How To Perform a SaaS Application Inventory in 5 Simple Steps
A Guide for Information Security Professionals
WHY SHOULD I READ THIS?
This book will help you, the person in the organization who cares deeply about the security and compliance posture of the company, to regain some sanity amidst all of the SaaS chaos. If you follow the steps laid out in this e-book, you will gain the following:
- Catalog: Create a catalog of all of your SaaS apps
- Score: Analyze and assign a risk score to each app
- Mitigate: Create an action plan to address exposures
- Framework: Establish a repeatable framework for the future
WHO BOUGHT THAT APP!?
Increasingly, shadow IT groups are procuring cloud application services without regard to the approved IT procurement processes. This creates a serious concern for the Security Officers of the world: How many SaaS apps do you currently own? Who is managing them? What are your risks? In a recent survey, 71% of the respondents admitted to using apps that were not blessed by IT. The ugly truth is, IT is in the dark regarding its true SaaS footprint.
THE IMPACT OF SHADOW IT (+ INFOSEC)
According to a survey of 200 IT Professionals:
- 73% had to grant temporary access to cloud apps, citing complexities around Identity & Access Management
- 43% admitted to managing passwords in spreadsheets or sticky notes, while 34% admitted sharing them with colleagues
- 20% of app users admitted to a breach by ex-employees
Reference: http://bit.ly/110grku
A HYBRID APPROACH
In our experience, an investment in two areas will yield the best results for this exercise:
- Time to interview the relevant parties within your company to identify what they believe is being used
- Technology to detect what SaaS apps have actually been used
STEP 1: IDENTIFY YOUR STAKEHOLDERS
For the sake of this exercise, we will need the buy-in of the Buyer, Manager and Administrator of the applications.
Buyer: Buyers of SaaS services come from IT and non-IT departments, and involve leaders from HR, marketing, sales, finance, etc.
Manager: The managers often have relationships that will make them privy to what SaaS applications are being used throughout the organization.
Admin: The administrator may be one of two types: the help desk admin who manages user access, and the technical admin who configures and integrates the app.
DON'T LIMIT THIS TO I.T.
(Departments procuring SaaS: Marketing, Engineering, IT Operations, Sales, Finance, Other)
According to Gartner, by 2017, CMOs will spend more on IT than CIOs. IT is increasingly not the procurer of SaaS applications. Therefore, expanding your stakeholder community beyond the realm of IT is critical for the success of this exercise. Engage all the people in your organization that have procured SaaS applications, regardless of their department.
STEP 2: INTERVIEW STAKEHOLDERS
Different stakeholders will be able to answer various types of questions. Here's a breakdown of the relationship between the type of stakeholder and the types of questions they may be able to answer. Starting with the Manager is a great first step; in fact, managers may help you identify other key stakeholders.
Manager
- How many SaaS applications does your department use?
- Does IT have a copy of the contract? The SLAs?
- Who bought each app? (This may lead you to Buyer stakeholders)
- Who is responsible for granting users access to the app? (This may lead you to Admin stakeholders)
- What was the business reason for procuring each application?
- Are any compliance functions fulfilled by the application?
Download our sample spreadsheet to track your Stakeholder Interviews.
Admin
- How many users are in the app? What kind of users? FTEs? Contractors?
- Are there processes in place to request, approve, grant, remove and update access?
- Does the SaaS application store any PII (Personally Identifiable Information) data?
- Are there any integration points between the app and your infrastructure? (For example, for authentication, authorization, identity management, or application data synchronization)
- Are there detective controls in place to routinely review user access to the application?
- Does the application share audit logs?
- What kind of encryption is supported by the app in transit? At rest?
For a more comprehensive list of questions, download the SaaS Security Checklist.
STEP 3: INSPECT YOUR FIREWALL LOGS
This step requires the use of technology that can inspect your proxy and firewall logs and compare them against a database of SaaS applications. This should be able to give you an analysis of your SaaS risk exposure based on what's actually been used (versus what your stakeholders believe is being used). Identropy's SaaS Security Advisory Workshop uses this technology to determine your true SaaS footprint.
(Flow: Firewall and Proxy Logs -> Firewall Log Analysis Tool -> Risk Analysis Report)
STEP 4: GATHER AND ANALYZE THE DATA
(Data points to capture per app: App Usage, Service Risk, Data Risk, Device Risk, Business Risk, Total Users)
Once you've gathered all the requisite data (from both the interviews and the technology), it's time to start analyzing the data.
Multi-dimensional Risk Analysis
The goal of the analysis is to provide a risk score for each application. The risk score should be a composite of the inherent risk of the SaaS app in addition to the risk associated with the way your organization is actually using it.
- Inherent SaaS Risk: This is the risk associated with the SaaS app's own internal security mechanisms
- SaaS Usage Risk: This is the risk associated with how your organization is utilizing the SaaS app and the sensitivity of the data you've uploaded
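The log-versus-interview reconciliation of Step 3 and the composite score of Step 4, as an added worked example that is not part of this e-book or of Identropy's tooling. It matches constructed proxy log lines against a small constructed catalog standing in for the SaaS application database, then adds each app's inherent risk to a usage risk derived from distinct user count, the PII answer from the admin interview, and whether anyone reported the app at all; the hosts, app names, interview answers and weights are all assumptions.

```python
from collections import defaultdict
# Constructed proxy log lines (timestamp user destination-host bytes); not real data.
PROXY_LOG = """\
1700000000 alice crm.example-saas.com 5120
1700000001 bob crm.example-saas.com 880
1700000002 carol files.example-share.net 99000
1700000003 carol crm.example-saas.com 200
1700000004 dave notes.example-pad.io 120
1700000005 erin notes.example-pad.io 300
1700000006 frank www.example-news.org 777
"""
# Constructed stand-in for the "database of SaaS applications" (Step 3):
# host -> (app name, inherent risk 1-5 reflecting the vendor's own security controls).
CATALOG = {
    "crm.example-saas.com": ("ExampleCRM", 2),
    "files.example-share.net": ("ExampleShare", 4),
    "notes.example-pad.io": ("ExamplePad", 4),
}
INHERENT = {name: risk for name, risk in CATALOG.values()}
# Constructed interview findings (Step 2): apps stakeholders reported, and whether
# the admin said the app stores PII. Apps missing here were never reported.
INTERVIEWS = {"ExampleCRM": {"pii": True}, "ExampleShare": {"pii": False}}

def detected_usage(log):
    """Map app name -> set of distinct users seen talking to it in the proxy log.
    Hosts not in the catalog (ordinary web traffic) are ignored."""
    users = defaultdict(set)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] in CATALOG:
            users[CATALOG[fields[2]][0]].add(fields[1])
    return users

def usage_risk(app, n_users):
    """Usage risk 1-5 (weights are illustrative assumptions): grows with user
    count, +2 if the app holds PII, +1 if nobody reported it (unmanaged shadow IT)."""
    score = 1 + min(n_users // 2, 2)
    score += 2 if INTERVIEWS.get(app, {}).get("pii") else 0
    score += 1 if app not in INTERVIEWS else 0
    return min(score, 5)

def score_apps(log):
    """Rows of (app, inherent, usage, composite, unreported), highest risk first,
    which is the ordering Step 5 starts from."""
    rows = []
    for app, users in detected_usage(log).items():
        usage = usage_risk(app, len(users))
        rows.append((app, INHERENT[app], usage, INHERENT[app] + usage, app not in INTERVIEWS))
    return sorted(rows, key=lambda r: r[3], reverse=True)
```

With this data the unreported app lands at the top of the list even though it has fewer users than the reported CRM, which is the point of combining detection with interviews.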
STEP 5: CREATE A REMEDIATION STRATEGY
The last step is to rank the applications in order of risk, and to create a Remediation Strategy for each high-risk item. Once again, a hybrid approach of process and technology is in order.
Your Own Cloud Security Technology Stack
The emergence of SaaS apps has created a new breed of security technologies. A thorough investigation of the risks your organization faces versus the technologies that exist (some of which you may already own) can help create your own cloud security technology stack. Identropy's SaaS Advisory Program can help you identify which technologies may make sense for your organization. Click here for more information.
www.identropy.com