How to Incorporate SaaS Management into Your Identity Security Program

The SailPoint Blog
| Kelsie Skinner | Happenings

This blog is part two in a three-part series exploring “What is SaaS Management?” In this installment, we’ll dig into the rise of SaaS and its incremental impact on identity security, and how this impacts IT teams. You can see the first installment of the series here: The Danger of SaaS Sprawl: How Unsecured Apps Compromise Your Security.

Speed vs. security. It’s the eternal struggle for every organization. How do you empower your employees by giving them the latest tools to work faster and more collaboratively while still protecting business assets? How do you drive innovation without also increasing risk?

That’s the question at the heart of SaaS Management, something every enterprise is grappling with as companies make the move to a cloud-first environment. Organizations are realizing that a massive increase in SaaS usage is also leading to a dramatic spike in cyberattacks. Phishing activity is up an astounding 42% over the last year, a clear sign that cybercriminals are relentlessly taking advantage of vulnerabilities found in SaaS apps and seeking to exploit missteps by careless employees.

Stolen or compromised credentials, in fact, have become the most frequent cause of data breaches as well as the most damaging, with the average breach now costing a company more than $4.7 million. This is why SaaS Management has become so critical, as it’s essential for organizations to get complete visibility into every identity across their organization. It’s the only way to have a cybersecurity program that’s truly comprehensive, because you can’t protect what you can’t see.

Enter the Maturity Model

So how can companies begin the process of surveying their SaaS landscape, evaluating risks, and determining a path forward? Here’s a model we’ve found to be pretty typical that illustrates the phases of SaaS Management maturity across four key dimensions: visibility, usage data, security, and optimization.

Moving upwards within each category, there is a clear progression from manual and sporadic processes to those that are automated and continuous. Tier 3, for example, provides a baseline for companies looking to get started with SaaS Management, with Tier 1 representing a good example of what a fully mature program would look like.

Even for organizations without an identity security solution in place, SaaS Management provides an excellent starting point since it all begins with discovery. By doing things like outlining an overall SaaS footprint, identifying application owners, and reconciling spend, enterprises can move toward total application visibility, which is the foundation of identity security.

After gaining visibility, a natural next step is assessing SaaS usage data. This includes understanding the functions of each application and then determining who in the org is using each app, how much they’re using them, and how they’re accessing them. IT teams can then use this information to shore up security (identifying risky applications or overprovisioned users) and also address issues of spend (eliminating unused licenses, inactive users, or unnecessary apps).

A deeper dive follows: determining which apps have undergone security reviews, what permissions those apps have, which ones don’t yet have forced single sign-on (SSO) authentication, and what threats might be posed to certification or regulatory compliance. Doing this level of analysis gives enterprises a real ability to strengthen security by addressing gaps in business continuity planning (BCP) and contingencies.

Setting optimization goals is where it all leads, whether that includes getting more apps behind SSO, higher app utilization rates, reduced shadow IT, 100% security approval for high-risk apps, or more stakeholder involvement in SaaS budgets. The ultimate goal, of course, is to provide an identity program that ensures security and compliance – automatically – while also giving your users maximum flexibility as SaaS needs evolve.
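The four dimensions above (visibility, usage data, security, optimization) are all driven by the same SaaS inventory, so the following added example, which is not SailPoint's code, runs a simple assessment over one. The application records, their field names (owner, SSO enforcement, security-review status, risk tier, licenses, active users, last-used date) and the thresholds are all constructed assumptions for illustration, not any product's data model; the point is how each finding category maps back to a dimension of the maturity model.

```python
"""Inventory-driven SaaS assessment across the four maturity dimensions.

Added example, not SailPoint's code. All records and field names below are
constructed assumptions for illustration, not a real schema or real data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed "as of" date so the sample inventory is reproducible.
TODAY = date(2024, 1, 31)


@dataclass
class SaasApp:
    name: str
    owner: Optional[str]        # None means nobody is accountable (a visibility gap)
    sso_enforced: bool          # is access forced through single sign-on?
    security_reviewed: bool     # has the app passed a security review?
    risk_tier: str              # assumed classification: "high", "medium" or "low"
    licenses: int               # licenses purchased
    active_users: int           # users seen in the last 30 days
    last_used: date             # most recent activity anywhere in the app


def sample_inventory():
    """Constructed sample data, not observations of any real environment."""
    return [
        SaasApp("CRM", "sales-ops", True, True, "high", 120, 110, TODAY - timedelta(days=1)),
        SaasApp("Whiteboard tool", None, False, False, "medium", 25, 4, TODAY - timedelta(days=2)),
        SaasApp("Legacy file share", "it", False, True, "high", 50, 0, TODAY - timedelta(days=200)),
        SaasApp("Survey app", "marketing", True, False, "high", 10, 10, TODAY - timedelta(days=5)),
    ]


def assess(apps, today, inactive_after=timedelta(days=90)):
    """Group findings by maturity dimension. Thresholds are assumptions."""
    findings = {"visibility": [], "usage": [], "security": [], "optimization": []}
    for app in apps:
        # Visibility: discovery is only complete once every app has an owner.
        if app.owner is None:
            findings["visibility"].append(f"{app.name}: no application owner")
        # Usage data: an app nobody has touched for a long time is a candidate for removal.
        if today - app.last_used > inactive_after:
            findings["usage"].append(f"{app.name}: no activity in {inactive_after.days}+ days")
        # Optimization: licenses beyond the active user count are spend to reclaim.
        if app.licenses > app.active_users:
            findings["optimization"].append(
                f"{app.name}: {app.licenses - app.active_users} unused licenses")
        # Security: every app should sit behind SSO; high-risk apps also need a review.
        if not app.sso_enforced:
            findings["security"].append(f"{app.name}: SSO not enforced")
        if app.risk_tier == "high" and not app.security_reviewed:
            findings["security"].append(f"{app.name}: high-risk app without security review")
    return findings


def sso_coverage(apps):
    """Fraction of apps with forced SSO, one of the optimization goals named above."""
    return sum(a.sso_enforced for a in apps) / len(apps)


def high_risk_review_rate(apps):
    """Fraction of high-risk apps that have a completed security review."""
    high_risk = [a for a in apps if a.risk_tier == "high"]
    if not high_risk:
        return 1.0
    return sum(a.security_reviewed for a in high_risk) / len(high_risk)


if __name__ == "__main__":
    apps = sample_inventory()
    for dimension, items in assess(apps, TODAY).items():
        print(f"[{dimension}]")
        for item in items:
            print(f"  - {item}")
    print(f"SSO coverage: {sso_coverage(apps):.0%}")
    print(f"High-risk apps reviewed: {high_risk_review_rate(apps):.0%}")
```

Tracking `sso_coverage` and `high_risk_review_rate` over time is what turns a one-off discovery exercise into the continuous, automated posture the upper tiers of the model describe: the same checks run against each refreshed inventory, and the goals ("more apps behind SSO", "100% security approval for high-risk apps") become numbers that either move or don't.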

The SaaS Management Jump-Start

The best news about SaaS Management is that it’s easy to incorporate. For organizations with an identity security program already in place, there’s only the question of implementation. Fortunately, robust tools are available that can be integrated seamlessly with any system. IT teams will find that adding a SaaS Management module to an existing tech stack is fast and offers immediate returns.

Similarly, for companies launching an initial identity program (or for those early in their identity journey), addressing SaaS Management first makes sense because it sets up a way to take a holistic view. Starting with the task of getting maximum visibility into your SaaS environment can then lead to a more strategic approach overall to managing enterprise identities and better controlling access.

With that visibility achieved, organizations will quickly begin seeing substantial benefits — both to their security profile and to their bottom line. Imagine an enterprise with no software redundancies, where every app is fully visible and its usage fully optimized, and where even the potential development of a risk, breach, or toxic combination triggers an automated alert.

This is not the company of the future; it’s what smart businesses all over the world are taking advantage of today, right now. And it’s a reality that’s achievable, sustainable, and easily within reach.

Stay tuned for the final post in this series: “How SaaS Management Powers Employee Efficiency.”