SaaS application use is becoming ubiquitous in the enterprise, resulting in an increase in risk that will require more robust data loss prevention strategies from security teams. It also raises critical questions such as:
Ultimately, to assess the risk associated with usage of these cloud service applications, IT teams need 24/7 visibility into the traffic flowing into these applications and into “Shadow IT” use by internal and external users within the enterprise.
There are 3 types of risk that we associate with SaaS usage that security teams need to consider:
Let’s review each type of risk in more detail:
Static Risk – This is the risk that is intrinsic to a specific app. The first step toward visibility is to discover which SaaS apps are being used by the enterprise. Once an app is discovered, a static risk value is assigned based on the operating protocols of that app. This risk value is an aggregate of specific items such as:
Organizations need a database of static risk for SaaS applications to be able to calculate this risk.
Behavioral Risk – This is a dynamic risk based on the usage patterns of these applications. For example, a file sharing SaaS app might not have a very high static risk assigned to it, but the app might still be risky if files containing sensitive information are uploaded to it from inside the firewall. This risk takes into account abnormal behavior by a user within the enterprise. For example, if a user of the app usually uploads only 1 gig of data daily, and then uploads 100 gigs/day for 3 days in a row, that is risky behavior that needs to be detected and that should add weight to the risk calculation for that specific SaaS application.
Behavioral risk calculation could be based on items such as:
Dynamic visibility into and monitoring of data transfers, with alerting when unusual activity occurs, is critical to preventing unauthorized data transfer.
Organizational Risk – This risk value takes into account the organization’s own requirements regarding data loss prevention. The static risk and behavioral risk of a specific SaaS app matter to every organization, but certain SaaS apps might be riskier depending on the type of organization using them. For example, a file sharing SaaS app might carry greater risk for a healthcare company than for a retail-based company, because healthcare companies might be subject to government regulations (such as HIPAA) that affect the risk calculation for SaaS application usage.
Each type of risk carries a weight that is used in the calculation of total risk. Augmenting the weighted behavioral risk and static risk with an organization’s internal vendor assessment produces a comprehensive SaaS risk score that helps minimize threats arising from the use of SaaS apps by employees or by applications within the enterprise.
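As an added illustration of the behavioral-risk detection described above (the 1 gig/day user who suddenly uploads 100 gigs/day for 3 days) and of the weighted total-risk calculation, the following is example code written for this page, not ManagedMethods’ product logic; the upload log, the baseline window, the 10x threshold and the weights are all assumed, illustrative values.

```python
from collections import defaultdict
from statistics import median

# Constructed sample upload log: (day, user, app, GB uploaded). Not real data.
UPLOAD_LOG = [
    ("d01", "alice", "fileshare", 1.0), ("d02", "alice", "fileshare", 1.2),
    ("d03", "alice", "fileshare", 0.9), ("d04", "alice", "fileshare", 1.1),
    ("d05", "alice", "fileshare", 100.0), ("d06", "alice", "fileshare", 98.0),
    ("d07", "alice", "fileshare", 105.0),
    ("d01", "bob", "crm", 0.3), ("d02", "bob", "crm", 0.4), ("d03", "bob", "crm", 0.2),
]

# Assumed weights for the three risk types (illustrative, not from the page).
WEIGHTS = {"static": 0.4, "behavioral": 0.4, "organizational": 0.2}

def daily_volumes(log):
    """Aggregate GB uploaded per (user, app) for each day, ordered by day."""
    per_pair = defaultdict(lambda: defaultdict(float))
    for day, user, app, gb in log:
        per_pair[(user, app)][day] += gb
    return {k: [v[d] for d in sorted(v)] for k, v in per_pair.items()}

def upload_anomaly(volumes, baseline_days=4, factor=10.0, streak=3):
    """True when daily uploads exceed `factor` times the median of the first
    `baseline_days` days for `streak` consecutive days (the page's example)."""
    if len(volumes) < baseline_days + streak:
        return False          # not enough history to establish a baseline
    base = median(volumes[:baseline_days])
    run = 0
    for gb in volumes[baseline_days:]:
        run = run + 1 if gb > base * factor else 0
        if run >= streak:
            return True
    return False

def behavioral_risk(log, app):
    """1.0 if any user shows an upload anomaly against this app, else 0.0."""
    vols = daily_volumes(log)
    hits = [upload_anomaly(v) for (_, a), v in vols.items() if a == app]
    return 1.0 if any(hits) else 0.0

def total_risk(static, behavioral, organizational, weights=WEIGHTS):
    """Weighted sum of the three risk components, each on a 0..1 scale."""
    return round(weights["static"] * static + weights["behavioral"] * behavioral
                 + weights["organizational"] * organizational, 3)

def score_app(log, app, static, organizational):
    """Combine a static score, the observed behavioral score and an
    organizational score (e.g. higher for a HIPAA-regulated company)."""
    return total_risk(static, behavioral_risk(log, app), organizational)
```

With the constructed log, the file sharing app is flagged (three consecutive days at roughly 100x the baseline) while the CRM app is not, so the same static and organizational inputs yield a much higher total score for the file sharing app.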
A comprehensive CASB monitoring and discovery solution should provide a risk score based on each of the above risk assessment calculations. The best solution:
Visit the ManagedMethods website to view our CASB solutions for risk assessment and the other threats emerging from usage of SaaS apps within the enterprise.