By Sean Malone, Chief Information Security Officer, Demandbase
Security for Software-as-a-Service (SaaS) solutions has been a priority since the inception of this technology, but it’s become even more essential over time. As the number of platforms has increased, so has the volume of data that SaaS companies gather, store, and use. At the same time, it’s recently been found that 40% of all SaaS assets are unmanaged, leaving companies and their customers at significant risk of security incidents and data breaches.
With this in mind, SaaS organizations can no longer take a status quo approach to cybersecurity. It’s time to modernize and improve. Here’s a look at how, and what the future of cybersecurity in SaaS needs to look like to ensure the protection of consumers, companies, and ever-increasing volumes of sensitive data.
The Current State of Security in SaaS
Today, cybersecurity in this segment of the tech industry is highly variable. Some SaaS companies handle their security programs extremely well, while just as many (if not more) struggle to do so. Most SaaS platforms are built on Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS), operating with a shared responsibility model. This means that there are components of the security responsibilities that the IaaS or PaaS cloud provider operates, and then there are components that the company building a SaaS product on top of that cloud environment is expected to operate. This setup can be challenging, as there are many competing priorities, particularly for early-stage and hyper-growth SaaS companies.
The Catalysts for Change
Even when SaaS companies are aware of their responsibilities and the need to tighten up their security, it can be hard to carve out the time, energy, and resources to make that happen. For many, it’s downright overwhelming. Because of this, they might kick the can down the road and wait to make meaningful changes until it’s too late.
In addition to the security concerns, this frequently presents a compliance risk for privacy regulations as well. Typically, companies that struggle to protect their infrastructure and manage the security of their data will also struggle with meeting customers’ privacy expectations for that data. Both B2B and B2C organizations are feeling the squeeze of selling to customers who are increasingly concerned about the security and privacy of their data. As consumers continue to demand more from companies, companies will have to improve their cybersecurity and data management in order to earn — and keep — customer trust.
How to Implement Forward-Looking Quality Management
As SaaS organizations look to prudently manage the security and privacy of their platforms, there are some key points to keep in mind. First, building on top of cloud platforms as if they’re just another data center is not an effective strategy. Even with containerized software, treating a cluster of servers as if it were sitting in an on-premises data center results in brittle environments that are difficult to secure and manage. This approach requires more manual changes, and fails to take advantage of the agility and resiliency offered by cloud-native architectures. More importantly, though, it increases the likelihood of making critical mistakes in that environment. This is because, more so than with on-premises tech, you’re typically only one configuration change away from creating a significant security issue. Instead, here’s a look at how the savviest SaaS companies handle quality management now – and in the future:
Automating deployment of cloud architecture through infrastructure as code (IaC).
This has multiple security benefits, but one of the primary benefits is that it lets you scan the architecture definitions, just like you scan any other code prior to deployment. So you can identify issues before anything touches a production environment. This also enables the next key item, which is…
Drastically minimizing manual changes in production environments.
It’s critical that you roll out changes through IaC from a version-controlled, peer-reviewed software repository as part of a standard development practice. And beyond this, seek to eliminate human access to production environments altogether. As humans, we tend to make mistakes when implementing changes manually, so if you create an entire discipline around automated testing, peer review and version-controlled repositories when it comes to infrastructure management, you’ll have more securable (and more stable) environments.
Working closely with product teams and engineering teams.
The final key to top-tier quality management of the future is to collaborate with product and engineering teams to integrate security requirements into the normal research and development processes. Your ability to secure the environment will depend on a great relationship with these teams.
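To make the first two points concrete, here is an added example (not from the original article or Demandbase) of a pre-deployment policy check that runs over an IaC definition before anything reaches production: it flags a port opened to the whole internet and a storage bucket left public or unencrypted, and reports whether the change should be blocked. The resource schema, the constructed weak and corrected definitions, and the severity threshold are all assumptions made for the example.

```python
"""Pre-deployment policy check over an IaC definition (constructed example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str
    message: str


# Ports that may legitimately be reachable from anywhere (assumption: only HTTPS).
PUBLIC_PORTS_ALLOWED = {443}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def check_definition(resources):
    """Return policy findings for a list of resource dicts (simplified schema, an assumption)."""
    findings = []
    for r in resources:
        name, kind = r["name"], r["type"]
        if kind == "security_group":
            for rule in r.get("ingress", []):
                net = ipaddress.ip_network(rule["cidr"], strict=False)
                # prefixlen 0 covers both 0.0.0.0/0 and ::/0, i.e. "open to everyone"
                if net.prefixlen == 0 and rule["port"] not in PUBLIC_PORTS_ALLOWED:
                    findings.append(Finding(name, "high", f"port {rule['port']} open to {rule['cidr']}"))
        elif kind == "bucket":
            if r.get("public_read", False):
                findings.append(Finding(name, "high", "public read access enabled"))
            if not r.get("encrypted", False):
                findings.append(Finding(name, "medium", "encryption at rest disabled"))
    return findings


def should_block(findings, block_at="high"):
    """Gate the pipeline: block the deployment if any finding meets the threshold."""
    return any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[block_at] for f in findings)


# Constructed sample definitions: the weak version beside the corrected one.
WEAK = [
    {"name": "app-sg", "type": "security_group",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}]},
    {"name": "customer-data", "type": "bucket", "public_read": True, "encrypted": False},
]
HARDENED = [
    {"name": "app-sg", "type": "security_group", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"name": "customer-data", "type": "bucket", "public_read": False, "encrypted": True},
]

if __name__ == "__main__":
    for label, definition in (("weak", WEAK), ("hardened", HARDENED)):
        found = check_definition(definition)
        print(label, "blocked" if should_block(found) else "allowed", [f.message for f in found])
```

In a real pipeline the same check would run on the rendered plan of the change under review, so a reviewer sees the findings alongside the diff before approval.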
Key Milestones & Metrics
If you’re wondering how to measure forward progress toward handling cybersecurity as the future will require, here are some questions you can consider and metrics you can measure:
To what extent are security requirements fully baked into product requirements?
To what extent does the product team proactively reach out to the security team to think about security early in the process?
What percentage of infrastructure is deployed as IaC?
What percentage of both infrastructure and application code is automatically scanned for security issues before going into production?
When issues are identified, how long do they take to resolve?
These are all areas to be reviewed and quantified, when possible, in order to gauge improvement. And, you can put metrics around these at individual engineering team levels. This helps you evaluate the security performance of an individual engineering team, and then aggregate that to engineering departments. You could even gamify security, by making it a friendly competition and using these metrics as a way to raise the bar on engineering security across the entire organization.
Great Security Depends on Great Engineering
Above all, one of the main tenets of product security is that it is either strengthened or weakened by the quality of engineering practices — and this is not going to change anytime soon. If anything, as we move into the future, SaaS organizations’ security will only be as good as their operational practices and architectures can support. So, by driving quality expectations throughout the entire research and development organization, you can create more securable platforms.
This requires robust, resilient architectures, IaC that reduces manual access, knowing where your data is and how it’s used, and thorough documentation around all of it. Great engineering practices may not technically fall under the umbrella of cybersecurity, per se, but they enable a security team to embed security controls in an efficient manner. They also can make you less dependent on manual changes by humans, which we know are where the lion’s share of security breaches originate.
What is the Future of Cyber Security in SaaS?
As SaaS platforms continue to be created, elevated, and relied upon, the data they capture and store will also grow. It’s every SaaS company’s responsibility to not only implement the minimum requirements, but to look ahead to what future expectations will be and start planning to exceed them now. This will help organizations ensure that they can earn customer trust and loyalty, and that our data-rich world will stay secure for all.
About the Author
Sean Malone is the Chief Information Security Officer at Demandbase. In his role, he is responsible for the information security and IT functions. Prior to joining Demandbase, Malone led information security, delivery, product, and R&D for VisibleRisk, which was acquired by BitSight Technologies. Prior to that, he was Head of Cyber Defense for Amazon Prime Video, and previously spent ten years in offensive information security, performing red team engagements and cyber defense consulting for major financial institutions, casinos, gold mines, social media platforms, and similar high-value targets. Malone holds an MS in Information Security & Assurance, as well as the CISSP, CISM, CISA, CCISO, AWS Solutions Architect, and AWS Security Specialty certifications. He’s active in the security community, including presenting research at Black Hat, DEF CON, and other conferences. He has a patent pending for his work on assessing security programs and quantifying cyber risk.