Editor’s Note: This is part four of a blog series on securing privileged access and identities in the cloud.
- Part 1: Five Best Practices for Securing Privileged Access and Identities for the Cloud Management Console
- Part 2: Best Practices for Protecting Your Organization’s Dynamic Cloud Infrastructure
- Part 3: Secure Your Cloud-Native Applications and DevOps Pipeline in Six Steps
Now more than ever, Software as a Service (SaaS) applications not only enable communication and collaboration, they’re also a lifeline for remote workers, and are helping organizations efficiently manage internal operations, rapidly innovate to stay ahead of the competition, and deliver greater customer value.
While a majority of enterprises rely on these business-critical SaaS applications, like cloud-based CRM and email platforms, a CyberArk survey of business and IT decision-makers found nearly 70% do not prioritize their protection. Further, 56% of respondents reported an issue that affected the confidentiality, integrity, or availability of their business-critical applications within 24 months of the study.
With SaaS applications, it’s relatively easy for an individual within an organization to purchase a subscription with a credit card without going through formal procurement processes or involving finance or IT. While this ease of deployment and adoption is a benefit over traditional on-premises applications, it also gives rise to “shadow IT.” When IT security teams don’t approve, manage or even know about rogue SaaS applications, the risk of exposure and data breaches can increase substantially.
Properly securing and managing SaaS applications is an essential part of a comprehensive cybersecurity strategy. Here are five ways to get started:
- Treat all administrative access to SaaS applications, such as admin accounts used to set up single sign-on (SSO) integrations, as privileged. In most organizations, a variety of users access admin accounts for SaaS applications, such as Salesforce, ServiceNow, Jira, Docusign, DropBox and more. Take shared accounts for corporate social media platforms, for example. Credentials are often shared across teams and even third-party contractors and are rarely changed, making them easy targets for external attackers and malicious insiders. Such accounts must be viewed as privileged accounts and best practices for privileged access management must be implemented to mitigate the risk of compromise. Specifically, privileged credentials should be secured in a central vault, automatically rotated, and all activity must be recorded and available for audit. Human, machine, and application users with access to sensitive information for SaaS applications should also be considered privileged.
- Implement single sign-on to secure access to cloud apps. As companies bring more SaaS applications online, login credentials become increasingly attractive targets for attackers. Passwords alone are not enough to verify a user’s identity and protect businesses from data loss, fraud, and malicious attacks. SSO leverages a central identity provider such as Microsoft Active Directory, Azure AD, Okta Universal Director, or Ping Identity to manage user authentication and grant access to SaaS applications through a single set of login credentials. This improves security with stronger password policies, increases productivity with simplified access to all the applications employees need to do their jobs, and makes it easier for IT to monitor and manage access across the entire enterprise.
- Strengthen access controls with multi-factor authentication (MFA). MFA helps ensure users are who they say they are by requiring them to pass multiple authentication challenges like providing a one-time code sent to their mobile devices. In the remote work era, SaaS applications are regularly accessed from outside the corporate network and MFA is an instrumental layer in verifying user identities and preventing the use of compromised credentials. But do not forget that the privileged accounts used to manage MFA software must also be protected at all times with strong privileged access controls.
- Install and integrate an identity governance solution. Integrating with industry-leading identity governance and administration (IGA) solutions enable organizations to gain a unified view of their identity landscape, and consistently manage all identities, including privileged identities and access entitlements, based on defined company policies to meet regulatory compliance and access policy requirements.
- Stay up to date. Leverage a central identity provider to manage user authentication for application provisioning and de-provisioning so that SaaS console access is automatically removed when an employee leaves the organization or if their role changes within the organization. This is critical so that users can’t continue to access cloud services they don’t actually use or need. Implementing least privilege, in which all identities have only the minimum necessary entitlements to perform their ongoing responsibilities, is a best practice and makes it more difficult for attackers to escalate privileges. We’ll explore this further in our next post in this series.
A comprehensive approach to identity and privileged access management can help secure the human, machine, and application credentials used by your organization’s SaaS applications as well as your cloud-native applications built using DevOps methodologies. Learn more in our eBook, “Securing Privileged Access and Identities in 5 Key Cloud Scenarios.”