If you work on the web, chances are you've built more than a few accounts over the years that you've likely forgotten about - do you remember your Myspace password? Or even what Yahoo/Hotmail email address you were using then? How many Trello accounts did you start before you really got onboard? How many Google accounts do you have? What about that trial Salesforce account from 2006? Constant Contact? Flickr?
Now take that general tendency to try a lot of things when seeking solutions to the various problems of our digital life, turn around to look at our business life, and then look across the company. There are so many opportunities for pervasive digital links that you absolutely must make it a priority to get your SaaS accounts in order.
Here are a few big reasons that you should explore the security of your SaaS situation STAT:
- Phantom IT - What SaaS products are being used by your company or on your company's "behalf" that are not properly managed or monitored by IT?
- Questionable Access - What SaaS products, known or unknown, have access to sensitive, or even rote company data?
- Effective Employee Offboarding - What SaaS products to former employees still have access to? This isn't the boy scouts - you hired them for the immediate and long term potential ROI of their job - you can't risk losing any of that IP.
- Money - What SaaS products are billing you for services that are no longer being monitored (or generating ROI)
Those are good reasons, and I'm sure your motivated to start sussing out suspicious SaaS. These secrets will give you the angles to explore for success. Let's get started!
The Secrets of SaaS Security:
Security isn't all about passwords and cryptography, privileges and procedures. In fact, the more digital our businesses become, the more we have to lose - someone can scrape original content and rebrand it; someone can spoof customers; someone can steal bespoke analytics and create a whole new business. Your business is all about building and retaining value, and if you have something that has value, you can be sure someone is working on a way to take it from you.
1. SaaS Security is probably better than what you had
Despite initial fears about SaaS security, it turns out there are a number of reasons why your data and IP is potentially safer in the cloud - the software is constantly being updated with redundant instances in secure data centers spread around the globe. There are likely automatic backups, and most credible vendors go through third party audits.
I always equate this with canned beer - we often think of it as a lesser option, but the truth is that beer in a can has less exposure to normal air and light both of which can damage beer (most famously the skunky aromas you'll encounter with beer in green or clear bottles, but there are more, many more) and is therefore a better solution in most cases.
2. Your users may be the weak link in the security chain
Phantom IT is a real problem. A McAfee survey from 2013 said "eighty per cent of employees are using non-approved SaaS." Even though these non -sanctioned products mostly represent employee's desires to get something done more efficiently, they do present a very real security hole through which your IP can drain. Not to mention the potential for them to lose control of a service that is embedded behind your firewall.
3. SSO (Single Sign-On) is a good start, but not enough
Identity management is a mess. Even if you've brought your business very close to a single-sign on situation, you will find that there are still some apps that don't allow for easy access to the functionality you desire, so you may have shared admin or team logins providing a potential end-run around protocols.
4. SaaS companies haven't made management tools a priority
Not their fault necessarily - the pressures of growing a business put most of the development pressure on new features, with reporting and management tools taking a back seat in the priority scale. This does leave an opportunity for robust reporting SaaS and management SaaS.
A Couple of Suggestions for Maximizing Your SaaS Security:
1. Make a Policy
Check out How to Create a Saas Governance Policy, and create a policy that works for your business. Remember to make it inclusive and not exclusive!
2. Get a rock-solid SLA
As today's Amazon S3 outage enters its second hour, many of us who use programs that rely on the service have a gentle reminder of how mission critical even a note-taking app can be. A more important factor than raw uptime might be - how long until security patches are implemented after public disclosure of a flaw?
3. Insist on a transparent product development regimen
Many SaaS providers start out in gunfighter mode, where they create functionality on the fly and squash bugs quickly. But as their business grows they enter a more conservative phase - necessarily so. You want to know what is on their roadmap so you can easily tell where your needs fall on their timeline. More important than that, from a security standpoint, is that you need to know when they are working on something that is mission critical so you can maintain vigilance over your IP.
SaaS has provided several opportunities for innovation in the modern workplace, but has brought with it some security concerns. Make sure you know what SaaS your company is using, take advantage of the improvements in security it can bring, and start trying to get a handle on your Phantom IT.