[09-12-24] Who Is Responsible for Securing SaaS Tools?

Super Cyber Fridays!
Join us TOMORROW, Friday [09-13-24], for "Hacking Leadership Skills"


Join us Friday, September 13, 2024, for "Hacking Leadership Skills: An hour of critical thinking about building the skills you need to succeed."

It all begins at 1 PM ET/10 AM PT on Friday, September 13, 2024, with guests Alexandra Landegger, executive director and CISO, Collins Aerospace, and Jodie Lash, cybersecurity senior director, FanDuel. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Defense in Depth
Who Is Responsible for Securing SaaS Tools?


Haven't we already discussed the cloud shared responsibility model at great length? We've had the cloud for nearly two decades. Why can't we just extend that shared responsibility model to SaaS?

Check out this post for the discussion that is the basis of our conversation on this week's episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Russell Spitler, CEO and co-founder, Nudge Security.

Defining responsibilities

Securing SaaS data is frustrating for security teams when the SaaS applications themselves don't make it easy, or in some cases even possible. "A new SaaS shared responsibility model could help assign clearer ownership to relevant teams across managing SaaS identities, data, SaaS-to-SaaS, etc. Right now with SaaS, IT has to do security work without the security knowledge/context, and security has to do IT work without a clear understanding of the potential impact of misconfigurations," said Adam Gavish of DoControl. The only way organizations can make sense of this is by clearly defining who owns what with SaaS. Chris Jones of Promethean IT advocates for defining these responsibilities, saying, "By establishing a standardized model, we can help nudge SaaS providers to integrate critical security features and management tools, ensuring a more secure and transparent relationship between customers and their entire SaaS security ecosystem."

Understanding the problem

Gaps in SaaS security often arise when employees can't use the tools they need to get their job done. "If IT isn't attentive to users and their requirements, employees will naturally find other ways to complete their tasks. Essentially, this happens when IT isn't effectively listening to and addressing user needs," said Michael Giraldo of TheFence. For Simon Goldsmith of OVO, though, this isn't a question of a shared responsibility model at all; it is a new spin on an old problem. "I view this as just a different take on the fundamental question of how we get our people and third parties to take accountability for security. So no, we don't need a new abstracted model, we need new contracts and incentives."

A different role for security

A new SaaS shared responsibility model requires security teams to change how they view their mission. SaaS fundamentally means the organization no longer owns the underlying IT, and it needs to fully embrace the implications of that. "Enterprises need to stop 'managing' SaaS and start 'governing' SaaS. It is wrong to assume we can secure the modern workforce with its two-year-old innovative GenAI solutions, using 15-year-old firewalls and CASBs. The shared responsibility model should change to allow the business to own the risk, and the security team to monitor and support securing those apps, instead of doing it themselves," said Lior Yaari of Grip Security.

Focus on the data

The problem with SaaS security comes from an either/or mentality. Enterprises cannot assume that all the risks, controls, and security are the responsibility of the SaaS providers. Organizations need to prioritize their resources on what matters most. "The number one shared responsibility is to protect the customer data. Companies should implement strong IAM mechanisms to prevent phishing or exfiltration of data from their accounts. They also need to implement their own data backup strategy. It is critical, as there are plenty of examples where SaaS vendors have lost customers' data due to internal errors," said Mauricio Ortiz of Merck.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our other witting contributor, Clea Ostendorf of Wolfpack Security.

Thanks to our podcast sponsor, Nudge Security


Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Patrick Heim, co-founder and partner, SYN Ventures.

Thanks to our Cyber Security Headlines sponsor, Vanta


LIVE!
Join us at FAIRCON24 - 10-02-24 for CISO Series Game Show


Live in Washington DC or planning to attend FAIRCON24?

Love cybersecurity and playing cybersecurity games?

Then join us for a CISO Series Game Show, happening as part of FAIRCON24. Here's what you need to know.

WHAT: CISO Series Game Show LIVE at FAIRCON24

WHERE: The Fairmont Hotel, 2401 M Street NW, Washington, D.C. 20037

WHEN: Wednesday, October 2, 2024, at 12:00 PM, just before lunch. FAIRCON24 itself runs October 1 and 2.

CONTESTANTS: David Spark of CISO Series will host, and we'll have Anne Marie Zettlemoyer, fellow, National Security Institute, competing against Michael Levin, former deputy CISO, 3M.

Get your tickets here. Use our discount code CISOSERIESFC24 to save 30%!

And whether or not you can come to FAIRCON24, please join our CISO Series meetup on the eve of FAIRCON24, September 30, 2024, also at the Fairmont Hotel. This is a free event, but you do have to register.

Thanks to our sponsor, Safe Security


Cyber chatter from around the web...
Jump in on these conversations

"A man has been charged after allegedly establishing evil twin fake WiFi access points at several airports and on domestic flights." (More here)

"Challenges in Tabletop exercises?" (More here)

"Cybersecurity Insurance specialty.. is there such a thing?" (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [09-13-24] Hacking Leadership Skills

  • [09-27-24] Hacking Alerts 

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.