Follow the Data: 8 Questions About SaaS Application Security
Last month at the GigaOM Structure conference, Ashar Baig, Cloud Research Director, led a panel about application security in the cloud era. The gist of the discussion was that with the advent of the cloud, SaaS applications that were born in and live in the cloud have flipped the traditional security model on its head, and enterprises need to reevaluate their overall security envelope to include cloud apps and services.
Adallom CEO, Assaf Rappaport, participated in the panel, and his answers were relevant to many of the cloud security questions I get on a regular basis. While Ashar didn’t get around to asking all the questions he had initially prepared for the panel, I asked Assaf to go through them all and respond in writing because they resonate with questions I get all the time about the SaaS security space. I hope you find it useful.
Ashar Baig (AB): Why should CIOs care about applications that are not on their corporate servers behind the corporate firewall?
Assaf Rappaport (AR): The cloud revolution is over. We are now squarely in the cloud era – so we should accept it as a fact that enterprise data is gravitating to the cloud. Turning the cloud off is not an option, so CIOs need to protect data in the cloud because they are accountable for its integrity, and liable in the event of its exfiltration.
AB: Why is traditional security not sufficient to protect corporate intellectual property (IP)?
AR: Security for the cloud must be in the cloud. When users access cloud services, they do so on unmanaged devices, outside of the corporate perimeter – so they are outside the purview of firewalls and IPS in the datacenter, and beyond the reach of endpoint protection. It’s simple: you can’t secure what you can’t see.
AB: There are hundreds of SaaS apps, and protecting all of those at the same time is a colossal task for IT. Where does one begin? What is the low-hanging fruit?
AR: Follow the data. We consistently talk to CIOs who speak to us in hushed tones about cloudpocalypse: an audit revealed 200 Shadow IT applications used by their employees! But when we look deeper, we always find that the majority of critical enterprise data in the cloud is usually contained to five or fewer cloud services. These are the low-hanging fruit – for example, if 90% of your enterprise data in the cloud is in Salesforce and Box, then focus your resources on those two apps first, and then tackle the other 198 apps that account for less than 10% of your attack surface.
AB: Can you educate the audience on the various approaches to SaaS protection and the pros and cons of each approach?
AR: Let’s start by stating the obvious: Logs and endpoint agents are useless because the first is tethered to the perimeter and the second requires a managed endpoint. That leaves proxies – forward proxies are messy because they require cooperative users – and both forward and reverse proxies can be construed as single points of failure. Ultimately, the conclusion I’ve reached is that any SaaS vendor that can be classified as “enterprise grade” will offer APIs that allow security ecosystem partners to extend IT purview and security controls into the service.
AB: What role does machine learning play in threat detection and mitigation?
AR: Some might say the only way forward in security is to apply lessons learned from financial fraud prevention to data exfiltration protection, but I don’t think that’s good enough because unlike money, it’s hard to know what the true value of data is until it’s been exfiltrated – the risk appetite for a data breach is much lower than financial fraud. Prior to Adallom, our R&D team built machine learning algorithms that used anomalous activity detection to prevent terrorism, where, as you can imagine, the risk appetite was nil.
AB: What trends have you seen with regard to securing SaaS applications recently that you did not expect?
AR: I’m consistently surprised by the abundance of CISOs who believe that the cloud can be “turned off” or “blocked”. When I started Adallom I assumed that enterprise leaders would accept that cloud applications are now part of their reality – as I said in the beginning, it’s obvious to anyone without blinders that the cloud revolution is over. But time and time again we keep running into IT and security execs who would rather pour more money and resources into blocking SaaS than enabling it.
AB: What kind of technology innovation do you think is needed to keep up with the spikes in threat detection and mitigation in the cloud?
AR: I actually feel the bigger problem is education, not innovation. We’ve made incredible strides forward in cloud security, but IT budgets don’t reflect the need. As data migrates to the cloud, so does the corporate attack surface – it’s imperative that CIOs integrate cloud security projects into their budget – the technology is out there, and it’s really good – you just need to buy it.
AB: What does the SaaS protection roadmap look like? How will this technology evolve?
AR: The primary evolution that we’ll be seeing is a commoditization of operational controls like encryption and DLP as SaaS vendors implement them as platform features. Innovation must be tied to autonomous prevention of insider threats. I also think the security ecosystem in many ways will become platform-driven itself, a sort of Security PaaS – but that’s much further out.