Software-as-a-Service (SaaS) delivers real business benefits, including reduced capital and operational overhead, continuous software updates, and simplified remote access. However, many IT decision-makers are concerned their organizations aren’t doing enough to secure cloud-based solutions.
In a recent study conducted by Vanson Bourne, 64 percent of IT decision-makers said their “organization’s SaaS adoption is outpacing their ability to secure it.” Almost all (91 percent) said their organizations must improve SaaS security before they can take full advantage of the cloud.
The cloud operates on a shared responsibility model, in which some aspects of security are handled by the cloud provider and others are left to the customer. With SaaS, the cloud provider shoulders most of the responsibility. However, the cloud provider can’t know what resources a particular user should be given access to, so the customer is responsible for identity governance.
Identity governance refers to the policies that establish the levels of access granted to various users and groups. At least one person will need administrator-level access to manage the application, and you’ll likely want to have a second administrator as backup. But granting all administrator-level privileges to all users is a recipe for disaster. Given the growing importance of SaaS solutions in day-to-day business operations, one compromised account or rogue insider could wreak havoc on an organization.
SaaS solutions vary greatly in the types of administrator accounts they offer and the level of access given to each type. Some SaaS solutions have only administrators and users, while Salesforce and Google’s G Suite have six types of admins as well as line-of-business roles. IT teams need to thoroughly understand the access afforded by these various account types before assigning them to users.
The inconsistent approaches to identity and access controls in SaaS solutions make it difficult to develop and apply identity governance policies across the entire environment. It can be helpful to break down access into user management and data management categories, with create, read, update, and delete actions. For example, help desk personnel need the ability to read and update user accounts (e.g., reset passwords), but should they be able to create and delete them? Should IT service administrators be able to create, update, or delete files
The point is that the concept of least-privilege access should be extended to SaaS solutions. Users should be granted the access they need to perform their jobs, and no more. And those accounts that have the highest levels of access should be given the highest levels of protection.
The CyberArk Core Privileged Access Security platform enables you to discover, secure, and manage privileged accounts across the enterprise, including on-premises, hybrid, and cloud environments. Granular access controls ensure authorized users have the access they need while automatic credential rotation makes it possible to regularly update privileged account passwords without impacting productivity.
With CyberArk’s Privileged Session Manager for Cloud, you can also monitor privileged user activities in leading SaaS and social media solutions. Privileged session isolation ensures privileged credentials are never revealed, and a detailed audit log enables faster incident response and improved regulatory compliance reporting.
Have your security controls kept pace with SaaS adoption in your organization? Let Clango’s CyberArk Certified Delivery Engineers help you take advantage of the CyberArk platform to protect and control privileged access in the cloud.
For more information about CyberArk’s Core Privileged Access Security platform and CyberArk’s Privileged Session Manager for Cloud, please send us an email at (firstname.lastname@example.org).