News in the Channel - issue #11

SaaS SECURITY

CONTINUED

access sensitive data

• Malware: SaaS applications can be targeted by malicious software that can attack multiple accounts in the SaaS environment, leading to data loss and system corruption. Meanwhile, ransomware can encrypt data and block access to the computer system until a payment is made.
• Third-party integrations: Many SaaS applications like Spendflo and Nightfall DLP allow for third-party service integration. However, if these integrations are not properly secured, they can serve as entry points for cybercriminals, which risks the security of the SaaS.

Keeping solutions secure

But while there are threats, there are also plenty of solutions for keeping SaaS solutions secure. Becky notes that multi-factor authentication (MFA) can be useful. “The main advantage of MFA is its ability to optimise your organisation’s security system,” she says. “Instead of a conventional username and password, MFA requires additional verification factors. This serves to significantly lower the likelihood of a cybersecurity attack. MFA factors can range from electronic keys and fobs to even your own fingerprint.”

Likewise, data encryption is important. It encodes an organisation’s important and confidential information, meaning it can only be accessed by a user with the correct logins. This applies whether it is ‘encryption at rest’, where encrypted data is kept or stored to keep information safe even when it is not actively being used, or ‘encryption in transit’, where encrypted data is being transferred between two nodes.

Access control systems, which identify users by different types of login credentials such as usernames, passwords, PIN codes and biometric scans, are another common security solution. “When combined with MFA, SaaS requires multiple authentication methods to verify a user’s identity,” Becky says. “Discretionary access control allows owners of the data to set the policies for who is allowed access, while mandatory access control grants people access through an intensive information clearance.”

Markus Rex, managing director, SYNAXON Managed Services, adds that another approach that works well is ‘bring your own encryption key’. “By enabling customers to use their own encryption software and manage their own keys, this significantly enhances protection, and it’s something we’d recommend partners should look for in a SaaS offering,” he says.

Alex adds that treating all administrative access to SaaS applications, such as admin accounts used to set up single sign-on integrations, as privileged can help. “Credentials are often shared across teams and even third-party contractors and are rarely changed, making them easy targets for external attackers and malicious insiders,” he says. “Specifically, privileged credentials should be secured in a central vault, automatically rotated and all activity must be recorded and available for audit. Human, machine and application users with access to sensitive information for SaaS applications should also be considered privileged.”

Richard Foulkes, UK chief solutions consultant at Exclusive UK, agrees that it is important to have a good identity policy, making sure only the right people have


Contributors

Alex Mann

Becky Stables

Markus Rex

Richard Foulkes

Neil Langridge

cyberark.com

catalyst-bi.co.uk

synaxon-services.com

exclusive-networks.com

e92plus.com
