Comment (0)

Cloud productivity apps like GSuite and O365 are now standard across organizations. This adoption has led to the demise of a “secure perimeter." It is not uncommon to see users reply to email or comment on a document while on the road and on their personal phone. This is because these apps are always available from any location and any device. Adoption of cloud apps leads to increased productivity.

But they also pose problems for older ways of doing security. In the past, IT security was able to put up firewalls, segment networks, and prevent access to hosted apps from outside of approved networks. They are still able to extend these networks via VPN. However, using a VPN is an inconvenience and adoption isn’t exactly stellar among users.

Zero-Trust Security: Modern Security for Modern Productivity

Zero-trust security architectures are being adopted as a way to secure both users and apps. Zero-trust security approaches have traditionally focused around user identity. These might include Single Sign-On (SSO) through standards and/or multi-factor authentication (MFA). There are many compelling products that provide SSO and MFA for organizations of all sizes. Google’s BeyondCorp initiative has pioneered the concept of Access Proxy, but its adoption is still in early stages.

I propose that you also need to pair your identity-based, zero-trust security architecture with the intelligence you can gain from SaaS apps themselves. The most effective way to do this is via APIs. Here are three examples:

1. Where is the user accessing the SaaS app from?

Knowing locations, devices, ISPs, and time of access of a user logging into a SaaS application can offer valuable insights into knowing if this is expected behavior or if the user account is compromised, as in an account takeover. An easy way to visualize all user access across the globe will go a long way in zooming into those users whose activity might be a cause for suspicion.

2. Company content sharing in SaaS apps

Your company documents now live in the cloud and are accessible from anywhere in the world by authorized users…and hackers with access to your compromised accounts. There is no firewall or proxy you can deploy that will assure you that your data is secure from misuse. The best way to understand the use of any document is by seeing who has been accessing the document, who it has been shared with, where it was downloaded from, who modified it, etc.

3. Phishing emails or compromised emails?

The old way of hacking is to send phishing emails that look like they came from your employees. The new way of hacking is to send emails that indeed come from your employees. They do this by gaining access to your employee’s inbox, either through an OAuth grant issued for a “useful” app like a game or a restaurant tip calculator.

Traditional anti-phishing defenses are no match for these targeted attacks that use one of your employee accounts. The user doing these actions are “trusted” by your traditional security controls. Requiring MFA can stop some of these attacks, but not all.

What you need is visibility into every third-party app that has access to your employee accounts. This information is available from SaaS vendors through APIs. Pair it with user access patterns, and you can often form a good picture of suspicious attacks happening against your organization.

These are some examples of how an API-based approach to SaaS security can complement and strengthen your zero-trust security architecture. There is no silver bullet when it comes to cloud security. You need an approach that leverages defense in depth.

The faster your IT security can get away from an over-reliance on firewalls, proxies, and on-prem LDAP authentication, the faster they can get prepared to face emerging threats. Cloud applications that are always on, and are available from every device and every location, are a huge boon to organizations. But, they also require IT security to evolve and adopt fresh ways of addressing these threats.

Comment (0)