Imagine that an image-sharing website had a configuration checkbox for “include my Social Security number in every image I post.” Advisability and legality aside, how would you respond? You certainly wouldn’t enable it. In fact, assuming you continue to use that site, you’d probably take steps to make sure the feature wasn’t enabled, even double and triple checking it’s disabled.
Now imagine you use a hundred different websites, all with similar configuration checkboxes. This would be an even bigger deal if you share a device with family members who might accidentally enable that setting. You’d still check periodically to make sure that setting is turned off, and you might even consider buying a commercial tool or writing a script that uses automation to ensure the setting stays in a secured configuration state.
In real life, no sane web developer would build in a feature to auto-post personal data like your Social Security number online. But most websites have settings that affect the security of the functionality they provide: They ask for permissions, levels of access and configuration options that directly affect security and privacy, from encryption and logging in to multifactor authentication and beyond.
Keeping an eye on those configuration settings across a company can be a challenge. This is where SaaS security posture management, or SSPM, can help.
What is SSPM?
Security-relevant configuration is built directly into SaaS applications that power businesses. This includes settings that encompass everything from authorization and access controls to logging and monitoring, cryptography, data export and multifactor authentication. The more comprehensive and feature-rich the SaaS application, the more operational flexibility these configuration options can provide. This means customers have more choice and control in how the service is configured from a security perspective.
However, understanding what all these options are and what they do can be complicated and confusing. Because most organizations use dozens or, in some cases, hundreds of SaaS applications, there are multiple different settings — and thereby multiple opportunities for insecure configuration. In fact, even if everything is done correctly at the outset, developers frequently add new features, which means new default settings that may not be in line with what you want or what your organization’s policy requires.
Further, trying to keep up with making sure these are all in an optimal configuration isn’t realistic to do manually.
SSPM provides an automated way to ensure SaaS security configurations conform to your company’s policy automatically. If a configuration differs from your policy, the SSPM will let you know, or, in some cases, automatically make the changes to bring your configuration posture back in line. Likewise, where there’s an opportunity to improve security — such as by aligning configuration to best practice — SSPM will notify you to enable corrective action to be taken.
Determining whether your company needs SSPM
If your organization is one that makes heavy use of SaaS, you might be asking if this is a service you require. The answer, as always, depends on your company’s context and needs.
First, note that there is some minor overlap between the functionality of cloud access security brokers (CASBs) and SaaS security posture management. CASBs operate in proxy or API mode. The API mode is similar to SSPM because CASBs are already plugged into the SaaS APIs they are designed to work with, which includes comparing usage with security policy. If your company already has a CASB, it may want to evaluate feature similarities between it and SSPM. And because SSPM is a relatively new space — it was added to Gartner’s Hype Cycle in 2020 — your CASB provider may already have a plan to add SSPM features.
Second, determine what SaaS applications you want to secure as you approach vendor evaluation because the SaaS security model often varies by vendor. Know what you want when vetting vendors. One strategy is to use existing data about the business use of SaaS services — for example, data from a business impact analysis (BIA) or similar — to create a “coverage map” to use in discussions with individual vendors.
This discovery element is important. If you don’t know what SaaS services are in use at your company, make sure a discovery plan is in place. Use existing data, such as a BIA, or use proxies or traffic monitoring tools. Some SaaS security posture management vendors can assist in discovery as well.
Use SaaS security posture management to protect app data and access
While no SaaS application will have a setting as detrimental to security as a configuration that posts Social Security numbers, there are SaaS security settings that must be kept optimized and in line with your enterprise security policy. SSPM can play a role in ensuring SaaS security stays strong and that configurations stay as expected.