SaaS applications such as Google Workspace and M365 are ideal for SMBs: they're easy to use, affordable, and reduce the number of IT admin tasks. As trust in the performance and reliability of the cloud has grown, SaaS has become the next step in many businesses' technology architecture. Nearly 85% of small businesses have already invested in SaaS. Channel Futures predicts that 79% of SMBs are seeking to adopt more operations-oriented apps and 76% more customer-focused applications, and that global SMB SaaS spend will reach $76 billion in 2021. As adoption grows, so does the need for SaaS security to protect these apps.

SaaS App Trends 

The SaaS market is booming, and several vendors saw strong growth in 2020: 

  • Zoom: 2020 brought the 'Zoom Boom', when the video conferencing platform could barely keep up with demand and topped all of Okta's charts at once: most customers, most unique users, and fastest growing. Revenue nearly doubled year over year, from $330.5 million in FY2019 to $622.7 million in FY2020, and the service grew to 300 million daily meeting participants.
  • Office 365: Microsoft's annual commercial cloud revenue passed $50 billion for the first time, driven largely by mass adoption of Microsoft Teams; Office 365 paid seats exceeded 258 million in April 2020.
  • Salesforce: raised its FY21 revenue guidance to $21.11 billion at the high end and initiated FY22 guidance of $25.5 billion. No other major enterprise software company is growing at this rate.
  • Google Workspace (formerly G Suite): Google announced six million business customers for Google Workspace. Google Cloud, which comprises Google Cloud Platform (GCP) and Google Workspace, brought in $3.007 billion, up 43% from $2.1 billion a year prior.
  • Amazon Web Services: AWS surpassed $40 billion in annual revenue, adding an incremental $10 billion in 12 months, faster than ever before.

Okta's Business at Work Report for 2021 shows the growth in usage of the most popular apps.

SaaS Security Concerns

In Ping Identity's survey, respondents identified security concerns that have been stalling SaaS projects: 37% said SaaS security has been the biggest obstacle to SaaS adoption, and 71% of organizations reported spending more to protect customer identity data, whether it is stored in the public cloud, on-premises, or in a SaaS service.

How SaaS has changed the security landscape 

Adopting new technologies is never without its pitfalls, and there’s always a bedding-in period where organizations figure out the functionality, usability, and configuration as well as how to properly secure them. 

With applications, employees, and devices moving beyond the corporate perimeter, security models need to change to accommodate diverse working habits. SaaS applications can be reached from anywhere on any device, and because the organization no longer brokers those connections, the SaaS tenant is exposed directly to the public internet and therefore to a variety of attacks.

While your employees work remotely, you may use a VPN or another remote access solution to enforce a level of security on SaaS traffic, but hairpinning that traffic through the data center is inefficient and introduces unnecessary latency. For high-bandwidth applications like Zoom or M365 it can deliver a poor user experience, completely out of sync with today's expectations. Microsoft recommends against this type of deployment, and instead recommends split tunnelling so that M365 traffic goes direct while other traffic still traverses the VPN; you can read more about this here.

People get frustrated when a webpage doesn't load within two seconds on a cellular network; latency is a problem employees aren't willing to tolerate, and it leads to the VPN being seen as sub-optimal. If you don't need the VPN to log in to a SaaS application, then whenever the VPN misbehaves it is very easy for a user to connect directly to the SaaS application and carry on working, bypassing whatever controls the VPN path was enforcing.

Who is responsible for SaaS security? 

Understanding the Shared Responsibility Model is fundamental to securing public cloud services. You need to understand comprehensively what the Cloud Service Provider (CSP) is responsible for and what you are responsible for. For SaaS, the provider runs and secures the infrastructure and the application itself, but the identities, access policies, tenant configuration, and the data you put into the service remain your responsibility.

In many cases, although responsibility for SaaS application security falls on IT, companies also need to build that fabled security culture. Employees need to be aware of the risks associated with adopting and using SaaS applications. We've produced an 'End User Guide to Cybersecurity' to help them understand the threats associated with cloud services.

How secure is SaaS? 

How secure SaaS is depends largely on the expertise and knowledge you have available to secure it. Cloud skills are in high demand and short supply: more than 80% of cloud leaders identify a lack of internal skills and knowledge as a barrier to cloud success, and 76% of cloud learning administrators say the hardest thing about guiding their people through cloud training is competing priorities, with day-to-day work getting in the way.

Without the needed know-how, it's difficult to plan a clear cloud roadmap and security strategy. You may have only a few core SaaS applications right now (M365, Zoom, Salesforce, perhaps a few more across business units), but as you adopt more, managing and securing them properly inevitably gets harder. Okta's latest Business at Work report shows that companies have 88 applications in play on average; managing 88 applications separately will inevitably lead to misconfigurations and inconsistent policy.

Having the necessary cloud skills and knowledge is also important when deciding which security products are appropriate for cloud-enabled environments. The security market is vast and can be confusing: there are many products with considerable feature overlap, so unless you know exactly what you need to secure SaaS applications properly, you'll likely leave yourself exposed.

To keep pace with the changing needs of SaaS, Gartner recommends a three-pronged approach: reorganize, reskill, retool. First, SMBs should look at reorganizing their IT team, if they have one; in a smaller SMB it might be a single IT employee or an HR member managing an outsourcer. Next, assess where the skill shortages lie and shift attention from operational tasks to change management. Then equip the team with the right tools to enforce SaaS security policies and improve user experience. Along the way, have someone complete a specialist security course to fill the skills gap.

SaaS providers will have varying levels of native security functionality. When procuring a new SaaS solution, you need to understand what the security features do and what level of licensing you’ll need to meet your security requirements. 

The level of native security functionality in SaaS products varies significantly. For instance, Microsoft has an advanced suite of solutions as part of M365, as long as you can afford it, but pure-bred SaaS applications will likely have less sophisticated security offerings that need to be supplemented by third-party services. 

It is also worth checking the ISO certifications of SaaS providers:

  • ISO/IEC 27001:2013: specifies the requirements for establishing, implementing, maintaining, and improving an information security management system, including the assessment and treatment of information security risks relevant to that company.
  • ISO/IEC 27017:2015: guidelines for information security controls for the provision and use of cloud services.
  • ISO/IEC 27018:2019: sets out commonly accepted control objectives, controls, and guidelines for protecting personally identifiable information in a public cloud computing environment.

Bear in mind that these certifications attest to the provider's management system within a stated scope; they say nothing about how securely your own tenant is configured.

SaaS security checklist

Here are the main considerations for SaaS application security:

    • Verifying user identity: as companies transition to cloud-based services, identity-centric security models have become a must-have for securing SaaS apps. Single-factor authentication is not effective: login credentials are too easily stolen or leaked in breaches, and because SaaS applications are exposed to the public internet they are open to password-based attacks such as credential stuffing and password spraying. IAM technologies like MFA and SSO have seen huge growth in adoption because they verify user identity with far greater certainty.
    • Context of access: authentication alone does not tell you whether the device and session are trustworthy. Look for a solution that evaluates device posture (OS version and patch level, presence of rogue or risky apps), monitors continuously, and alerts on events such as compromised accounts, malware, and risky applications.
    • Encrypt cloud data: encrypt sensitive information both in transit to the SaaS application and at rest within it. Most SaaS providers offer this to some extent; where the native options fall short, a CASB can add encryption or tokenization of sensitive fields before the data reaches the provider.
    • Enforce data loss prevention (DLP): DLP inspects sensitive corporate data moving to and from SaaS applications, classifies it (for example by matching card or ID number patterns), and blocks downloads or shares that violate policy, so that a compromised account or malware cannot simply exfiltrate it.
    • Monitor collaborative sharing of data: users can share data, some of it sensitive, through Teams, Slack, Dropbox and the like, including via web links that anyone can open. Collaboration controls let you set permissions on what can be shared, with whom, and who can see it.
    • Check your provider's security: audit the SaaS provider and its compliance with security regulations and practices. Look closely at its encryption policies, security protections, data segregation between tenants, and employee security practices.
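The checklist above names the controls but not what they look like when applied to the audit trail a SaaS tenant actually produces. As an added example (not Wandera's code and not modelled on any particular product), here is a small Python detector that runs three of those checks over constructed audit events: logins without MFA, shares set to "anyone with the link" (rated higher when the file name suggests sensitive content), and card numbers in uploaded content, confirmed with a Luhn check so that random 16-digit runs do not trigger a DLP alert. The event schema, the field names such as `type`, `mfa` and `visibility`, and the sample events themselves are assumptions for this example; real Google Workspace, M365 or Okta audit logs each use their own format.

```python
import json
import re

# Constructed sample audit events (not real logs). The schema and field
# names are assumptions for this example, not any vendor's actual format.
SAMPLE_EVENTS = [
    '{"ts":"2021-03-01T09:02:11Z","type":"login","user":"alice@example.com","mfa":true,"ip":"203.0.113.7"}',
    '{"ts":"2021-03-01T09:05:40Z","type":"login","user":"bob@example.com","mfa":false,"ip":"198.51.100.23"}',
    '{"ts":"2021-03-01T09:10:02Z","type":"share","user":"alice@example.com","file":"Q1-board-deck.pptx","visibility":"domain"}',
    '{"ts":"2021-03-01T09:12:55Z","type":"share","user":"bob@example.com","file":"customer-cards.csv","visibility":"anyone_with_link"}',
    '{"ts":"2021-03-01T09:15:30Z","type":"share","user":"carol@example.com","file":"lunch-menu.pdf","visibility":"anyone_with_link"}',
    '{"ts":"2021-03-01T09:20:00Z","type":"upload","user":"bob@example.com","file":"notes.txt","content":"call card 4111 1111 1111 1111 before friday"}',
    '{"ts":"2021-03-01T09:21:00Z","type":"upload","user":"dave@example.com","file":"test.txt","content":"fake card 4111 1111 1111 1112 is not valid"}',
]

# File names that hint at sensitive content; a hypothetical list for this example.
SENSITIVE_NAME_RE = re.compile(r"(card|ssn|salary|passport|customer)", re.I)
# 13 to 16 digits, optionally separated by spaces or dashes (typical card formatting).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings in text that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def detect(lines) -> list:
    """Apply the three checklist rules to JSON audit events; return alert dicts."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "login" and not ev.get("mfa", False):
            # Verifying user identity: a password-only login is a finding in itself.
            alerts.append({"rule": "login_without_mfa", "severity": "high",
                           "user": ev["user"], "detail": ev["ip"]})
        elif ev["type"] == "share" and ev.get("visibility") == "anyone_with_link":
            # Collaborative sharing: public links are always noted, sensitive names escalate.
            sev = "high" if SENSITIVE_NAME_RE.search(ev["file"]) else "medium"
            alerts.append({"rule": "public_link_share", "severity": sev,
                           "user": ev["user"], "detail": ev["file"]})
        elif ev["type"] == "upload":
            # DLP: only Luhn-valid numbers count, to keep the false-positive rate down.
            cards = find_card_numbers(ev.get("content", ""))
            if cards:
                alerts.append({"rule": "card_number_in_content", "severity": "high",
                               "user": ev["user"],
                               "detail": f"{ev['file']}: {len(cards)} card number(s)"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']} user={a['user']} {a['detail']}")
```

Run stand-alone it reports four alerts: Bob's password-only login, Bob's public link to customer-cards.csv (high), Carol's public link to lunch-menu.pdf (medium), and the genuine card number in Bob's upload. Dave's upload is deliberately not flagged because its number fails the Luhn check, which is the difference between a DLP rule that users tolerate and one they switch off. In a real deployment these rules would be fed from the provider's audit API and the alerts routed to whoever owns the tenant, since under the shared responsibility model that is the customer's side of the line.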

To learn more about the pitfalls of SaaS security, read our blog here

Wandera's Security Suite lets your users work from anywhere at any time while automatically restricting access to sensitive apps and data, increasing your visibility, and requiring no on-premises equipment. It also protects against common threats such as malware, risky apps, and phishing with multi-level cloud and endpoint security, and our threat intelligence engine MI:RIAM scans apps and vulnerabilities in real time, highlighting any problems in your environment.