74% of Indian SMEs had to deal with cybersecurity incidents, according to a recent Cisco study. The study found several ways in which malicious actors got in: malware attacks affected the workflow of 92% of small and medium enterprises, whereas 76% of companies were affected by phishing. 38% of hacked businesses blamed the lack of proper information security solutions installed in their systems. Nearly the same percentage claimed that such solutions would be of no help in tackling an attack.
One of the most common problems with cybersecurity solutions turned out to be the difficulty of integrating all the technologies so that they can be used smartly.
The cloud allows a company to locate a great deal of data outside the corporate perimeter, whereas SaaS makes access to the needed tools quicker and easier. But what about security?
Gartner expects that by 2022, 95% of cloud security breaches will be caused by users working with cloud services.
There are solutions that monitor user activity with data in cloud storage. Even though the data is in the cloud and can’t be governed and limited by the rules of the corporate perimeter, such a solution keeps an eye on the access rights to confidential data that specialists configure in its settings: documents are classified, any editing is monitored and raises an alert, and data management in the cloud stays transparent. A company can also have its information encrypted when it leaves the corporate perimeter, so that sensitive data remains secure once it gets to the cloud.
Encryption offered by the SaaS vendor is not enough on its own when it comes to data protection: you have to rely on the vendor’s level of security, and when an attack affects the vendor, your data is affected too. Taking your own encryption measures lets your business depend on regulations you have established yourself.
A DLP system deployed in a company helps to track data transfers. DLP software can itself come as a SaaS solution deployed in the cloud, and if you would rather not trust a popular cloud service with all your data, it is better to choose the cloud service provided by the DLP vendor: vendors deploy their own system on their corporate cloud servers. That said, respectable and proven cloud services such as Microsoft Azure are an option a company can choose with a good deal of confidence.
SaaS poses security challenges to any company using it
One of the major problems is that nowadays IT can’t be centralised on-site. It has to loosen its grip and branch outside the perimeter, allowing a company to purchase multiple, rather “insubordinate” SaaS solutions. It’s complicated to manage all the settings of every SaaS solution an organisation deploys, as an average company uses over 100 SaaS applications. What’s easy to use isn’t necessarily safe to use: the quicker we access and share data, the fewer obstacles there are for everyone else to do the same.
Solutions delivered via the cloud are coded, re-coded and updated all the time, and no one can be sure that the next update won’t carry a newly introduced security hole that goes unnoticed.
Also, settings don’t get changed simultaneously. You can’t keep up with every external settings alteration and tweak your own accordingly each time a slight change is made, yet that is what needs to be done. Access privileges must be set correctly so that only the right people can change the settings and no one makes unnecessary changes manually.
What should be done to use SaaS successfully?
Before moving to the cloud, a few questions should be answered:
- Why do you need the cloud?
- What data should be stored there and what activities should be conducted there?
- What is the most essential data in your company and should it be moved to the cloud?
- Have you chosen a secure provider which complies with regulatory requirements?
- Has someone been assigned responsibility for aligning the corporate security level with the provider’s?
Remember to make sure that no corporate data stored in the cloud can be downloaded by a third party without authorisation. Pay attention to whom you grant access. Don’t send a link until you are sure that the content can be viewed and used by the public; otherwise, deny public access and specify the users who are allowed to read the content.
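The sharing rule above can be checked mechanically against an export of sharing settings. The following is an added example, not part of the original article: the record fields, classification labels and the example.com domain are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass, field

CORPORATE_DOMAINS = {"example.com"}   # assumption: the company's own mail domain
PUBLIC_LABELS = {"public"}            # classifications that may carry an open link

@dataclass
class SharedItem:
    path: str
    label: str          # classification: public / internal / confidential
    link_scope: str     # "anyone", "organisation" or "restricted"
    allowed_users: list = field(default_factory=list)

def audit(item):
    """Return findings for one shared item; an empty list means compliant."""
    findings = []
    if item.link_scope == "anyone" and item.label not in PUBLIC_LABELS:
        findings.append("open link on non-public content: deny public access, name the readers")
    for user in item.allowed_users:
        domain = user.rsplit("@", 1)[-1].lower()
        if item.label == "confidential" and domain not in CORPORATE_DOMAINS:
            findings.append(f"external user {user} can read confidential content")
    return findings

def run_audit(items):
    """Map path -> findings for every item that breaks the sharing rule."""
    return {i.path: f for i in items if (f := audit(i))}

# Constructed sample export (not real data).
SAMPLE = [
    SharedItem("/marketing/brochure.pdf", "public", "anyone"),
    SharedItem("/finance/payroll-2024.xlsx", "confidential", "anyone"),
    SharedItem("/legal/contract-draft.docx", "confidential", "restricted",
               ["a.ivanova@example.com", "counsel@lawfirm.example"]),
    SharedItem("/hr/handbook.pdf", "internal", "organisation"),
]

if __name__ == "__main__":
    for path, findings in run_audit(SAMPLE).items():
        for finding in findings:
            print(f"{path}: {finding}")
```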
To make your processes in the cloud as safe as they can be, make sure you know which cloud solutions and applications your company really needs and what data can be stored and monitored there, so that you can be sure that no more data than necessary leaves your company’s perimeter.
Proper privileged access management is essential when allowing access to SaaS applications.
Segregation of Duties (SoD) is an indispensable and helpful approach to securing information usage in SaaS applications. It is important not to misconfigure it.
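A Segregation of Duties review can be run over an export of role assignments. The following is an added example, not part of the original article: the duty names, the conflicting pairs, the applications and the users are all constructed assumptions, and conflicts are evaluated per application.

```python
from collections import defaultdict

# Assumption: pairs of duties that one person must not hold in the same application.
CONFLICTING_DUTIES = [
    ("change_security_settings", "approve_settings_change"),
    ("grant_access", "review_access_logs"),
]

# Constructed role model: (application, role) -> duties the role carries.
ROLE_DUTIES = {
    ("crm", "admin"): {"change_security_settings", "grant_access"},
    ("crm", "change_approver"): {"approve_settings_change"},
    ("crm", "sales_user"): set(),
    ("storage", "owner"): {"change_security_settings", "grant_access"},
    ("storage", "auditor"): {"review_access_logs"},
}

# Constructed assignments: (user, application, role).
ASSIGNMENTS = [
    ("olga", "crm", "admin"),
    ("olga", "crm", "change_approver"),   # can change settings and approve the change
    ("ravi", "storage", "owner"),
    ("ravi", "crm", "sales_user"),
    ("mei", "storage", "auditor"),
    ("mei", "crm", "admin"),              # duties sit in different applications
]

def sod_conflicts(assignments, role_duties=ROLE_DUTIES, rules=CONFLICTING_DUTIES):
    """Return sorted (user, app, duty_a, duty_b) where one user holds both duties in one app."""
    held = defaultdict(set)
    for user, app, role in assignments:
        if (app, role) not in role_duties:
            # An unmapped role must be modelled, not silently treated as harmless.
            raise KeyError(f"role {role!r} in {app!r} has no duty mapping")
        held[(user, app)] |= role_duties[(app, role)]
    return sorted(
        (user, app, a, b)
        for (user, app), duties in held.items()
        for a, b in rules
        if a in duties and b in duties
    )

if __name__ == "__main__":
    for user, app, a, b in sod_conflicts(ASSIGNMENTS):
        print(f"{user} holds both '{a}' and '{b}' in {app}")
```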
The chosen cloud deployment models and the way of their usage should meet regulatory requirements, standards and frameworks.
SaaS applications should be available only to assigned users and authorised devices. Services rendered via the Internet are built on a number of infrastructures and platforms. Their construction is heterogeneous, and so are their providers, each of whom is responsible for their own part of the work and manages the issues that occur within their purview. This makes information security in SaaS half the provider’s responsibility and half the user’s.
The article has been written by Alexey Parfentiev, leading analyst at SearchInform