up to the dangers of ungoverned and insecure SaaS usage and we are seeing growing interest in making use of tools such as SaaS Security Posture Management (SSPM) as well as investing resources and time in SaaS governance and security organizationally.
As I originally discussed in 2021, while cloud security is a broad domain, SaaS has some specific risks that make it unique and challenging in its own right. We know that on average less than 30% of SaaS usage is controlled directly by organizations’ IT/security teams, and often, these teams are totally oblivious to the extent of their organization’s SaaS consumption, what data resides in the SaaS providers’ environments, who has access to it, or the complex interdependencies that present risk to their organization due to SaaS integrations and utilizing SaaS as part of their core business processes and workflows.
Other complicating factors include the reality that unlike a major IaaS platform that has a standardized set of features, configurations, and capabilities, SaaS providers vary immensely and that variation is exponential due to the hundreds of SaaS applications being used in the modern organization. It is simply unrealistic and impractical to expect someone to possibly know and understand how to secure hundreds of different SaaS applications and their unique configurations and features without the use of automation and innovative SaaS security tooling.
Thankfully, since 2021, my team at Aquia Inc. has had a chance to develop experience in the unique area of SaaS governance and security by establishing and leading a SaaS Governance team in a large, complex federal agency. This program has been oriented around three key pillars, which include the activities of “Discover, Manage, and Secure.” That is discovering what SaaS is in use, establishing flexible but sufficient processes to manage the assessment and sanctioning of new SaaS applications, and ultimately securing the known SaaS footprint.
Ofek: Tell me more. What role does SaaS governance play in helping to mitigate SaaS application risks?
Hughes: As discussed by an agency leader in a recent interview, this program and its activities have involved facilitating a largely distributed and remote workforce, working around current limitations of existing compliance requirements and processes, as well as leveraging innovative cloud-native technologies and capabilities to both discover and secure the agency’s usage of SaaS while not negatively impacting the business owners, staff, or mission, which is a challenging endeavor. All of these activities are occurring as part of a broader SaaS Governance program to help the agency continue to adopt cloud and SaaS as part of enabling their mission, but doing so in a manner that mitigates risks to both the agency and the stakeholders they serve.
Part of that process has included working with you and the team at Axonius. You’ve provided desperately needed capabilities in terms of asset discovery, including SaaS usage as well as SaaS security and hardening to mitigate the risk of known SaaS usage by the agency.
Tools such as these are key to enabling secure SaaS consumption while not impeding the organization from utilizing the myriad benefits that cloud adoption, including SaaS, provides. Software will continue to be a focus for malicious actors, and SaaS represents a core component of the software supply chain with a heavily concentrated customer/user base. Organizations failing to account for SaaS in their cloud security strategy and overall cybersecurity and risk management programs are leaving themselves open to potentially critical impacts and consequences.