The Intersection of Enterprise SaaS Adoption and Information Security
There is a perception from the business that, if it adopts a cloudservice, the provider will take care of security. This is true to somedegree, because cloud providers are responsible for all the infrastructurethat drives SaaS applications. When using a sanctioned cloud service,users do not need to run the networking, servers, storage, firewalls,intrusion prevention systems (IPSs), distributed denial of service (DDoS),infrastructure access control and security operations centers (SOCs). WithSaaS, these security elements are \built-in," with a simple per-user,per-month billing model that enterprise SaaS applications deliver. For thelarge SaaS providers, such as Salesforce, Microsoft, IBM, Google, thebusiness can also make the entirely valid claim that these providers havea bigger and better resourced security team.
However, there are many aspects of SaaS security that most organizationsmay not know about or pay attention to. Examples of questionsorganizations may need to ask include:
- Do you have visibility into which users are sharing data, and whatdata are they sharing
- From where are users accessing SaaS services and data?
- Can you enforce policy that can prevent, restrict or detail accessfrom undesirable devices, unwanted behavior, geographic regions and IPaddresses?
- If a business wants to run a category of SaaS application (CRM,storage or productivity), how can you ensure your organization areproactively recommending one that is business-ready?
- How can I detect (and then deny) malicious actors who have accessedmy applications yet have valid user credentials?
- If your organization selects a cloud service that might not have thecompensating controls I need (encryption, tokenization or data lossprevention), how can you mitigate this?
In this webcast, we'll cover a variety of controls and considerationsrelated to SaaS security, with recommendations on how to improve thesecurity posture of your SaaS implementations.
