With the growth of business-led IT, does SaaS security need to be a specific focus in a CISO’s architectural strategy?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Steve Zalewski who also hosts Defense in Depth.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor, AppOmni

Get visibility to all 3rd party apps — and their level of data access — with AppOmni. Visit AppOmni.com to request a free risk assessment.
Full transcript
[David Spark] With the growth of business-led IT, does SaaS security need to be a specific focus in a CISO’s architectural strategy?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series, and my co-hosts – did you hear that? I added an S to the end of that. It’s plural. My co-hosts today are both the co-hosts for Defense in Depth. That would be Geoff Belknap, CISO of LinkedIn, and also Mr. Steve Zalewski, he used to be the CISO over at Levi Strauss. Gentlemen, make some noise and identify yourselves for a moment, for those people tuning in for the very first time. Geoff?
[Geoff Belknap] I’m Steve Zalewski. Welcome to Defense…
[David Spark] No, you’re not.
[Geoff Belknap] Are you sure?
[David Spark] Don’t do that.
[Geoff Belknap] My name tag… Oh, I’m Geoff Belknap.
[David Spark] There you go.
[Geoff Belknap] That’s it.
[David Spark] And Mr. Steve Zalewski, make some noise so people know the sound of your voice.
[Steve Zalewski] And I wish I was Geoff Belknap.
[Geoff Belknap] I guarantee you don’t, Steve.
[Laughter]
[Steve Zalewski] Hi, audience. How you doing?
[David Spark] The audience says great to see you, Steve. Our sponsor for today’s episode is AppOmni – unmatched security for your SaaS apps. We’re talking about that today. More about specifically what AppOmni is doing in securing your SaaS apps coming up a little bit later. So, today’s topic is building a security program for SaaS apps.
Steve, this is something that you posted about this very topic on LinkedIn asking how does security get involved with applications that the business often procures on its own, or as you called it, business-led IT? Other variations we’ve all heard are shadow IT or consumerization of IT. Now, is the problem the architecture of the applications themselves or the fact that a non-security group is bringing these applications online?
Or as I’m guessing, it’s probably both. I don’t know. What do you say, Steve?
[Steve Zalewski] So, I would say in the end, it’s both. But it’s the journey that we’re on that I don’t think we’re done with yet, that even now from the time I posted to today, is to be able to realize that SaaS, when I first thought about this, was all right, you’ve got all your traditional infrastructure, like Geoff does at LinkedIn, and now you’ve got this SaaS stuff that’s coming online.
So, therefore I can’t use my same infrastructure. The business is bringing in is this an opportunity to look at SaaS and understand how much I have to do and when. But more and more, what I think we want to talk about today too is the fact that you almost have to consider SaaS a completely separate environment as a security practitioner because more and more companies are selling SaaS products, so they have to figure out to have the SaaS in addition to the traditional security infrastructure.
[David Spark] Well, we’re going to discuss this very topic today. This is normally where I introduce our guest but there is no guest because it’s a triple co-host show.
[Geoff Belknap] A triple co-host show.
[David Spark] Can you do that?
[Geoff Belknap] Triple co-host.
[David Spark] Does co mean two? No. You can co three, four, five.
[Steve Zalewski] A trifecta.
[David Spark] Yes. That’s it.
[Steve Zalewski] That’s a trifecta.
What’s going on?
3:04.466
[David Spark] Misha Seltzer of Atmosec said, “An organization’s SaaS ecosystem becomes more complex and difficult to understand as it grows larger. SaaS doesn’t stay secure over time.” I think, by the way, that speaks to everything. Nothing stays that way. And Simon Goldsmith of OVO said, “SaaS security by design is getting better. Security and privacy by default falling woefully short.” The privacy angle of that I think is very true. And lastly, Abhishek Singh of Araali Networks said, “The final part is visibility into the vendor’s posture. A good vendor will not only continuously monitor their environment but also share the results continuously with you.” Geoff, I’m beginning with you on this.
Let’s start with that. Are there SaaS vendors that continuously share their environment that makes your job easier?
[Geoff Belknap] I don’t know. I can’t think of any that do it to that degree.
[David Spark] I can’t either but it sounds awesome if it did.
[Geoff Belknap] That sounds amazing. I definitely want to talk to you if this is what you’re doing as a SaaS vendor. I think Misha is probably most accurate here in that – and I think it’s Phil Venables that wrote recently information wants to be free. And I think the way I interpret that is it feels like the inertia of every system, whether it be SaaS, IaaS, or PaaS, just generally tends to less and less secure.
Which is why, and I think you’ll both agree, that I’m a large advocate for it should be secure by default, it should be difficult to implement insecure or less secure options, they should be there, but it should be challenging. And I think that would help inertia go the right way, which is by default these things become more secure, and I generally see signs that the industry is headed that way.
[David Spark] Steve? We will definitely get into the whole angle of configuration which very much comes up in this discussion, but three issues here. The fact that security changes over time, usually for the worst. That there are major privacy issues here, and wouldn’t it be wonderful if these SaaS vendors would continuously monitor their environment and share that information with us.
And it seems that Abhishek believes this exists. I don’t know, maybe it does.
[Steve Zalewski] So, from Abhishek’s perspective, and I think Geoff and I see this is, okay, third-party risk management, vendor security assessments, okay, that’s the conversation. Which is how do I have a broker that I can exchange information with that Geoff is willing to believe that that broker has good data about me.
Okay? That’s where we’re starting to get to. Is more and more SaaS is more and more integration with third party, so therefore how do I trust if I’m going to buy that third-party product as a SaaS vendor. And B, and that’s the vendor security assessments, and then B, it’s the, okay, for all the things that are in my environment that are third-party SaaS, how do I know what’s risky?
So, again, a CISO more and more, and that’s what I was driving at, has two roles. They have the role as a Fortune 500 to protect their company, and then they have a role as a SaaS vendor, like many out here in the Bay Area are, where their job is to be able to close the sale on the SaaS product that they’re selling, be it security or biotech or fintech.
And so there’s that bifurcation going on that’s making it more challenging around the security’s getting weaker over time. I think it’s because our, once again, our perimeter is expanding and we’re not really realizing what’s transpiring.
Is this problem solvable?
6:58.325
[David Spark] Jerich Beason, CISO over at Capital One, said, “CASB solutions were introduced to help us identify usage of SaaS and maybe even detect security events in our SaaS apps, but they don’t prevent the misconfiguration in the first place. Most organizations have hundreds of sanctioned and unsanctioned apps with unique configuration and user management options.” Marcos Marrero who’s CISO over at H.I.G. Capital said, “Ensure your web endpoint protection, gateways, proxies, and/or firewalls are feeding telemetry to your CASB. I cannot overstate how critical this step is. It’s going to give your SaaS usage baseline. Design your policies governing SaaS usage based on the inventory from your first step. Use your existing security controls or CASB to enforce said policies.” All right. This is all basically advice around CASB and what it can and can’t do. How do you add to this? Where does the CASB sort of play in the SaaS security solution? Steve.
[Steve Zalewski] Yesterday’s solution to yesterday’s problem is what it was. Okay? It’s another case, a point in time, when CASBs came out and WAFs were showing up. We were trying to get visibility into what our SaaS application suite looks like. Not our AppDev app SaaS environment, right, but our bought products.
And that was great. But what we’re seeing now with SBOM and everything else is that was a simplistic view of simply getting visibility into the SaaS apps that my business was using, and that’s not the problem we’re really trying to solve today.
[Geoff Belknap] Yeah. I feel like there was a time very early in the SaaS journey that we all went on where we just had zero visibility into what was going on in that cloud product and it terrified a lot of us, and CASB was a great solution for that. I think where the industry is going is much more positive in that in the early times, there was no audit log, no API, we had zero information we could get programmatically or manually to tell us when things were configured correctly or not or we had user provision in a certain way.
Now we’ve come a lot further. Like in the last 10 years, we’ve come a lot further. Most SaaS products have those features built in and they’re good and they work well.
The challenge we kind of have now is there are so many SaaS applications that we’re dealing with, it is very difficult to consistently manage security across all of those because there’s no consistent API that they all have relative to security, safety, or privacy functions. What a lot of SSPMs and other – I think it’s like CSPM is the other acronym in the space – where security technology has taken us is now there is a variety of solutions, great solutions that will talk to all of those APIs for all your SaaS products and help you understand what your posture is across all of them, and I think that’s great.
We’re in a much better position than we used to be. It would be better if we consolidated down to one standard for all these things, but I, honestly, I think that’s where we’re going to end up.
[Steve Zalewski] So, let me play on that a little bit more. Right? Which was CASBs was, “Let me at least see the problem because I lost my perimeter which was my traditional, right, data center perimeter. I lost my perimeter with all the SaaS.” So, my first thought was I can’t protect what I can’t see, so let me get some visibility, let me do some discovery, but then the hard problem was, well, so what, now what?
Now that you’re showing me more problems, you haven’t given me the opportunity to solve them. You haven’t taken that responsibility off my plate.
And now what Geoff just said was and now SaaS took on another perspective, right? All of a sudden, we’re looking at it in a different way, and we’re back to, well, first I need visibility and I can do discovery, but then I have to do something about it. And so with all the APIs out there for all the SaaS apps, they’ve given us a great way to export information that we’re going to have to mine from a security perspective, but what we have is just a bigger data lake that will potentially tell us about more needles, but I think as CISOs and as an industry, we’re now realizing that’s not what we want, right?
More and more from a SaaS perspective, we’re saying don’t show us more problems. Come to the table with what problems you can take off my plate. And that’s where we’re struggling now because we’re still in that visibility, discovery, maturity…
[David Spark] I go to Abhishek Singh’s suggestion.
[Steve Zalewski] Yep. That’s what I mean. This is why when I said earlier was this is such a great topic because it’s morphing. The question is still valid, the responsibility of the CISO, right?
[David Spark] Let me also point out that because of certain issues, we’re actually recording this way ahead of time, like we’re recording this in February and this is going to be airing in July. So, it’s possible the next five months, there’ll be some spectacular discovery here.
[Geoff Belknap] I am sure we’re all going to go to RSA, or I’m sure at this point we’ve all been to RSA.
[David Spark] Yes.
[Geoff Belknap] And Steve and I and probably Andy and others are all just beside ourselves that this problem has been solved by whoever wins Best of Show at RSA. We’re so impressed. Good job. Good job, everybody. But the reality is, you know what? I think this all comes back to the original topic of the show which is do you need to have a SaaS-specific strategy and I think the short answer is yes.
You can’t just treat your SaaS like something else is going to cover it. You need to have a specific strategy to address the proliferation of products that your business finds essential and a way to secure and monitor those.
Sponsor – AppOmni
13:00.145
[David Spark] All right, we’ve been talking a lot about SaaS security and guess what? AppOmni can very much help in that space. They’re our sponsor for today’s episode. Now think about the enterprise SaaS platforms your organization uses to get vital work done. You got Salesforce, Workday, Microsoft 365, or Google Workspace.
Everyone’s in something like that. Do you know which SaaS apps are connected to them or the data these apps can access? After all, the average SaaS environment has more than 40 different SaaS-to-SaaS apps connected into it, and each one offers a new data access point to your major SaaS platforms. That means a single compromised SaaS-to-SaaS app can give threat actors the in they need to access sensitive data stored in your SaaS ecosystem.
But AppOmni can help. Yep.
With AppOmni, you can gain visibility to all your SaaS apps and SaaS-to-SaaS connections. You’ll have a complete inventory of every connected SaaS app in your SaaS ecosystem. And you’ll know when end users have enabled SaaS-to-SaaS apps and the level of data access each app has been granted. See what’s connected to your SaaS platforms and what vulnerabilities SaaS-to-SaaS apps may have introduced.
Go to their site, that’s appomni.com today. Do it today. I don’t want you to wait until tomorrow. Do it today to request a free risk assessment. Trust me, I’ve talked to them about this. It is amazing what you’re going to discover and I know a lot of sponsors offer this. You got to take them up on this.
Really. You need to know what’s going on in your environment. Go to appomni.com. Request that free risk assessment and be in the know with your SaaS environment.
What aspects haven’t been considered?
14:53.715
[David Spark] Duane Gran of Converge Technology Solutions said, “What I’ve been doing is using DNS for discovery to sniff out frequently used applications and build relationships between security and business groups. We analyze together if the SaaS offering protects our brand effectively and make a determination about its risk and in most cases, it becomes an approved application. This is slow and I worry that new applications emerge quicker than our efforts are to secure them.”
And Harold Byun of AppOmni said, “Look at the risks associated with SaaS from an attack surface perspective. Most often, the SaaS attack surface gets exposed through misconfigurations. SaaS data leakage gaps are not extended kill chain events and are much more likely to be simplistic ‘smash and grab’ operations. What this means is that traditional tooling and threat detection do not apply and will only provide visibility after the data has already been taken.”
And Andrew Sweet, also of AppOmni, said, “Target your top three largest SaaS deployments, operationalize there, and begin a solid foundation to standardize and scale from.” I kind of like that last tip right there of, I mean, Duane starts with sniffing what do we have, and the last guy says, “Just start with what you know, the three big ones, and if you figure that out, then you can figure everything else out.” Is that good advice right there, Geoff?
[Geoff Belknap] Yeah. I think that’s great advice. In fact, this whole segment is really well done. Congratulations, producer, great job. I think Duane and Andrew have the fantastic beginnings of if you’re starting from scratch and you need to put together a SaaS security strategy, here’s what you do.
You start, as Andrew says, with your largest deployments, the ones you know about, your CRM solutions or ERP solutions or just like your email and calendar which is almost certainly SaaS if you’re a modern company, and you start to address those and make sure you can be standardized and you come up with your policies.
Then you’re going to use, whether it be a DNS or some other solution, to figure out where are all your other SaaS products. I recommend your identity provider, whatever you’re doing, whether that be Azure or Okta or something like that. Those are going to have logins and those are going to be preconfigured for all the SaaS products that you know that you’re paying for, but that’s a great place to start understanding where you can extend your strategy to next.
And then you can really dig into, like I said, there’s a rabbit hole of each one of these things, for what is my standard baseline SaaS security policy, what do I want to enforce everywhere, whether that be session timeouts or passwords or MFA or SSO, whatever it might be. Then you can extend that out to your major SaaS platforms, and then you can start applying it because it’s not going to be able to be applied consistently everywhere.
But you can start figuring out how you apply consistently to the… Here’s my guess, and this is no exaggeration, you probably have hundreds of SaaS applications even if you’re a small business, and you probably know about half of them. Now you need to figure out where the rest are and how you need to protect them and ta-da! You now have a SaaS strategy.
[David Spark] Simple as that.
[Geoff Belknap] And a lot less hair.
[David Spark] What do you think, Steve? That simple?
[Steve Zalewski] Can’t argue with anything that Geoff said, but I want to add a little color around some of the assumptions or expectations that are there for Geoff to succeed, which are all challenging.
[David Spark] Geoff does the play by play, color commentary by Steve Zalewski. Go ahead.
[Geoff Belknap] There you go. I’m Tony Romo. That’s right.
[Steve Zalewski] The first thing is the three largest SaaS applications. What you’re basically saying is where’s my business impact analysis? Where is that document that the company’s supposed to have to tell me what’s most important to the company to protect? What’s making the money? Where’s my brand?
Because if you want me to guess, I can guess on what the three SaaS apps are. But the whole point here is we’re supposed to be agreeing on what’s key to the business so that I can put the right emphasis on the right problem. Okay? That’s one.
Two, prevent controls. Right? We’re going to try to prevent, like Geoff said, Okta, okay, your DNS. Let’s go put the right preventative controls so that the bad guys can’t get in. So, let’s do everything we can on the front end for SaaS to do it right. That’s where CASBs led to Okta and others. Okay?
Good. But the last thing we always say is, “But the bad guys are getting in. There’s no doubt.” So, where’s the resiliency? Where’s the realization that we do have to look at the kill chain and be able to understand when there’s a compromise and stop it. And in doing that, I’m going to do a little maverick thinking, right?
Which is Geoff and I can look at each other and go, “Hey, Geoff. Your SOC and your SIEM. Is that your most efficient and effective group of people and value, or is that one that we always struggle with?” So, maybe for SaaS, we actually rethink our SIEM and understand that maybe we do something like a HISOC, human identity SOC, where we rethink what we’re loading in there to understand where the key threat attacks are, right, human based and not keep doing what doesn’t work.
[Geoff Belknap] I’m also a fan of just doing what doesn’t work over and over again. I think that’s a winning strategy.
[Steve Zalewski] Oh. So, you’re an auditor now? Oh, okay.
[David Spark] Don’t take this advice!
[Laughter]
[Geoff Belknap] Sorry. We’ve veered into “What’s Worse?”
[David Spark] Exactly.
[Geoff Belknap] Wrong show, wrong show.
What’s the motivation to fix this problem?
20:33.904
[David Spark] So, this last segment here is what if the whole SaaS thing just blows up in your face? What protection do you have for that? So, Gaurav Banga of Balbix said, “What technical controls can you put in place to mitigate risk from apps you deem risky?” Or maybe you just don’t know about? “Assume one of these third-party vendors is breached. How will your controls limit your data and operational exposure?” Steve, I think there was some reference to solutions here but a lot of the talk was dealing with the apps directly, but when they implode on you through a breach that may or may not be of their doing, what’s your ability to control the blast radius?
[Steve Zalewski] Yes. And now what we just did was all of a sudden we’ve turned the sphere again and we got another perspective. Which was not just what SaaS apps do I have, not which ones are risky, but it was the containment. It was what I started to talk about about the value of your SIEM to not tell you what happened three months ago but to tell you what’s happening right now.
So, in the event one of those SaaS vendors is compromised, okay, or data that you’ve placed there has been compromised, how do you reestablish the integrity, get to known good, and then go manage the putting back of the parts that are known bad. Right? Identifying known good, known bad.
And I think that’s where Gaurav is going and I think that’s what we’re going after with SaaS here is you’ve got to think of it as a separate line of business almost, and you have to build, right, a perimeter understanding that most of this stuff you can’t directly impact. I can’t get inside those SaaS apps.
What I have to do is break the connections and understand how the data flowed and where the integrity challenges are so that the business doesn’t make bad decisions on bad data. Let them make bad decisions on good data. That’s my job.
[David Spark] Do you think about this as, I mean, I know you think about this, Geoff, but how does your mindset strategize of like, all right, this aspect of the business shuts down or our data’s leaked, how do we deal with damage control? Do you think about that per app or do you have a general policy? How does that work?
[Geoff Belknap] I think, well, very broadly, you do business continuity and disaster recovery planning which is designed to work regardless of why data or a critical process might be missing, whether it be natural disaster or breach or maybe one of these companies you rely on just went out of business all of a sudden.
[David Spark] Hopefully they gave you warnings.
[Geoff Belknap] Well, you never know, or maybe there’s a pandemic or an endemic issue and you didn’t get any warning. If you do business continuity planning and you practice and you’re a mature organization, this is relatively straightforward. Now there are plenty of people that don’t do this well, and they should work on this.
But you don’t necessarily need to buy any software or do anything fancy other than just do some planning and do some thinking and run some exercises.
I think the other aspect of this though that Gaurav is getting into is you can start to think of controls you put in place to defend your business if one of your SaaS providers was attacked or went out of business or whatever it might be. But the reality is your business probably is not going to go out of business, right?
So, if your – let’s use something that has happened before – if your payroll processor gets breached. You’re probably not going to stop processing payroll as a result of that. Now there might be an issue here of disclosure and something like that that you’re going to handle sort of in parallel, but in most cases, you’re not going to be prevented from working this business process you need to run on a regular basis.
The reality is you’re going to be dealing with some other kind of damage to your business or maybe you might delay your payroll or something like that. But I think the reality is most people’s business processes are fairly robust.
Now if you’re small, I think you really then have to put some thought into what you’re going to do if you lose access to one of these providers. But I don’t find that in most cases you need to do something exotic like homomorphic encryption or something like that to protect your data against breach.
You just have to protect your business and the processes that are essential against the lack of availability of one of these services.
[Steve Zalewski] So, let me lay on top of that, right? There’s two ways to look at this, with what Geoff said. And I think about this from my Levi’s days. There’s the, okay, I manufacture jeans, so how does a SaaS breach impact my ability to manufacture and deliver jeans to sell them. So, the traditional supply chain of my manufacturing.
And then there’s the SaaS side, right, which is, well, wait a minute. I’ve got a whole bunch of cloud applications, cloud infrastructure, AWS, IaaS, and now what happens if a piece of that gets breached? What’s the implication? So, I actually have two different jobs.
And disaster recovery, the thing I always use as an example is when I was at Levi’s, Maersk got hit. Everybody remember that? And Maersk had to shut off their entire IT infrastructure. Sixty percent of my product is transoceanic. So, when you practice business continuity, nobody’s thinking about the fact that all of a sudden I don’t have the data on where all of those manufacturing components are to get them to factories, to get them to everywhere else, so I’m blind.
And then the second thing is and how is all that data now integrating into all my SaaS apps, okay, for my data scientists to be able to do their work to try to do planning for the next 90 days as we get ready for the Christmas rush. That’s where I think people aren’t understanding is, when Geoff was very right around disaster recovery and business continuity and practicing, is understanding there really are two ways that you now have to look at the problem and you have to do it now.
Because if you don’t, when the Maersk thing happened and all of a sudden people were understanding the implications to the IT infrastructure as well as the manufacturing infrastructure, it was an aha moment.
[David Spark] All right. That’s pretty darn good.
Closing
27:10.209
[David Spark] And we’ve come to the point in the show where I ask both of you give me your favorite quote and why. Geoff, which quote was your favorite and why? Lots of good stuff on this one and we referenced it all the time.
[Geoff Belknap] Lots of fantastic stuff here. I feel like I’m going to go with Misha Seltzer from Atmosec, “An organization’s SaaS ecosystem becomes more complex and difficult to understand as it grows larger. SaaS doesn’t stay secure over time.” And I think, while I slightly disagree, I think SaaS actually can stay relatively secure over time, but I think the human nature is to do things expeditiously and to not always understand the complex interconnectivity between a lot of these applications that people use, it can be very challenging if you don’t have a solid strategy and some solid tooling to support that strategy to keep your SaaS infrastructure secure.
It is not going to do it on its own.
[David Spark] Good point. Steve, your favorite quote and why.
[Steve Zalewski] So, I’m going to go a little different than I normally do. I’m going to go with Harold Byun from AppOmni. What got me was SaaS data leakage gaps are not extended kill chain events. And part of what we talked about here was, well, SaaS is different. You got to run it as a separate business almost.
So, you got to think about the kill chains and what you can do for the different types of SaaS applications and business requirements that we talked about. So, I liked it because it was the, well, let’s not throw controls out there. Let’s not just go for visibility, right? Let’s not acknowledge what we don’t have.
Let’s think about the business impact. Let’s look at the kill chain and what can I do to identify when something bad is going on and kind of think of it from there and then back into what you have to do.
[David Spark] Excellent. Thank you very much, Steve. Thank you very much, Geoff. Thank you very much, our audience. And thank you to our sponsor. That would be AppOmni. Check them out at appomni.com. Remember, appomni.com, unmatched security for your SaaS apps. That’s it. As always, we greatly appreciate your contributions.
And if you see an amazing discussion online, ideally on LinkedIn, it’s always best there when I know the actual people who make the comments, please let us know and we can, in many cases, turn it into a great episode of this very show. So, thanks again for your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.