A Wake-up Call from the National Cloud Security Centre
Tuesday 26th June 2018
We've said it a lot: SaaS is a great thing. It gives access to innovative technology at a price that doesn't require a lengthy discussion about budget or sign-off, a global marketplace that allows highly focused best-of-breed apps to exist, and the agility this brings to an organisation responding to business needs.
However, if you're going to use SaaS products and services then you need to SaaS safely. Not all SaaS apps are equal. Despite the great cloud applications out there, some are inappropriate for certain situations while others are downright malicious. For example: personal cloud sharing apps used to share confidential corporate documents; PDF converters that can take data outside of a compliant geography; HR apps that store CVs in the cloud; and others that hide their right to use your data, intellectual property or documents in terms and conditions which don't always get checked in the rush to achieve a goal.
So I'm very glad to see that the UK's National Cloud Security Centre (NCSC, part of GCHQ) has weighed in on this important topic with a set of specific guidance for SaaS. NCSC has produced some really excellent material aimed at helping companies to choose, plan, configure and operate their Cloud infrastructure. If you're in any way involved in running workloads in the Cloud, I highly recommend you read their Cloud Security Collection, especially the 14 Cloud Security Principles.
However, last week NCSC issued some very specific guidance about SaaS for the first time, something that's long overdue, since for many small businesses SaaS is Cloud: not everyone needs or wants to run workloads in public cloud, but it's impossible to avoid the use of SaaS apps hosted in public cloud.
The NCSC SaaS guidance sets out a general overview of SaaS security considerations and also provides a detailed assessment of 12 specific popular SaaS applications: Basecamp, Confluence, G Suite, Jira, MailChimp, Office 365, Slack, Smartsheet, Stride, Trello, Yammer, and Zendesk.
For the listed SaaS applications, the individual assessments are very helpful, asking a lot of the right questions about SaaS, such as where and how data is stored, who can access it, and what capabilities the SaaS provider gives you, the consuming enterprise, to help you manage application security, risk and compliance.
The number of "unknowns" listed in the guidance just serves to highlight the scale of the problem facing security professionals when it comes to SaaS. The picture at the bottom of this article is an extract from the assessment of Basecamp, and it's clear that a huge amount of the detail is either not available or is based on statements made by the SaaS vendor.
There's a lot of trust involved in assessing and adopting any SaaS application, but at least with the larger well-known vendors such as the ones listed by NCSC, there is some information available including a lot of opinions and commentary from the community.
You can't manage what you don't know about
So here's a big question to consider: what about the other 15,000+ SaaS applications, many of which you won't have heard of (Shadow IT), and about which there's precious little published information?
It's a mammoth task, and you'll need to approach it in a structured way, gathering good information and wrapping a governance framework around all the SaaS applications in use.
Our research and contact with customers indicates that companies may have up to 20-25 times more SaaS systems in play around the organisation than the IT department knows about. That's a startling number and shows the scale of the problem.
Five points to keep IT awake at night
- The budget being spent on SaaS systems is exploding and is probably invisible as IT spend, because it is often made up of small amounts that are budgeted for by a department or expensed by an individual.
- Cloud applications are vulnerable: according to Gartner, by 2020 33% of successful attacks experienced by larger companies will be on their invisible SaaS IT resources.
- Staff using such applications are not fully apprised of the compliance or security needs and typically don't involve the IT department or those who could advise them, so an organisation without any cloud compliance governance becomes increasingly vulnerable to serious problems.
- There is an ever-expanding supply of SaaS or Cloud applications that people can reach with ease to address their business requirement without engaging with compliance, security or other IT personnel, so tools are needed now to contain and manage the issue.
- Use of SaaS applications is generally underestimated: Cisco's recent Shadow IT report showed that CIOs estimated they had around 51 cloud services whereas the actual number was 730. That's a large gap.
Ampliphae's software gives you a head start on managing SaaS applications, starting with the discovery of SaaS applications in motion and helping you through the whole process of understanding, making decisions, and wrapping governance around the SaaS your people use.
We can help you to address these problems today by identifying what cloud applications are actually in use, who is using them and their likely costs, and then helping you effect change so that you can manage these applications in a way that is compliant and secure.
To get a feel for how Ampliphae can help, we offer an interactive demonstration system. If you feel the need, and you should, please try it here or contact us and we'll help you work through these issues before the problem becomes too big to tackle.
Example from NCSC website below.