Introduction to Software as a Service (SaaS)
With the rapid proliferation of rogue cloud applications, it becomes pertinent that new tools are implemented to protect corporate data on the cloud. The main focus is now on Shadow IT, and the growing need for flexibility has put many employee activities off the IT security department’s radar. Employees in organizations use cloud-based apps mostly categorized as Software-as-a-Service i.e., SaaS Security. In a SaaS architecture, the company’s data & applications reside on third-party infrastructure, so a traditional security approach is not enough, we need to look for more advanced solutions like CASB for SaaS security.
SaaS Security At Risk In Organizations
In any organization, there are applications like Microsoft Office 365 and Google Docs, etc., which are sanctioned by the IT department after due identification, consultation, and procurement. Then there is that unsanctioned app, but it can still be there, which is used for communication purposes like Skype and Yahoo IM, etc. Then there are the unsanctioned ones that pose a severe risk. Other departments download these without the consent of the IT department.
These may be used by the employees to boost their productivity levels at the office, but are unaware of the security threats they pose. These have very weak passwords, or the authentication in most cases is simply non-existent. The best solution to SaaS security would be to explain to the concerned people about the security risks and think of some other apps as effective but more secure.
The Need For SaaS Security
When organizations cannot restrict access to users connected through Virtual Private Networks (VPN), then the employees can access sensitive information on public PCs or unsafe Wi-Fi networks. Any organization’s job is to identify such risky systems and deploy a Single Sign-On (SSO) solution to protect their corporate data. High-risk data can be categorized as HR records, customer data, health data, financial data, and critical business information. Even the DNS, content delivery networks, data center management portals, and phone systems that provide essential services to businesses need to be protected from unauthorized access.
CASB for SaaS Security
The single most effective approach to gaining control is by using security services provided by Cloud Access Security Brokers (CASBs). CASBs effectively mediate data between these SaaS applications and the end-user, thus restricting access and reporting any risky behaviors. CASBs either require a client installed on the device or the network between the SaaS app and the user. It helps to intercept the traffic and take appropriate action.
A simple example is when a user needs to store a sensitive code like a social security number. The proxy or the client identifies it as an essential operation and either prevents the user from completing this activity while storing it. Here the access denial is not a foolproof method since the CASB is out of the loop when the employee uses any other machine to log in outside the ambit of the client-installed device.
The Application Program Interface (API) in any CASB solution does not require installing a client application or proxy. Here, rules are set for identifying users and a host of other parameters so that access can be restricted and controlled. CASB would send an email to the user, saying that the document may not be suitable to share it outside the organization. Then there is the API with real-time capabilities, which alerts the admin when there is unauthorized access.
The best approach to secure sensitive data in an organization is to use a combination of API, endpoint, and proxy, depending upon the situation. The security needs of organizations vary, and the requirements of each department also vary. So it is better to chalk out a plan and identify the areas where CASB has to be deployed. The next step would be to discuss your chosen CASB solution with your cloud security provider and have a customized plan using a combination of Data Loss Prevention (DLP) techniques that will gel very well with the security requirements of your organization.