
The Cloud Security Alliance (CSA), together with Adaptive Shield, has just released its 2022 SaaS Security Survey Report. The report reveals the top security concerns for SaaS as seen by chief information security officers (CISO) and security experts. For this year, SaaS misconfigurations once again topped the list of security concerns among organizations. The results were based on a survey of 340 CSA members and consisted of respondents from the Americas, Asia, and EMEA regions. The organizations surveyed also came from a variety of industries including finance, telecommunications, and government.
Since 2019, SaaS misconfigurations have been leading to security incidents such as breaches and data leaks. 43% of organizations reported security incidents that were traced back to misconfigurations; however, the alliance estimates this number could be as high as 63% since 20% of respondents were not completely sure if their organization suffered a security incident because of a SaaS misconfiguration.
Moreover, the report explained that most research into misconfiguration has focused strictly on the IaaS layer. However, the alliance stressed that SaaS security and misconfigurations are equally crucial to maintaining the overall security of an organization. This is consistent with cybersecurity trends that also point out that cloud security is an issue for most cloud services where SaaS apps are hosted. The problems revolve around weaknesses in encryption, authentication, and audit logging. Also, some cloud services fail to isolate user data from other tenants sharing space in the cloud.
What’s Causing SaaS Misconfigurations?
Another key finding related to misconfiguration was the two leading causes of the problem: lack of visibility and too many departments with privileged access.
The lack of visibility pertains to changes in the SaaS security settings, which accounted for 34% of the organizations surveyed. Another 23% reported that their problem was the lack of SaaS security knowledge of users and admins. Meanwhile, 8% reported problems due to misappropriated user permissions. Visibility problems can also lead to new security concerns involving Shadow IT, which refers to apps used by employees that are not explicitly approved by the company’s IT department.
When it comes to access, 35% of respondents reported that their organization has too many departments with access to the security settings of their SaaS platforms. The departments most often responsible for SaaS app security settings include security (59%), IT (50%), and business application owners (40%). Business application owners are people outside security, and while they have valid reasons to access the apps, they “lack the proper knowledge of security and interest in maintaining the application’s security,” as stated in the report. This situation can lead to security issues for people in the security and IT departments.
SaaS misconfigurations can be very challenging to address, especially when employees are accustomed to using their preferred apps or when the company needs to give various departments access so that they can perform their tasks. To improve SaaS security, the report recommended that organizations provide security teams with visibility not only into each SaaS app’s security settings but also into third-party app access and user permissions.
Automation was also cited as a key tool that can help security teams remediate SaaS security misconfigurations in near real time. Manual remediation of these misconfigurations can keep organizations exposed to security threats. Also, security teams might not be able to strictly follow schedules for manual checks, which increases security risks for the organization.
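The two recommendations above, visibility into settings, third-party grants and permissions, and automated remediation of drift, are easier to reason about with a concrete check. The following is an added example, not code from the report, the CSA, or Adaptive Shield; the app names, setting keys, scope names and user addresses are all constructed, and a real deployment would pull the snapshot from each SaaS vendor's admin API instead of the inline dictionaries.

```python
"""Baseline check, drift detection and remediation plan for SaaS security settings.
Added example: every app, setting, scope and user below is constructed, not from the report."""
from dataclasses import dataclass

# Constructed baseline: the value the security team expects for each monitored setting.
BASELINE = {
    "crm": {"mfa_required": True, "external_sharing": "blocked",
            "session_timeout_min": 60, "audit_log_enabled": True},
    "filestore": {"mfa_required": True, "external_sharing": "allowlisted_domains",
                  "link_sharing_default": "internal", "audit_log_enabled": True},
}

# Constructed current snapshot, as an inventory job would pull it from each app's admin API.
CURRENT = {
    "crm": {"mfa_required": True, "external_sharing": "blocked",
            "session_timeout_min": 480, "audit_log_enabled": True},
    "filestore": {"mfa_required": False, "external_sharing": "anyone",
                  "link_sharing_default": "public", "audit_log_enabled": True},
}

# Constructed third-party grants: apps users authorised via OAuth, with the scopes they hold.
THIRD_PARTY_GRANTS = [
    {"app": "calendar-sync", "user": "alice@example.test", "scopes": ["calendar.read"], "approved": True},
    {"app": "bulk-exporter", "user": "bob@example.test",
     "scopes": ["files.read_all", "files.write_all"], "approved": False},
]
HIGH_RISK_SCOPES = {"files.read_all", "files.write_all", "admin.directory", "mail.read_all"}
CRITICAL_SETTINGS = {"mfa_required", "external_sharing", "audit_log_enabled"}


@dataclass(frozen=True)
class Finding:
    app: str
    item: str
    expected: object
    actual: object
    severity: str


def check_baseline(current, baseline):
    """Compare every monitored setting with its baseline; a missing setting is a finding too."""
    findings = []
    for app, expected_settings in baseline.items():
        actual_settings = current.get(app, {})
        for key, expected in expected_settings.items():
            actual = actual_settings.get(key, "<missing>")
            if actual != expected:
                severity = "high" if key in CRITICAL_SETTINGS else "medium"
                findings.append(Finding(app, key, expected, actual, severity))
    return findings


def check_third_party_grants(grants, high_risk_scopes):
    """Flag unapproved third-party apps that hold any high-risk scope."""
    findings = []
    for grant in grants:
        risky = sorted(set(grant["scopes"]) & high_risk_scopes)
        if risky and not grant["approved"]:
            detail = f"{grant['user']} granted {risky}"
            findings.append(Finding(grant["app"], "oauth_scopes", "approved", detail, "high"))
    return findings


def detect_drift(previous, current):
    """Return (app, key, old, new) for each setting that changed between two snapshots."""
    changes = []
    for app in sorted(set(previous) | set(current)):
        old_s, new_s = previous.get(app, {}), current.get(app, {})
        for key in sorted(set(old_s) | set(new_s)):
            if old_s.get(key) != new_s.get(key):
                changes.append((app, key, old_s.get(key), new_s.get(key)))
    return changes


def plan_remediation(findings):
    """Setting findings become automatic 'restore baseline' actions; grant findings need a human."""
    plan = []
    for f in findings:
        if f.item == "oauth_scopes":
            plan.append({"app": f.app, "action": "review_grant", "detail": f.actual, "auto": False})
        else:
            plan.append({"app": f.app, "action": "set", "setting": f.item,
                         "value": f.expected, "auto": True})
    return plan


if __name__ == "__main__":
    found = check_baseline(CURRENT, BASELINE) + check_third_party_grants(THIRD_PARTY_GRANTS, HIGH_RISK_SCOPES)
    for f in found:
        print(f"[{f.severity}] {f.app}.{f.item}: expected {f.expected!r}, got {f.actual!r}")
    for step in plan_remediation(found):
        print("auto  " if step["auto"] else "manual", step)
```

Running the check on the constructed snapshot reports four setting findings (two high, two medium) and one unapproved high-scope grant. Setting drift is safe to auto-revert because the baseline value is known; revoking an OAuth grant is left as a manual step because it can break a workflow a business owner depends on, which is exactly the tension the report describes between application owners and security teams. Scheduling `detect_drift` against the previous snapshot on every inventory run gives the near-real-time visibility the report recommends, rather than relying on periodic manual reviews.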