SaaS series - Cyberhaven: Curbing shadow SaaS connectivity

This is a guest post for the Computer Weekly Developer Network written by Chris Hodson in his role as CSO at Cyberhaven – the company is known for its technology that detects and protects company data from insider threats.

Hodson writes as follows…

SaaS connectivity is core to business and has undoubtedly brought about massive change in the enterprise in the last two decades.

It’s helped organisations make giant leaps in productivity due to cloud-hosted applications, like Google Suite, Salesforce and many, many more.

SaaS marketplaces

Interconnected SaaS marketplaces have dramatically accelerated the time to market for industrialising an application or service outside and inside a company.

It also reduced operational costs of hosting on-prem solutions of yesteryear. SaaS costs can be easily forecasted as they offer repeatable, known, monthly/annual costs and can flex up and down based on usage volumes or user accounts. Plus, it’s not predicated on the need for new hardware (infrastructure or network).

But SaaS has also brought out hidden costs in the way of data security.

The SaaS software supply chain relies on connectivity between internal and external systems and their third parties. 

Just think of the many customers and technology vendors any given company interacts with, which begs the question: do you know if those vendors are secure? Are they treating your data as you treat your own?

Vendor questionnaires?

Let’s ask ourselves, when it comes to the subject of vendor questionnaires—are they enough to secure SaaS connectivity?

I would argue, no.

In order to establish trust with third-party service providers, we need to gain a comprehensive understanding of their code development procedures, incident response mechanisms, privacy protocols and overarching internal security measures. 

For example: 

  • What datacentres and cloud providers do vendors host their data in? 
  • How and where do they develop application code?
  • In the event of a breach, how and when does the provider notify the customer?
  • How is the third-party supplier doing their vendor due diligence?

Often a company will have a security questionnaire to get at some of these answers, but do they work? Somewhat. But just sending out the questionnaire is not enough. They should be supported with contextual discussions (with the provider) where possible. 

Yes/No limitation

Also, too many vendor questionnaires are written in a ‘yes/no’ format.

A few common questions include:

  • Does your company have a Secure Software Development Lifecycle (SSDLC)? A much more powerful question would be to ask the vendor to explain the methodologies, tooling and people associated with their SSDLC. 
  • Do you conduct annual penetration tests? While this provides some level of assurance security is funded at the third-party, a better question probes on the methodology used and how the company scopes their tests. 

There are other methods that provide better application security assurance data too. For example, knowing how many code repositories are in scope for the program, or getting information regarding the company’s application security strategy might give more insight. 

Lastly, be reasonable – don’t ask vendors to complete processes that your team wouldn’t complete.  The objective of vendor due diligence is to establish that the provider has a set of controls commensurate with the information (of yours) that they will be storing or processing. For example, a 500-question spreadsheet for a company hosting public information is probably overkill.

So when it comes to security operations for SaaS, who is responsible?’

CSO at Cyberhaven: Chris Hodson.

Simple, the third-party is responsible. But in order to ensure your data is being handled accordingly, you need to rethink traditional vulnerability management and incident response processes.

You need first ensuring that these external entities have robust processes and technical controls to identify software anomalies and rectify platform misconfigurations. 

Sensitivity, volume & frequency

You need to understand the sensitivity, volume and frequency of data transacted to and from SaaS applications.

Equally crucial is inventory management. Every organization must diligently maintain a record of all the SaaS applications they use. This requires seamless collaboration between the security, IT, as well as finance and procurement teams. 

It’s also critical to classify the sensitivity of the data that a SaaS provider handles. Depending on the situation and regulatory implications, you may require a tailored vulnerability management and incident response timeline to effectively respond and mitigate risk.

Data Center
Data Management