Tips for Securing SaaS Applications in Organizations


Summary

Securing SaaS (Software as a Service) applications in organizations is essential to protect sensitive data, ensure compliance, and reduce risks. This involves understanding shared responsibilities, managing user access, and continuously monitoring for vulnerabilities specific to each application's unique risk profile.

  • Understand shared responsibilities: Familiarize yourself with the shared responsibility model, where the service provider secures the platform, while your organization is responsible for user access controls, data protection, and compliance policies.
  • Strengthen access controls: Implement multi-factor authentication, role-based access control, and the principle of least privilege to restrict access to only what users need for their tasks.
  • Monitor applications regularly: Use tools to scan for vulnerabilities, review access and configurations, and ensure that SaaS applications remain compliant with regulations and internal standards.
Summarized by AI based on LinkedIn member posts
  • Christian Hyatt

    CEO & Co-Founder @ risk3sixty | Compliance, Cybersecurity, and Agentic AI for GRC Teams

    46,925 followers

    If I were assessing a high risk SaaS vendor here are 8 things I would ask for:

    1. Context is Key
    First, I would understand what they do for my company. What data do they collect, what access do they have, what services do they provide? I would let that context steer how deep I dive.

    2. SOC 2, ISO 27001, or Equivalent
    I would ask for their third party audits. I would read the reports to see if they engaged a reputable firm. I would see if the scope, audit period, and controls are applicable to me. This will prevent me needing to ask for basics like copies of policies.

    3. Penetration Test
    I would get a copy of their latest penetration test. I would look at the scope, when it was performed, who performed it, and track down any findings. It is important to make sure the pentest covers the product/network that matters to you.

    4. Vulnerability Scans
    I would get a sample of 3 months of vulnerability scans including the latest month results. Both network and application level scans. I would make sure they have the right coverage and that there are no red flags.

    5. Vet Anyone with Access to My Systems
    I would want to make sure that anyone with access to my systems is appropriately vetted. That likely means via a background screening and qualification requirement in contract. If they are getting remote admin access to my network I probably want to vet them myself or have my company be in on the screening.

    6. Proof of Stability
    If the company is mission critical to my business, I may request some evidence that the company is stable. Up to and including audited financials, reserving rights to the source code if the company goes bankrupt, or equivalent. This is rare, but important when applicable. If it is serious enough, you may even ask to speak with executives and get commitments directly.

    7. Company Insurance
    This is just housekeeping for most companies, but I want to make sure they are insured. I am looking for the typical General Liability, E&O, Cyber, etc. at acceptable limits.

    8. List of Third Parties and Sub-Processors
    I may ask for a list of my vendor's critical third parties. I want to be sure that they are using credible vendors that may impact me. I would pay close attention to things like technology providers, contractors, anyone who processes my data, etc.

    ---
    Anything you would add to this list?

  • Vishal Chawla

    Cybersecurity Strategist & CEO @ BluOcean

    10,179 followers

    You Can't Secure SaaS Apps You Don't Understand

    Every SaaS application brings unique risks—but most risk assessments treat them all the same. That's like using one master key for every lock in your enterprise.

    🔍 43% of SaaS apps are adopted without IT's knowledge
    🔍 56% have overprivileged integrations—each a potential breach path
    🔍 App-specific misconfigs take 90+ days to catch

    Generic scans miss what matters: the distinct risk profile of each application.

    Our Application-Specific Risk Assessments deliver precision:
    ✅ Per-app visibility – Not just "you have Salesforce," but "your Salesforce has 3 overprivileged customer data access rules"
    ✅ 85% faster risk reduction – Because we prioritize this app's critical flaws, not hypotheticals
    ✅ 93% shorter audits – Real-time scoring of application-level compliance gaps

    How We Do It:
    1️⃣ App-by-app risk mapping (Okta ≠ GitHub ≠ Workday)
    2️⃣ Auto-detect application-specific misconfigs – Like Salesforce sharing rules or Zoom recording settings
    3️⃣ Guided hardening for each app's unique risks

    The outcome? Fewer surprises, faster compliance, and security that actually matches how you use SaaS.

    👉 See application-specific risk analysis in action: https://lnkd.in/eEGpna8T

    #SaaSSecurity #AppSec #RiskAssessment #SaaSGovernance

    Connect/Follow Me 👉🏼 Vishal Chawla
    Browse My Content 👉🏼 #BluOceanCyber
    Sign up for Our Newsletter 👉🏼 https://lnkd.in/eyAzr_2E

  • ☁️ Christophe Foulon 🎯 CISSP, GSLC, MSIT

    Executive Cybersecurity Advisor & vCISO | Helping SMBs & Startups Build Resilient Security Programs | Author & 'Breaking Into Cybersecurity' Podcaster | Microsoft Cloud, Data, AI, GRC & Security SME

    49,813 followers

    Understanding shared responsibility for Software as a Service (SaaS) is crucial for Small and Medium-sized Businesses (SMBs) to maintain robust cybersecurity. Here are key tips to help SMBs grasp this concept:

    1. Grasp the Shared Responsibility Model
    The shared responsibility model divides security tasks between the cloud service provider (CSP) and the customer. For SaaS, the CSP handles security of the cloud, which includes infrastructure, data center security, and the application itself. The customer is responsible for security in the cloud, covering aspects like user access management, data protection, and compliance with internal security policies.

    2. Focus on User Access and Data Security
    SMBs need to implement strong user access controls. This includes:
      - Identity and Access Management (IAM): Ensure only authorized users have access to specific data and applications.
      - Multi-Factor Authentication (MFA): Add an extra layer of security to user logins.
      - Data Encryption: Encrypt data both at rest and in transit to protect sensitive information.

    3. Continuous Monitoring and Compliance
    SMBs should continuously monitor their SaaS environments and ensure compliance with relevant regulations:
      - Security Monitoring Tools: Use tools to monitor activity within SaaS applications for unusual behavior or potential security threats.
      - Regular Audits: Conduct regular security audits and assessments to ensure compliance with industry standards and regulations.
      - Compliance Management: Stay updated on regulatory requirements and ensure the SaaS provider complies with them, while also meeting your own internal compliance standards.

    By understanding these elements, SMBs can effectively manage their responsibilities in the shared responsibility model, ensuring a secure and compliant SaaS environment.

    For further assistance and strategic planning, consider consulting services like those offered by CPF Coaching LLC, which can help improve and mature your information security processes.

  • Nick Sessa

    Founder/Principal @ EntruLabs | ServiceNow MVP | Cybersecurity (CISSP/GPEN/CEH) | SN Security Researcher Hall of Fame

    3,274 followers

    I recently came across a blog detailing an alleged compromise of a ServiceNow instance through the use of stolen credentials via side_door/login.do. In this case, the affected instance didn't have multi-factor authentication (MFA) enabled for local logins.

    SaaS Security is a shared responsibility - small decisions/actions on the customer side can have a big impact.

    If you're a ServiceNow customer, imagine me screaming this, standing on top of a table in your office with a megaphone:
    1. TURN ON PLATFORM MFA FOR SIDE DOOR/LOGIN.DO 🗣️
    2. MONITOR YOUR LOCAL ACCOUNTS 🗣️

    There's no reason to not do this. The only edge case I've seen where you shouldn't is if you have some RPA process using it, and even in that case you can still turn on MFA and have the RPA user as an exception (not ideal, but better than no MFA for anyone local).

    LASTLY, if you are a PARTNER, please take this seriously and add it to your standards for implementation. Ask these questions in workshops. Do the right thing.

    Article coming soon from me on more complex implementations of using adaptive auth to harden local logins even more. Follow me if that sounds interesting to you 🕵️

    #servicenow #servicenowsecurity #servicenowplatformsecurity #mfa #servicenowcommunity
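The "monitor your local accounts" step above, as an added example that is not from the post or from ServiceNow: a small review script that walks constructed login audit lines, flags local (side_door/login.do) logins that were not protected by MFA, and tags the MFA-exempt RPA account case separately so a reviewer can confirm the source is expected. The `<time> key=value ...` line layout, field names and sample entries are assumptions for this example, not ServiceNow's actual log schema.

```python
# Added example (not ServiceNow code): flag local logins that skipped MFA.
# The line layout below is assumed; it is NOT ServiceNow's real log schema.
LOCAL_LOGIN_PATH = "/side_door/login.do"

# Constructed sample lines for this example.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z user=alice path=/login.do auth=sso mfa=yes src=10.0.0.5
2024-05-01T08:05:40Z user=svc_rpa path=/side_door/login.do auth=local mfa=no src=10.0.0.9
2024-05-01T09:17:03Z user=admin path=/side_door/login.do auth=local mfa=no src=203.0.113.7
2024-05-01T09:20:55Z user=bob path=/side_door/login.do auth=local mfa=yes src=10.0.0.12
2024-05-01T09:31:02Z user=admin path=/side_door/login.do auth=local mfa=no src=203.0.113.7
garbage line that should be skipped, not crash the review
"""

REQUIRED = {"user", "path", "auth", "mfa", "src"}


def parse_line(line):
    """Parse '<time> k=v k=v ...' into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2 or not all("=" in p for p in parts[1:]):
        return None
    ev = dict(p.split("=", 1) for p in parts[1:])
    ev["time"] = parts[0]
    return ev if REQUIRED.issubset(ev) else None


def find_unprotected_local_logins(log_text, rpa_exceptions=frozenset()):
    """Return (time, user, src, reason) for each local login that skipped MFA.
    Accounts in rpa_exceptions (the post's RPA exception) are still reported,
    but tagged so reviewers check that the source address is the expected one."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["path"] != LOCAL_LOGIN_PATH or ev["auth"] != "local":
            continue  # SSO logins and other paths are out of scope for this check
        if ev["mfa"] == "yes":
            continue
        reason = ("mfa-exempt rpa account" if ev["user"] in rpa_exceptions
                  else "local login without mfa")
        findings.append((ev["time"], ev["user"], ev["src"], reason))
    return findings


def logins_per_user(findings):
    """Count flagged logins per account so repeat offenders stand out in review."""
    counts = {}
    for _, user, _, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts
```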

  • Ofer Klein

    Co-Founder & CEO at Reco - Dynamic SaaS Security

    12,915 followers

    9 SaaS Identity and Access Management Best Practices

    Identity and Access Management (IAM) for #SaaS ensures that only authorized individuals can access the necessary tools and information in cloud-based applications. Without effective #IAM, unauthorized users may gain access to sensitive data, leading to data breaches and potential financial losses. Furthermore, inadequate IAM can result in compliance violations, as many industries have stringent regulations regarding data protection and privacy. Additionally, the lack of a robust IAM system can hinder productivity, as employees may struggle to access the resources they need, ultimately impacting overall business performance.

    Tighten Up Your SaaS Security with 9 Best Practices:
    1. Multi-Factor Authentication (MFA): MFA adds an extra step beyond passwords, like a code sent to your phone.
    2. Role-Based Access Control (RBAC): RBAC gives access based on job roles.
    3. Least Privilege: A security principle that involves granting users the minimal levels of access—or permissions—needed to perform their job functions.
    4. Regular Audits and Monitoring: Regularly checking who has access and how they use it helps catch issues early.
    5. Strong Password Policies: Complex passwords with a mix of letters, numbers, and symbols, along with mandatory changes, significantly reduce unauthorized access risks.
    6. Single Sign-On (SSO): SSO lets you access multiple applications with one login, simplifying the process and reducing password fatigue.
    7. API Security: Secure APIs ensure different applications can communicate safely. This protects against unauthorized access or data breaches.
    8. Regular Access Reviews: Regularly review access to applications to ensure only authorized users can enter.
    9. Employee Training: Educating staff on security best practices helps prevent breaches.

    Incorporating these best practices can significantly enhance the #security of your SaaS environment, ensuring that sensitive data remains protected and accessible only to those who need it. As a leading SaaS security provider, Reco AI offers comprehensive solutions to help you implement these practices effectively and safeguard your organization's critical assets.
