SSPM and how it’s shaking up business application security

Written by Ian Tinney

June 7, 2022

Any security leader understands how critical SaaS is to their business, but few understand the risks that come with it. SaaS Security Posture Management promises to finally deliver the proactive security that business applications need.


There’s a new kid on the block when it comes to proactive security in the cloud. SaaS Security Posture Management, or SSPM, is a new security category created by Gartner that promises to enable organisations to continuously monitor their Software as a Service (SaaS) applications and ensure they are configured correctly.

Related to Cloud Security Posture Management (CSPM), SSPM describes a set of automated tools that provide visibility into the SaaS environment, enabling the business to identify discrepancies between the security posture its policies describe and the real security posture, and so prevent data leakage or theft. In common with CSPM, SSPM creates an inventory of SaaS accounts and of the access rights, permissions and entitlements of all users. Comparing the current state with the original, approved configuration lets the solution detect changes that could represent a security risk and address them.

SSPM breaks new ground in that it allows the business to automate the management and enforcement of application settings for hundreds of applications, not only CX, HR, marketing, CMS and file-sharing applications but also high-end services such as Microsoft 365, Salesforce and Slack, none of which are controlled by the organisation.

SaaS shared responsibility

While governance of the SaaS application falls to the vendor, protecting the data and how it is accessed is the responsibility of the business. Often referred to as the ‘shared responsibility model’, this has driven the adoption of cloud security solutions over Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) cloud environments.

However, under SaaS the vendor owns a much larger chunk of the service offering, as it governs the application, operating system, network traffic, hypervisor and infrastructure. The business only has governance over user access, which is exactly why that area tends to be overlooked.

At this point, you may be thinking, “I already monitor my business applications using a Cloud Access Security Broker (CASB),” which does monitor for issues across various cloud environments. While CASBs do address user access and data security, they operate at a much more peripheral level than SSPM, so they are unable to mitigate sophisticated attacks or complex configuration errors. Crucially, they are reactive: they only kick in once unauthorised access or data exfiltration has already happened.

How SSPM works

In contrast, SSPM works proactively to prevent issues such as data leakage and non-compliance with industry regulations, which makes it complementary to CASB. It does this by continuously monitoring all the SaaS applications in the cloud to spot policy or compliance violations caused by misconfiguration. It can also suggest how to improve configuration to reduce risk, and can even enable automated remediation.

Misconfiguration is a major cause of data breaches in the cloud. It was named the top threat in the State of the Cloud Security 2021 report, while the Cloud Configuration Risks Exposed report found that 90 percent of organisations were effectively left vulnerable to security breaches by cloud misconfigurations. The complexity of the SaaS estate makes it highly susceptible to misconfiguration; as a result, 85 percent of information security professionals cite SaaS misconfiguration among the top three security risks facing the enterprise today.

An SSPM solution is able to monitor a vast array of application configurations, from Identity and Access Management (IAM) to malware and data-leakage controls, access control and the enforcement of least privilege. Should an application be at risk of misconfiguration, the SSPM triggers an alert together with contextual insights that establish the level of risk involved, allowing the security team to investigate rapidly and prevent the misconfiguration, and with it a possible breach.

Because monitoring is continuous, it eliminates the problems associated with point-in-time assessments, and the SSPM provides complete visibility of the key SaaS solutions from a single dashboard. From here, the security team can also take a targeted approach, monitoring privileged users or specific activities, or can carry out forensic investigations.
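To make the two checks this section describes concrete, here is a small Python posture checker added as an illustration; it is not code from the article or from any SSPM product. It evaluates a constructed SaaS tenant snapshot (tenant-wide settings plus a user inventory) against a policy baseline, derives entitlement findings from the inventory rather than from a single setting, and reports drift from the last approved configuration. Every setting name, threshold and account in it is an assumption.

```python
from dataclasses import dataclass
POLICY = {  # boolean tenant-wide settings required by policy, with severity (assumed names/values)
    "mfa_required_for_all_users": (True, "critical"),
    "external_sharing_allowed": (False, "high"),
    "guest_access_allowed": (False, "medium"),
}
MAX_SESSION_MINUTES = 60  # assumed policy ceiling
MAX_GLOBAL_ADMINS = 2     # assumed policy ceiling

@dataclass(frozen=True)
class Finding:
    control: str
    expected: object
    observed: object
    severity: str

def evaluate_posture(tenant: dict) -> list[Finding]:
    """Compare one SaaS tenant snapshot (settings + user inventory) against policy."""
    settings, users = tenant["settings"], tenant["users"]
    findings = []
    for control, (expected, severity) in POLICY.items():  # any deviation is a finding
        if settings.get(control) != expected:
            findings.append(Finding(control, expected, settings.get(control), severity))
    timeout = settings.get("session_timeout_minutes", 0)  # long sessions widen the token-misuse window
    if timeout > MAX_SESSION_MINUTES:
        findings.append(Finding("session_timeout_minutes", f"<= {MAX_SESSION_MINUTES}", timeout, "medium"))
    # Entitlement checks are derived from the account inventory, not from a single setting.
    admins = [u for u in users if "global_admin" in u["roles"]]
    if len(admins) > MAX_GLOBAL_ADMINS:
        findings.append(Finding("global_admin_count", f"<= {MAX_GLOBAL_ADMINS}", len(admins), "high"))
    no_mfa_admins = [u["name"] for u in admins if not u["mfa_enrolled"]]
    if no_mfa_admins:
        findings.append(Finding("global_admin_without_mfa", [], no_mfa_admins, "critical"))
    return findings

def detect_drift(approved: dict, current: dict) -> dict:
    """Settings whose value changed since the last approved snapshot: {name: (was, now)}."""
    return {k: (approved.get(k), current.get(k))
            for k in sorted(set(approved) | set(current)) if approved.get(k) != current.get(k)}

SAMPLE_TENANT = {  # constructed snapshot, not taken from any real tenant
    "settings": {"mfa_required_for_all_users": False, "external_sharing_allowed": True,
                 "guest_access_allowed": False, "session_timeout_minutes": 480},
    "users": [{"name": "alice", "roles": ["global_admin"], "mfa_enrolled": True},
              {"name": "bob", "roles": ["global_admin"], "mfa_enrolled": False},
              {"name": "carol", "roles": ["global_admin"], "mfa_enrolled": True},
              {"name": "eve", "roles": ["user"], "mfa_enrolled": False}],
}
APPROVED_SETTINGS = {"mfa_required_for_all_users": True, "external_sharing_allowed": False,  # constructed
                     "guest_access_allowed": False, "session_timeout_minutes": 60}
```

Run against the sample, `evaluate_posture` returns five findings (two critical, two high, one medium) and `detect_drift` reports the three settings that moved since approval, which is the signal an SSPM would raise as an alert with its risk context.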

Why it’s one to watch

Much like other recent advances in the security space, SSPM takes a proactive stance that seeks to prevent incidents rather than react to them. It is a significant milestone for SaaS security, which has largely relied on CASB, and as a result Gartner has tipped it as one to watch, with significant uptake expected over the next five to ten years.