Forbes Tech Council - Zero Trust For SaaS Security: How To Get Started

Ofer Klein
Updated
June 18, 2024
November 29, 2024
7 min read

This article was originally posted on Forbes as part of their Forbes Technology Council series.

The average enterprise has a staggering 2,200 (or more) misconfiguration incidents a month in which data is exposed to the public, according to research from McAfee.

As evidenced by that statistic, SaaS security is more important than ever. But traditional security models are no longer providing sufficient protection in today’s threat landscape. Data breaches due to unmanaged access fill the headlines daily, and no company—from Capital One to Marriott—is exempt from experiencing a breach.

Thankfully, zero trust has emerged as a promising solution for addressing SaaS security. Zero trust is a security framework that operates on the principle that no one (whether inside or outside the organization) should be trusted by default. Instead, it requires continuous verification of identities and strict access control.

Zero trust has proven to be an effective means of organizational access control, but adoption of the framework has been slow to take hold. A report from Cisco revealed that almost 90% of companies have begun implementing some aspect of the zero-trust security model, but only 2% have mature zero-trust deployments in place.

Similarly, Gartner predicts that only "10% of large enterprises will have a mature and measurable zero-trust program in place by 2026." While enterprises are beginning to recognize the criticality of zero trust, implementation remains stagnant.

The reason? Until relatively recently, security was more of a reactive than a proactive effort. But as organizations have moved to the cloud and drastically expanded their SaaS environments, taking a proactive approach to security has become a necessity. Cybercriminals are getting smarter and more effective by the day (IBM projects that the cost of cyberattacks on the global economy will exceed $10.5 trillion this year), and companies can’t afford not to adopt zero trust promptly.

Furthermore, generative artificial intelligence (GenAI) is adding fuel to the fire. According to a survey by MIT Technology Review, 76% of enterprises are using GenAI in some way, which most often occurs in the SaaS layer. While this novel technology is undoubtedly driving innovation, it’s also creating new security risks. SaaS platforms with GenAI integrations can inadvertently cause data leaks, compliance issues and privacy violations if sensitive information makes its way into GenAI training models.

The time to implement a zero-trust framework is now. Here are tips for getting started.

Take inventory of the SaaS environment.

In order for a zero-trust framework to be effective, organizations first and foremost must be aware of all of the applications that exist in their SaaS environment. This is easier said than done.

Visibility is the first step, but when applications number in the hundreds or thousands, it becomes a superhuman challenge. Companies need scalable solutions that help them identify and catalog their applications so they can gain insight into how they’re being used (more on this next).

Understand the context of each application.

Once an organization has an inventory of its SaaS environment, it needs full context on exactly how those applications are being used. This requires real-time visibility into who is accessing which applications, from where and why. Based on this information, organizations can use behavioral analytics to detect anomalies like unusual access patterns or unexpected data transfers that could indicate security threats.

Additionally, tracking application usage can tip organizations off to unmanaged or risky applications that may leave them vulnerable to attacks. Achieving total context in real time and across a vast number of applications and users requires solutions that securely leverage AI and machine learning (ML) techniques. Importantly, these solutions must also support business continuity and not hamper the benefits of SaaS.

Put the proper controls in place.

After an organization has gained full context on application usage, it can put controls in place to enforce zero-trust policies. Ideally, access control should be dynamic and adaptive: Based on real-time data, the organization can quickly decide whether to grant or deny a user access to a specific application, cutting down on unauthorized access and minimizing the likelihood of an attack.
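As an added illustration (not code from the original article or from Reco), the three steps above can be run end to end in a small Python policy engine: a sanctioned-app inventory from step one, per-user behavioral baselines learned from past access events for step two, and a dynamic allow / step-up / deny decision for each new access event for step three. All application names, users, countries and thresholds are constructed for the example.

```python
from dataclasses import dataclass, field

# Step 1 output (constructed): the catalogued, sanctioned SaaS applications.
SANCTIONED_APPS = {"crm", "hr-suite", "wiki"}

@dataclass
class AccessEvent:
    user: str
    app: str
    country: str
    mfa: bool
    bytes_out: int          # data the session transferred out of the app

@dataclass
class Baseline:
    countries: set = field(default_factory=set)
    max_bytes_out: int = 0

def learn_baselines(history):
    """Step 2: build per-user context from known-good past events."""
    baselines = {}
    for ev in history:
        b = baselines.setdefault(ev.user, Baseline())
        b.countries.add(ev.country)
        b.max_bytes_out = max(b.max_bytes_out, ev.bytes_out)
    return baselines

def decide(ev, baselines):
    """Step 3: dynamic access decision. Returns (verdict, reason)."""
    if ev.app not in SANCTIONED_APPS:      # nothing is trusted by default
        return "deny", "unmanaged application"
    base = baselines.get(ev.user)
    if base is None:
        return "step_up", "no behavioural baseline for user"
    if ev.country not in base.countries:
        return "step_up", "access from new country"
    if ev.bytes_out > 5 * max(base.max_bytes_out, 1):
        return "deny", "data transfer far above baseline"
    if not ev.mfa:                          # continuous verification
        return "step_up", "mfa required for sanctioned app"
    return "allow", "within baseline"

# Constructed known-good history used to learn the baselines.
HISTORY = [
    AccessEvent("alice", "crm", "US", True, 20_000),
    AccessEvent("alice", "crm", "US", True, 35_000),
    AccessEvent("bob", "wiki", "DE", True, 5_000),
]
BASELINES = learn_baselines(HISTORY)
```

Calling `decide(AccessEvent("alice", "crm", "BR", True, 30_000), BASELINES)` returns a step-up verdict because Brazil is not in alice's baseline, while the same event from the US is allowed; an access to an app outside the inventory is denied regardless of the user.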

Moving forward, zero trust will be critical for enterprises to secure their SaaS environments, especially as technologies like GenAI continue to proliferate. By taking inventory of their SaaS ecosystem, understanding the context of their applications and putting the proper controls in place, organizations can bolster their security posture without inhibiting the innovation and productivity that SaaS platforms provide.

ABOUT THE AUTHOR

Ofer Klein is the Cofounder & CEO of Reco. Ofer is a former Israeli pilot, and a serial entrepreneur with a vast experience in building and growing GTM teams with SaaS companies in the US. He is passionate about leading solutions for the distributed workforce.

Technical Review by:
Gal Nakash
