Remember when Greyhound Bus Lines used to say, “Leave the driving to us”? Like, get on board, take a seat, close your eyes and you’ll be in Vegas before you know it. Today’s Software-as-a-Service (SaaS) providers have a similar message. Leave the computing to us, don’t worry your pretty little head about it – we’ll handle all the infrastructure and network connections.
However, you shouldn’t lean back and close your eyes. While SaaS platforms like Box, Workday, and Atlassian are amazing, they come with a “shared responsibility” model of security and operation. A surprisingly broad range of security and configuration decisions are yours to make. The onus is on you to ensure the security of the “last mile”: configurations, user access and critical data handling.
Shared Responsibilities
Shared responsibility, which is a feature of almost all legal agreements covering the use of SaaS platforms, holds that you (the customer) and the SaaS provider each have certain responsibilities for security and configuration of your SaaS instance. There is a lot of variation, but generally, the SaaS provider is responsible for all the security and configuration affecting their infrastructure and the core platform code. They keep the software running. They keep malicious actors out of their data centers, and so forth.
You are on task for issues that affect how you use the software. For example, you decide how to handle access control—within the available options. This should make sense. After all, how would Box know how you want to control access? You can configure your instance the way you want. In that sense, you can think of responsibilities as choices. You get to choose your configuration.
Configuration risks
Shared responsibility can create risk. Configuration is one such area. For example, you may have the option of using two-factor authentication (2FA), but you have to switch it on. If you don’t configure 2FA, you won’t have 2FA. And, you have to configure it the right way for your security policies.
Access control
Under shared responsibility, you have to decide how you want to handle access control. You may be able to synchronize SaaS access with your overall Identity and Access Management (IAM) solution. This approach is effective for aligning your corporate access control policies with those governing your SaaS instances. Otherwise, you have to set up access control carefully on the SaaS platform. You might want to restrict access to people with a corporate email address and prohibit Gmail addresses.
Difficulties with plugins and third-party integrations
Plugins and third-party integrations represent a potentially significant source of risk exposure in SaaS. A plugin might have a security vulnerability that you are not aware of, opening your SaaS data to unauthorized access. If you don’t set up controls, you might also find your employees installing plugins that you don’t want in the environment—leading to unforeseen systemic access issues.
Solving the problem of shared responsibility
It is possible to solve the problem of shared responsibility. You can handle your responsibilities manually, taking care of one SaaS platform at a time. That is not optimal, though. It’s labor-intensive and prone to error. A better alternative is to deploy a solution that brings together all SaaS responsibility settings into a unified interface. With such a solution, you can gain an overview of potential issues and set a priority for remediation.
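To make the three risk areas above concrete, here is an added example (not code from the article or from Suridata) of what a unified posture check looks like in miniature: it takes a snapshot of security-relevant settings from several tenants, applies the same rules to each (2FA or SSO enforcement, login-domain restriction, third-party apps outside an approved list), and ranks the gaps for remediation. The tenant snapshots, setting names such as `mfa_required` and `allowed_login_domains`, and the platform labels are all constructed for illustration; they do not reflect any vendor's real admin API.

```python
"""Minimal SaaS shared-responsibility posture check (constructed example)."""
from dataclasses import dataclass

# Constructed tenant snapshots, as an admin might export them. The keys are
# hypothetical and normalized across platforms for the sake of the example.
TENANTS = {
    "box": {
        "mfa_required": True,
        "sso_enforced": True,
        "allowed_login_domains": ["example.com"],
        "installed_apps": ["calendar-sync", "pdf-exporter"],
    },
    "workday": {
        "mfa_required": False,
        "sso_enforced": True,
        "allowed_login_domains": ["example.com", "gmail.com"],
        "installed_apps": [],
    },
    "atlassian": {
        "mfa_required": False,
        "sso_enforced": False,
        "allowed_login_domains": [],
        "installed_apps": ["calendar-sync"],
    },
}

# Constructed policy inputs: the company's own domains and the apps it has vetted.
CORP_DOMAINS = {"example.com"}
APPROVED_APPS = {"calendar-sync"}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    platform: str
    control: str
    severity: str
    detail: str


def check_tenant(name: str, cfg: dict) -> list[Finding]:
    """Apply the same three rules to one tenant and return its gaps."""
    findings: list[Finding] = []

    # Rule 1: a second factor must actually be switched on, not merely available.
    mfa, sso = cfg.get("mfa_required", False), cfg.get("sso_enforced", False)
    if not mfa and not sso:
        findings.append(Finding(name, "2fa", "high", "neither 2FA nor SSO enforced"))
    elif not mfa:
        findings.append(Finding(name, "2fa", "medium", "2FA optional; relying on SSO only"))

    # Rule 2: logins should be limited to corporate domains.
    domains = set(cfg.get("allowed_login_domains", []))
    if not domains:
        findings.append(Finding(name, "login_domains", "high",
                                "no domain restriction; consumer addresses accepted"))
    elif domains - CORP_DOMAINS:
        extra = ", ".join(sorted(domains - CORP_DOMAINS))
        findings.append(Finding(name, "login_domains", "medium",
                                f"non-corporate domains allowed: {extra}"))

    # Rule 3: installed third-party apps must be on the approved list.
    unapproved = sorted(set(cfg.get("installed_apps", [])) - APPROVED_APPS)
    if unapproved:
        findings.append(Finding(name, "third_party_apps", "medium",
                                f"unapproved apps installed: {', '.join(unapproved)}"))
    return findings


def audit(tenants: dict) -> list[Finding]:
    """Run every tenant through the same rules and rank gaps by severity."""
    findings = [f for name, cfg in tenants.items() for f in check_tenant(name, cfg)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.platform, f.control))


if __name__ == "__main__":
    for f in audit(TENANTS):
        print(f"[{f.severity:6}] {f.platform:9} {f.control:16} {f.detail}")
```

The value of the unified view is visible in the output ordering: the tenant with neither 2FA nor SSO and no domain restriction surfaces first, regardless of which platform it happens to be, so remediation effort goes where the exposure is largest. In a real deployment the snapshot step would read each platform's admin API and the rule set would be far longer, but the shape (normalize, apply one policy, rank) is the same.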
Conclusion
Shared responsibility is a fact of life in the SaaS world. And, it’s for the best. The approach gives you choices and control over your digital assets on SaaS platforms. However, it is imperative that you take the policy seriously. To neglect shared responsibilities is to invite trouble. Now, though, solutions are available to help you manage shared responsibilities in SaaS without expending an excessive amount of time or effort.
Lee Kappon is a SaaS Security expert and was listed on Forbes’ 30under30 list. She is the CEO & Co-Founder of Suridata, a startup company that is developing the next-generation SaaS Security solution.
Forbes Israel Contributors are independent writers who were individually picked by Forbes staff. The writers are experts in their field and they provide professional commentary and analysis of current events. The content is unsponsored.