By 2021, 73% of organizations will be using all or mostly SaaS solutions. Companies aren’t struggling to adopt SaaS applications, but they are struggling to secure them.

In our webinar on ‘How to secure SaaS applications when everyone is working remotely’, VP of Product Strategy at Wandera, Michael Covington, discusses why existing security technologies are not effective in protecting SaaS applications and what companies can do to mitigate risk.

Business apps are no longer locked in the data center [1:36]

It is no surprise that the majority of workloads have already moved to the cloud. Every leading analyst organization has been covering this for the better part of five years and we’ve seen organizations across pretty much all verticals and every company size really embrace the power of the cloud.

Applications didn’t just move to private cloud or even public cloud, they moved to SaaS.

Applications are no longer locked in the data center, which is great for accessibility but comes with security implications. As a result, we’re now seeing organizations rethink the way they provide access to applications and the way they stand up security services in front of those applications.

The main focus of this webinar is around the adoption of Zero Trust. We’re seeing that 72% of organizations are assessing Zero Trust technologies, primarily around access because they know the appliances they’ve built up over the years in the data center are no longer effective in protecting applications that have moved to the cloud.

The security perimeter separates assets from threats [3:53]

It’s important to look at the progression of perimeter technologies. We often think of the perimeter as a very physical thing. For decades, organizations have invested heavily in fortifying their data centers and ensuring their campuses are a safe place to work securely, but we know times have changed.

With applications moving out of the data center into the cloud, organizations need to rethink their approach to building a new type of perimeter to protect those applications. We saw the transition to a network-oriented mindset where legacy VPN was used to provide access to applications that were outside of the perimeter, maybe sitting in private cloud or at a branch office. What they needed to do was provide secure connectivity between applications and workers.


As time moved on, it was no longer just the applications that sat outside of the campus but also the workers, and identity became the new perimeter. The concept of a centralized identity for every user, as well as the groups they belong to, became the way of determining who could access what assets.

It is clear that security is becoming less dependent on physical barriers as our adoption of virtual cloud-based technologies progresses as well as our use of broader device types that operate outside of the corporate campus.

Establishing an identity perimeter is a good start [6:14]

It is important to emphasize that the concept of identity being the new perimeter is a fantastic place to start. If you look at a maturity model of the adoption of Zero Trust, this is often cited as the foundation.

Identity is complicated; you have on-premises identities and cloud-based identities. There’s been a move over the last several years to centralize identity to cloud-based platforms. Ideally, what these solutions do is authorize users, verify identity, and provide access to applications.

The problem with relying exclusively on identity is that SaaS applications are typically exposed to the internet, so it is very easy for an attacker to go after those applications. If your applications are directly connected to the internet, anybody can knock on the door and start trying to find a way in. All they have to do is successfully impersonate an authorized user and they’ll have access to the critical information your organization is hosting in the cloud.

Identity is not enough [8:03]

Time and time again, we’ve seen scenarios where identity is not enough with account takeovers being a persistent problem.

Account takeovers are identity attacks in which hackers gain unauthorized access to user accounts to steal something sensitive, whether that is credentials to access another system, confidential information that belongs to the business, or potentially even money.

It is often phishing and social engineering attacks that lead to these account takeovers.

Identity-based solutions are great for modernizing your security, especially if you can centralize the concept of users and groups across all of your applications. But relying on Multi-Factor Authentication (MFA) isn’t going to mitigate sophisticated phishing attacks.

We’ve seen phishing attacks, not just on laptops and corporate email, but also in popular mobile applications. Applications like WhatsApp are frequently used to launch very sophisticated phishing attacks.

A good example is the SolarWinds breach where a Golden SAML technique was utilized to gain persistent access to critical company resources like M365. The attackers were clearly after the flow of email, the information that was stored in services like OneDrive and OneNote as well as all of the other information associated with that one single service.

If you think about centralized identity as a way to manage user access rights, it also shows the risk that centralized identity constructs present to businesses. A single compromised user identity can then be used across multiple services and expose enterprise data.

Modern endpoints and additional challenges [11:34]

Unfortunately, it is not just the identity scenario that is the problem here. We’ve also seen that modern endpoints bring additional challenges.

There are trends in the workplace that are pushing users and devices outside of the protected corporate perimeter, along with a shift to devices that may not have the full level of protection we once had on fully managed, company-owned devices.

A big impact has been the broad adoption of remote work. Remote work has quadrupled over the last decade, which gives you an idea of how many people are working outside the company campus. With the transition to remote work, we’ve started to see IT managing more platform diversity. We used to see populations largely consisting of Windows devices because they were company-issued, company-managed devices. Now we see macOS, iOS and Android. We see users trying to get work done on whatever device they have in front of them, even if it is not optimal. This approach is useful for the worker, but it makes it challenging for the business to enforce standards.

Hardware standardization is difficult. A business may make a decision to adopt Android platforms, but once they’ve made that decision, they often don’t specify the OEM and end up with software fragmentation.

We also see a lot of businesses having inconsistent management policies as more open, modern workplace trends are adopted. Not every business wants to manage an endpoint, nor does a helpdesk service team want to scale to manage all the endpoints in play. On average, there are three connected devices per worker that are on the network and have access to sensitive information, whether that be email or line-of-business (LoB) applications. On top of this, we not only have to worry about employees but also contractors and partners.

We may be discussing SaaS applications today, but we need to consider how workers are interfacing with these applications. It is through endpoints, which may not be managed, which may be diverse in terms of the OS, and which may have been exposed to threats. If you have a compromised endpoint accessing a sensitive application, you are very likely to be putting the data in the application at risk.

SaaS security in perspective [14:50]

We recently produced our annual Cloud Security Report and looked at instances of device compromise, zeroing in just on malware examples, and found the following:

  • 37% of devices with malware continued to access corporate email
  • 11% of devices with malware continued to access cloud storage

Verifying user identity is great: it ensures that the right user is at the other end of the connection. But once you introduce account takeover and consider compromised endpoints, you can see the risk your business is exposed to if you don’t start layering on additional defenses beyond just the identity service.

Layered defenses enhance SaaS application security [16:06]

What do layered defenses look like? We’re going to specifically talk about them in the context of Wandera’s platform.

Wandera is a cloud-delivered security solution; we have a presence on the endpoint and we offer a lot of integrations to ensure workflows integrate with existing investments you’ve made.

Identity is the cornerstone of effective access control. Identity is the place to start; it truly is the new perimeter, and from a Wandera perspective, we offer integrations with your existing IdP. The magic of federation means that Wandera supports pretty much every leading IdP on the market today, including Azure AD, Okta and Ping, as well as others.

With cloud-based solutions, you’re able to provide coverage across on-premises and cloud-based applications. As we’ve spoken about, on-demand verification of user identity can limit misuse, but it doesn’t end misuse, nor does a verified user login by itself ensure your data is secure.

We need to think about end-to-end application consumption. If you look at the endpoint from which the user is signing in, this is where you want to start adding in endpoint security. It’s not a matter of just providing endpoint protection; there is a need to provide in-network risk assessments as well.

Wandera’s service is a Zero Trust Network Access (ZTNA) solution designed to support all modern operating systems. By taking this approach, no device management is required for the Wandera service to be deployed, which means the solution works for any ownership type or device model. So there’s nothing to be distributed aside from a simple installation of the app.

The real key to the solution is the transport that provides the connectivity between the device and the SaaS application. This is where we propose the use of ZTNA, a service we call Wandera Private Access. The solution is modern, fast and secure: it uses encrypted tunnels that are mobile-friendly, appropriate for remote workers and very performant.

The routes that we establish are only going to be available to authorized users on secure devices. This is where we start to get the benefit of stacking these layers together. If a user fails the login challenge that is presented by the IdP, they will not have the route established to the SaaS application. If the user cannot successfully prove they are authorized to access the application, they will not be able to login.

We can couple user identity information with device risk posture assessments, so if a device suddenly has malware installed or reaches a compromised state, the connections to those SaaS applications will be broken and the user will be disconnected.

What about attackers? This is where we see the benefits of conditional access and IP lockdown.

Securing business apps and protecting remote workers [22:13]

You want to begin with a trusted foundation by securing the endpoint before you even think about what the user is going to be connecting to. The key here is that this trusted foundation performs a continuous risk assessment of the state of the device and of the user’s credentials, feeding this information into the access policy.

With in-network protection, you also have web filtering policies for corporate devices so you can start to get a handle on shadow IT.

Once you get the trusted foundation in place, you can start to layer on the access technologies. Firstly, you must authenticate the user with the IdP. We use SSO or integrate with your existing IdP. Any modern OS your users are trying to sign in from will first have to go against the IdP to make sure that the user identity is verified. From that point onward, Wandera manages all the encryption and routing behind the scenes, so there is nothing for the user to turn on or manage. All of the application traffic is going to go to the appropriate destination.

Essentially, we’re providing secure access via a private network that has been established to your application, otherwise referred to as a Software-Defined Perimeter (SDP). This uses super fast microtunnels, one per application, so you can have fine-grained control over what applications the user has access to, not what networks. This is where we can implement IP lockdown, ensuring that only users coming across this infrastructure from secured devices are allowed access.

The security risk assessments are not required, but the IdP component is, so you must prove the user is authorized before that route is established.
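As an added illustration, not Wandera’s code, here is a small Python policy broker that orders the checks the way this section describes: the IdP login gates everything, IP lockdown refuses traffic that did not arrive over the private route, and the per-application risk tolerance the Q&A mentions is re-evaluated continuously so that an existing route is torn down when the device’s posture worsens. The threat category names, severities and tolerances are constructed assumptions, not Wandera’s real category list.

```python
from dataclasses import dataclass, field
from enum import IntEnum

Risk = IntEnum("Risk", ["NONE", "LOW", "MEDIUM", "HIGH"], start=0)  # device rating

# Constructed sample of threat categories -> severity (names are assumptions).
THREAT_SEVERITY = {"malware": Risk.HIGH, "mitm_network": Risk.HIGH,
                   "outdated_os": Risk.MEDIUM, "open_wifi": Risk.LOW}


@dataclass
class Device:
    device_id: str
    threats: set = field(default_factory=set)
    via_private_access: bool = True  # traffic arrived over the ZTNA tunnel

    def risk(self) -> Risk:  # posture = worst severity among current findings
        return max((THREAT_SEVERITY[t] for t in self.threats), default=Risk.NONE)


class AccessBroker:
    """Checks in the order the webinar gives: IdP, then IP lockdown, then posture."""

    def __init__(self, tolerance):
        self.tolerance = tolerance  # app_name -> highest device risk it accepts
        self.sessions = {}  # (device_id, app_name) -> entitlements at grant time

    def evaluate(self, idp_ok, entitlements, device, app_name):
        tol = self.tolerance[app_name]
        if not idp_ok:
            return False, "idp: login challenge failed, no route established"
        if app_name not in entitlements:
            return False, "idp: user not authorized for this application"
        if not device.via_private_access:
            return False, "ip lockdown: request did not arrive over the private route"
        if device.risk() > tol:
            return False, f"posture: {device.risk().name} exceeds {tol.name}"
        return True, "route established"

    def connect(self, idp_ok, entitlements, device, app_name):
        ok, why = self.evaluate(idp_ok, entitlements, device, app_name)
        if ok:
            self.sessions[(device.device_id, app_name)] = entitlements
        return ok, why

    def posture_changed(self, device):
        # Continuous risk assessment: tear down routes the device no longer qualifies for.
        dropped = []
        for (dev_id, app_name), ent in list(self.sessions.items()):
            if dev_id == device.device_id and not self.evaluate(True, ent, device, app_name)[0]:
                del self.sessions[(dev_id, app_name)]
                dropped.append(app_name)
        return dropped
```

A device with no findings that later picks up a medium-severity finding loses its route to an application tolerating only low risk while keeping routes to applications with a higher tolerance.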

Although this discussion has focused on SaaS applications, applications that are hosted in public cloud, private cloud, even on-premises can be wrapped into this service. If you’re looking for remote access that is unified across endpoints, applications and works for any type of worker, this would be a solution for you to consider.

Enhancing SaaS application security with Wandera [26:32]

A hardened endpoint is going to establish those connections that you configure from a business perspective, and those connections are all going to be encrypted.

Our Threat Defense solution monitors the endpoint, protects users from phishing, and also protects them from man-in-the-middle (MitM) attacks, making sure that the networks they use are secure. This works well with Wandera Private Access to provide an extra layer of encryption and to ensure performance by giving users a dedicated infrastructure.

Unauthorized users and insecure devices will not be able to connect and your applications are significantly more secure as a result.

At the end of the day, you get:

  • Enhanced security where you can protect against account takeover, enforce real-time risk policies and end-to-end encryption
  • Enhanced performance by using a modern, mobile-aware protocol, traffic prioritization with optimized DNS and geo-aware routing

Enhancing SaaS application security [29:17]

SaaS application security requires a multi-dimensional approach. Identity is the core of any access control solution, but to make sure your application data is being protected properly, you also need to think about endpoint security.

The most critical component that enables you to enhance SaaS application security is ZTNA, where you’re able to allow applications to be hidden until certain conditions have been met. This is where the conditional access features and IP lockdown come into play because they ensure that people can’t find your applications unless they are authorized to do so.

All of this wouldn’t be nearly as effective without continuous risk assessments, something Gartner refers to as adaptive access. This is what is going to help maintain compliance with policy even after a connection is established.

Q&A [31:40]

Q: How do you secure Microsoft 365 accounts using this technique?

A: You can think of SaaS applications as having two control points: the first would be the SaaS application itself, the second is the IdP. In many cases, the IdP is a SaaS-based solution and so you can use risk assessments and the ZTNA connectivity to ensure that only secured devices are getting authenticated. With M365, when I’ve gone in to configure access, I’ve done it through the Azure portal. There is a specific set of policies there for conditional access where you can go in and select individually the cloud applications that you would like to protect. This would be anything from the entire list to just the office apps, Skype and everything in between. You can also select individual users and groups as well as devices and platforms you want the policies to apply to. I mention this because many organizations are not sure where to start with ZTNA and they don’t want to apply conditional access policies to all their workers at once. This policy control that Microsoft has available is a great way to isolate a particular group of users, for example, only those on Windows 10 devices or only those that are using iOS as their OS.

Q: What makes ZTNA different from Azure’s RBAC?

A: ZTNA is the connective tissue between the device and the service itself, so RBAC would still exist. Users would get authentication through Azure AD, and then, only if they are authorized for those applications, the ZTNA connection would be established to that application and allow that user to connect.

Q: How would you use this service to secure a virtual desktop environment?

A: I wouldn’t consider VDI to be SaaS, but you can still do this. We’re seeing a lot of customers using Wandera Private Access to hide their VDI from the internet so attackers aren’t able to find that service and try to exploit it. You can make it so only certain devices can use VDI or only devices that you have authorized.

Q: What is the right place to start with ZTNA, should you start with on-premises applications?

A: We often assume that remote access starts with bypassing a firewall and tunneling into your data center. With the shift to SaaS applications, the reality is you don’t need to set up an on-prem solution at all if you have moved all of your applications out of your data center into the cloud. So no, I don’t think on-premises applications are a required first step; I actually think that SaaS-oriented ZTNA is a fantastic place to start. And you don’t have to replace your existing remote access solution while you check it out, especially if you are using legacy VPN.

Q: Which IdP providers does Wandera support?

A: Azure AD, Okta, Ping – the key is in federation. Our engineers can work with you to ensure that we can support the IdP that you use.

Q: How does your solution comply with data protection regulation?

A: When you are configuring your business apps for Wandera Private Access, you can specify the infrastructure that you want that application traffic to utilize. That means you can keep that application traffic in a particular region or on a particular provider network, which enables you to configure policies so that you’re compliant with the regulations you need to be compliant with.

Q: What exactly do you mean by risk assessment?

A: Wandera’s Threat Defense service offers ~40 threat defense categories that organizations are able to control policy and severity around. All of these map to high, medium and low security ratings. One of the things you are able to do per application is specify risk tolerance. So if a device exceeds a specific risk tolerance, it will prevent access to a user, even if they are authorized.