Potential Risks and Threats

• Access risk

  • SaaS apps are always on that is why anyone can reach them on internet

  • Credential stuffing & password spraying are common attacks

• Misconfiguration risk

  • Too many administrators

  • Lack of visibility into SaaS security settings and changes

• Shadow SaaS

  • deployed application in the same cloud account as the main SaaS application

  • the deployed service was done without the security approval

Evaluation of SaaS Security (SANDPIT)

• S - Scalability and Resiliency

  • Provider's ability to scale and recover from failure

• A - Access Control

  • Who has access to the app?

  • Authentication and Authorization

• N - Network and Boundary Controls

  • North-South traffic

    • ingress and egress controls

    • control traffic in and out of the network

  • East-West traffic

    • segmentation

    • Understanding how data isolated or commingled

• D - Data Protection

  • Encryption

  • Managed certificates and keys

  • Use unique keys for each instance

• P - Privacy

  • The infrastructure should be compliant with any laws are important for your business

• I - Incident Response

  • When something is happened, the monitoring tools should be able to detect it and show to customers when and what happened

• T - Third-Party Attestation

  • Annual assessment and report of cloud service provider

  • Conducted by an external auditor (e.g. SOC2)

Links

• LinkedIn Learning - Securing SaaS