India’s SaaS ecosystem is exploding, but critical data security remains a concern

It is no news that software as a service (SaaS) applications and associated ecosystems are exploding as everyone wants to use best-in-class applications, which are always available and accessible from anywhere. SaaS applications need considerably little time to set up, needs no maintenance and no upfront investment to develop software and the infrastructure.

With payment models such as pay-as-you-go, organisations have the liberty to utilise the service according to their specific requirement and pay only for a specific amount of usage. Such attractions have led more and more organisations to embrace SaaS applications. It is no surprise that SaaS and associated ecosystems are exploding and thriving with all the conveniences they have to offer.

The problem of user and access explosion

The biggest attraction of SaaS and collaboration applications is the accessibility and collaboration at a global scale. If not managed well, this can also prove to be the biggest problem for organisations.

Organisations can hire many employees and contractors globally as well as have a lot of partners with whom they collaborate on a regular basis. These employees and contractors can be on-boarded with minimum effort, provide them the required access, and immediately get them engaged and working together without any limitations of borders and boundaries.

However, most of these organisations have no clear off-boarding process once the required work is completed. Even if these processes are in place, it is not enforced correctly. This coupled with the fast employee churn rate where the people who originally provided permissions are no longer with the organisation creates a complex and difficult to fix exposure risks.

So, on one hand we have SaaS application developers making every effort to stand out from the competition and enhancing the user experience by playing the best card to make collaboration as frictionless as possible, and on the other hand, it leaves a lot of room for discretion for the organisation’s security admin’s point of view hoisting their and their customer data. SaaS application developers put every effort into making these applications more collaborative and think twice before adding control mechanisms on collaboration capabilities such as guest user access.

As the famous quote in Spider Man says, “with great powers comes great responsibility”, and that’s exactly what entails this enhanced mobility and portability of collaboration which SaaS brings to the table, a widespread critical data security concern. Project owners, custodians, and assigned users may change due to various reasons. This leads to a complex web of access rights assignment, modification, and revocation overhead that becomes next to impossible to eliminate.

At the end of the day, organisational assets, in terms of confidential information and data, are left with users who no longer require those, which creates a nightmare for most data controllers and data processors and result in compliance violations like GDPR.

How can this be avoided?

From a bird’s eye view, an organisation could employ the following three-pronged approach to tackle this.

1.    Controlling and managing user access

2.    Information security program

3.    Training and awareness

Controlling and managing user access

The first part of the approach is controlling and managing user access. In order to achieve this, organisations need to start by creating appropriate access control policies, adopting role-based access control and finally implement access management tools.

a) Establishing clear access control policies

The foundation of any good implementation is a strong and clear definition of access control policies and user management. These needs to be reviewed and tuned periodically.

b) Implement access management tools

It is of utmost importance that the IT teams have the visibility of which types of users engage with their corporate environment. Accurate identification of external and internal users is the key to implementing effective access management strategies.

This, coupled with behaviour analytics and user anomaly can influence decisions with reasonable accuracy. This is clearly a herculean task and only through the use of right tools and the power of machine learning can this feat be efficiently achieved.

c) Implement role-based access control (RBAC)

This is the principle that needs to be implemented to successfully deploy the roles and subsequently implement the users’ access requirements, which were identified during the development of the Access Control Policies.

Unlike assigning privileges and permission to individual users, organisations can define roles with privilege and assign the role to users or user groups, which would then inherit the privileges.

This eliminates the need to modify the attributes of each individual user when trying to change the permissions.

Information Security Program

The Information Security Program needs to be further strengthened with periodic security audits that evaluate the implemented security controls are effectively being operated. During these audits and reviews, it is essential to evaluate the access control and user management policies, role-based access control implementations and any other information security related policies and procedures.

Engaging users in awareness and training

People being the weakest link in any Information Security programme, it is essential to make them aware of the dangers and risks to expect. Therefore, regular and periodic awareness sessions help to ensure the users are sufficiently knowledgeable about the risks, so that they can take necessary precautions.

Conclusion

The adoption of SaaS applications has been constantly increasing, leading to a chaotic development in transferring and storing of sensitive business information. While SaaS applications make it easy to share information, the booming number of applications creates a sticky situation that puts corporate confidential data at risk. IT teams find it challenging to constantly monitor unsanctioned applications as there is often a lack of visibility and awareness of the applications being used in the environment.

An ideal SaaS security solution should be easy to implement and manage, without adding complexity or costs for infrastructure and other security resources. By incorporating cutting-edge technologies such as machine learning and AI, traditional methods of managing and securing SaaS environments could be immensely improved. This can help make decisions on the fly, with minimal human intervention.