SaaS application use is becoming ubiquitous in the enterprise, and the resulting increase in risk will require more robust data loss prevention strategies from security teams. It also raises critical questions such as:
- Who is using SaaS apps and which ones?
- What type of data is being transferred out of the enterprise into these apps?
- What is the risk associated with different types of apps?
- Is the data “safe” outside of the persistent layer of those SaaS apps?
Ultimately, to assess the risk associated with the use of these cloud service applications, IT teams need 24/7 visibility into the traffic flowing into these applications, including “Shadow IT” use by internal and external users within the enterprise.
There are 3 types of risk associated with SaaS usage that security teams need to consider:
- Static risk
- Behavioral risk
- Organizational risk
Let’s review each type of risk in more detail:
Static risk – This is the risk that is inherent to a specific app, independent of how it is used. The first step toward visibility is to discover which SaaS apps are being used by the enterprise. Once an app is discovered, a static risk value is assigned based on the operational practices of that app. This risk value is an aggregate of specific items such as:
- Security Certifications such as SOC2, SSAE16
- Compliance with HIPAA or PCI
- Disaster recovery policies and documentation
- Support for encryption of persistent data (data at rest)
- Single Sign-On support
- Number of years in business
- Whether the vendor is a publicly traded company
Organizations need a database of static risk attributes for SaaS applications in order to calculate this risk.
Behavioral risk – This is a dynamic risk based on the usage patterns of these applications. For example, a file sharing SaaS app might not have a very high static risk assigned to it, but the app might still be risky if files containing sensitive information are uploaded to it from inside the firewall. This risk takes into account abnormal behavior by a user within the enterprise. For example, if a user of this app usually uploads only 1 GB of data per day, and then uploads 100 GB per day 3 days in a row, that is risky behavior that should be detected and should add weight to the risk calculation for that specific SaaS application.
Behavioral risk calculation could be based on items such as:
- Deviation from normal behavior
- Transfer of unusual amount of data out of the enterprise
- Transfer of risky data such as social security numbers or credit card numbers or source code
- Transfer of specific data types or file types into the SaaS applications in the cloud.
Dynamic visibility into and monitoring of data transfers, with alerting when unusual activity occurs, is critical to preventing unauthorized data transfer.
Organizational risk – This risk value takes into account the organization’s own requirements regarding data loss prevention. The static and behavioral risk of a specific SaaS app are important to any organization, but certain SaaS apps might be riskier depending on the type of organization that is using them. For example, a file sharing SaaS app might carry a larger risk for a healthcare company than for a retail-based company. Healthcare companies might be subject to governmental regulations (such as HIPAA) that affect the risk calculation for SaaS application usage.
Each type of risk carries a weight that is used in the calculation of total risk. Augmenting the weighted behavioral risk and static risk with an organization’s internal vendor assessment produces a comprehensive SaaS risk score that can be used to minimize threats arising from the use of SaaS apps by employees or by applications from within the enterprise.
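The following is an added worked example, not code from the original article or from any particular CASB product, showing one way the three risk types described above can be combined into a single score. The control names, point values, weights, the "baseline mean plus 3 sigma" anomaly threshold, the industry multipliers, and the sample upload volumes (1 GB/day baseline, 100 GB/day for 3 days) are all constructed assumptions; a real deployment would source the static attributes from a vendor risk database and the volumes from proxy or CASB logs.

```python
"""
Toy SaaS risk score: static risk + behavioral risk, scaled by an
organizational factor. All weights, thresholds and sample data below are
constructed for illustration (not from the original article).
"""
from statistics import mean, pstdev
from typing import Dict, List

# --- Static risk -----------------------------------------------------------
# Each entry is a control from the static-risk checklist and the number of
# risk points added when the app LACKS that control (assumed values).
STATIC_CONTROLS: Dict[str, int] = {
    "soc2_or_ssae16": 25,          # security certification
    "hipaa_or_pci": 20,            # regulatory compliance
    "dr_policy_documented": 15,    # disaster recovery policy/documentation
    "encryption_at_rest": 20,      # encryption of persistent data
    "sso_support": 10,             # single sign-on
    "years_in_business_ge_5": 5,   # vendor maturity
    "publicly_traded": 5,          # public-company disclosure obligations
}


def static_risk(app_profile: Dict[str, bool]) -> float:
    """Return 0..100: sum of points for every control the app does not have."""
    return float(sum(pts for ctl, pts in STATIC_CONTROLS.items()
                     if not app_profile.get(ctl, False)))


# --- Behavioral risk --------------------------------------------------------
def anomalous_days(baseline_gb: List[float], recent_gb: List[float]) -> List[int]:
    """
    Indexes of recent days whose upload volume exceeds the user's baseline.
    Threshold = max(mean + 3*stdev, 3*mean) so a flat baseline (stdev ~ 0)
    still tolerates ordinary day-to-day variation (assumed rule).
    """
    mu = mean(baseline_gb)
    threshold = max(mu + 3 * pstdev(baseline_gb), 3 * mu)
    return [i for i, gb in enumerate(recent_gb) if gb > threshold]


def behavioral_risk(baseline_gb: List[float], recent_gb: List[float],
                    sensitive_hits: int) -> float:
    """
    0..100: 20 points per anomalous-volume day (capped at 60) plus 10 points
    per detected sensitive-data transfer such as SSNs, card numbers or
    source code (capped at 40). Point values are assumptions.
    """
    volume_component = min(60.0, 20.0 * len(anomalous_days(baseline_gb, recent_gb)))
    sensitive_component = min(40.0, 10.0 * sensitive_hits)
    return volume_component + sensitive_component


# --- Organizational risk ----------------------------------------------------
# Multiplier applied to the weighted score for (industry, app category).
# Healthcare + file sharing is weighted higher because of HIPAA exposure.
ORG_FACTORS: Dict[tuple, float] = {
    ("healthcare", "file_sharing"): 1.5,
    ("retail", "file_sharing"): 1.0,
}


def organizational_factor(industry: str, app_category: str) -> float:
    return ORG_FACTORS.get((industry, app_category), 1.0)


# --- Total ------------------------------------------------------------------
WEIGHTS = {"static": 0.5, "behavioral": 0.5}   # assumed weights


def total_risk(static: float, behavioral: float, org_factor: float) -> float:
    weighted = WEIGHTS["static"] * static + WEIGHTS["behavioral"] * behavioral
    return min(100.0, weighted * org_factor)


def score_scenario(industry: str) -> Dict[str, float]:
    """Constructed scenario: a mostly well-controlled file sharing app whose
    user jumps from ~1 GB/day to 100 GB/day for 3 days in a row."""
    app = {"soc2_or_ssae16": True, "dr_policy_documented": True,
           "encryption_at_rest": True, "sso_support": True,
           "years_in_business_ge_5": True}         # no HIPAA/PCI, not public
    baseline = [1.0, 1.2, 0.9, 1.1, 0.8]            # GB/day, constructed
    recent = [100.0, 100.0, 100.0]                  # GB/day, constructed
    s = static_risk(app)
    b = behavioral_risk(baseline, recent, sensitive_hits=0)
    f = organizational_factor(industry, "file_sharing")
    return {"static": s, "behavioral": b, "org_factor": f,
            "total": total_risk(s, b, f)}


if __name__ == "__main__":
    for industry in ("healthcare", "retail"):
        print(industry, score_scenario(industry))
```

Running the scenario for both industries shows the same app and the same user behavior producing a higher total for the healthcare organization than for the retail one, which is exactly the organizational-risk effect the text describes; the anomaly detector also returns the specific days that crossed the baseline so they can feed an alert.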
A comprehensive CASB monitoring and discovery solution should provide a risk score based on each of the risk assessment calculations above. The best solution:
- Includes 24/7 monitoring of data transfers to SaaS applications.
- Provides alerting capabilities when anomalies and risky behavior are detected.
- Works for both internal usage of SaaS apps and when employees access those apps from outside the firewall through a mobile device.
- Generates risk reports based on all 3 calculations that can be shared with different business units within the organization.