Software as a Service (SaaS) is today a mainstream model for software deployment and usage.
Many organizations rely heavily on SaaS platforms, and they are increasingly used for mission critical applications. This makes SaaS security a critical part of cybersecurity efforts.
However, SaaS applications are, by definition, managed by a third party and outside the organization's control. How can organizations regulate access and ensure that applications and data are safe from attacks? Zero trust provides a solution. It is a new security paradigm that denies access to everything by default and dynamically verifies every connection according to the current security context, enforcing security policies regardless of the user's location or the application they are accessing.
What is Software as a Service (SaaS)?
SaaS is a software distribution model that allows cloud providers to host applications and make them available to end users over the Internet.
Typically, software vendors contract with third-party cloud providers to host their applications. In other cases, cloud providers like Microsoft or Amazon Web Services (AWS) directly provide SaaS solutions. A third possible model is a software vendor that sets up their own cloud infrastructure to host an application.
SaaS works through a cloud delivery model. The cloud provider (who may or may not be the application developer) uses its servers, databases, network and compute resources to host the application and related data. The application can be accessed from any device connected to the network. SaaS applications are typically accessed through a web browser.
As a result, companies using SaaS applications do not need to set up and maintain software. Users typically pay a subscription fee to access the software. Organizations can use application programming interfaces (APIs) to integrate SaaS applications with other software.
What is Zero Trust?
Traditional network protection is dependent on a secure perimeter, where an organization trusts everything within the perimeter and distrusts anything outside the perimeter. A zero trust network assesses all resources and actions in real-time to minimize the risk of accidental access to business resources and sensitive data.
Zero trust security is an approach in which microservices or application components are isolated and no microservice or component trusts any other. With this approach, organizations design their security posture to treat input from all sources as potentially malicious.
It ranges from not trusting the underlying network fabric to authenticating input and output at each microservice. It also supports a defense-in-depth approach that limits the damage when a microservice, an individual component, or an identity is compromised.
How Does Zero Trust Help Secure the Cloud?
Given that today, applications, networks, and data are hosted and stored via the cloud, securing it is a must. A zero trust security approach offers a way to address modern IT infrastructure needs.
The zero trust security model verifies and authenticates every user via a combination of authentication types (multi-factor authentication). The approach facilitates limiting and monitoring network traffic and protecting credentials via layered and secure authentication. Devices remain locked down, and only the appropriate users can access those devices.
IP allow-listing and geofencing by location can also help manage network access more tightly. Zero trust security in a cloud-based architecture is more flexible and cost-effective. Organizations of all sizes can adopt a zero trust approach to secure the cloud without maintaining on-premises hardware.
SSPM and Zero Trust
SaaS Security Posture Management (SSPM) is a new security category that can automatically evaluate the security posture of a SaaS application, identify gaps, and help administrators apply secure configurations. The main goal of SSPM is to prevent data leakage and unauthorized access to SaaS applications.
SaaS applications can have complex configurations, and default settings are often not secure. An organization cannot rely on its users to always remember to apply secure configurations. Even if it is possible to apply configurations centrally, administrators find it difficult to learn the user interface of each SaaS application and constantly review configurations. This can be especially complex in a large enterprise with hundreds of SaaS applications.
SSPM tools perform continuous monitoring and provide visibility into insecure configurations across all SaaS applications used by an organization. In addition, they can provide recommendations for improving security and, in some cases, can automatically remediate insecure configurations.
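To make the SSPM workflow concrete, here is an added example (not code from the article or from any SSPM product) that checks exported SaaS tenant settings against a secure baseline, reports each gap with a remediation hint, and counts which gaps could be fixed centrally. The setting names, severities and tenant exports are constructed for the example and do not correspond to a specific vendor.

```python
from dataclasses import dataclass
from typing import Any, Callable

@dataclass(frozen=True)
class Rule:
    setting: str
    expected: Callable[[Any], bool]  # predicate the current value must satisfy
    severity: str
    remediation: str
    auto_fix: bool                   # True if an admin API can apply the fix centrally

# Secure baseline (constructed). Each rule targets a default that is often left insecure.
BASELINE = [
    Rule("mfa_required", lambda v: v is True, "high",
         "Enforce MFA for all users", True),
    Rule("external_sharing", lambda v: v == "disabled", "high",
         "Disable sharing of files and links with external domains", True),
    Rule("session_timeout_minutes", lambda v: isinstance(v, int) and v <= 480, "medium",
         "Cap idle session lifetime at 8 hours", True),
    Rule("api_tokens_expire", lambda v: v is True, "medium",
         "Require expiry on personal API tokens (users must rotate)", False),
]

def evaluate_tenant(name: str, settings: dict) -> list[dict]:
    """Return one finding per failed rule; a setting the export lacks counts as failed."""
    findings = []
    for rule in BASELINE:
        value = settings.get(rule.setting)  # None when the vendor never exposes it
        if not rule.expected(value):
            findings.append({"tenant": name, "setting": rule.setting, "current": value,
                             "severity": rule.severity, "remediation": rule.remediation,
                             "auto_fix": rule.auto_fix})
    return findings

# Constructed sample exports for two tenants, shaped like a SaaS admin API response.
TENANTS = {
    "crm":  {"mfa_required": True, "external_sharing": "disabled",
             "session_timeout_minutes": 120, "api_tokens_expire": True},
    "wiki": {"mfa_required": False, "external_sharing": "anyone_with_link",
             "session_timeout_minutes": 43200},  # api_tokens_expire not exported
}

def posture_report(tenants: dict) -> dict:
    """Aggregate findings across tenants and count high-severity and auto-fixable gaps."""
    findings = [f for n, s in tenants.items() for f in evaluate_tenant(n, s)]
    return {"findings": findings,
            "high": sum(f["severity"] == "high" for f in findings),
            "auto_fixable": sum(f["auto_fix"] for f in findings)}
```

Running `posture_report(TENANTS)` flags only the wiki tenant: four gaps, two of them high severity, three of which could be remediated without user involvement.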
How does SSPM promote zero trust?
SSPM solutions are important for zero trust because they can enforce the least privilege principle. It is very common for applications to grant excessive privileges, allowing users access to data or operations they do not need for their day-to-day role.
This is an important dimension of access control: after a user is authenticated, what scope of applications and data should they be allowed to access at any given time? Effective zero trust access requires this level of granularity.
How Zero Trust Access Control Improves SaaS Security
In a zero trust world, access policies are typically defined by asking who is the user trying to access a system (authentication), and what access and privileges they should receive (authorization).
A practical way to set up this identity-centric security measure is to use single sign-on (SSO). SSO in this context describes how to maintain identity across multiple systems. For example, a user can have one user account and use it to access all systems belonging to an organization, both on-premises and in the cloud, with a consistent authorization policy.
Using SSO to enforce zero trust
Most SaaS providers now support SSO integration, allowing organizations to centralize identity management instead of creating a separate store of identity information. When choosing a SaaS product, make sure it supports SSO in a way that makes sense for your identity management system. Some SaaS vendors charge for SSO integration or require expensive bundle upgrades to enable certain features.
For an identity management system to work, it must address the dynamic nature of the enterprise. People come and go, and employee access requirements change as roles change. One way to solve this problem is to connect your identity management system to an HR system that serves as a trusted source of employee roles and responsibilities. When the two systems are connected, HR system personnel changes are automatically propagated to the SSO provider and authorization decisions are automatically applied to the integrated SaaS application.
Granting access based on security context
Another important element of a zero trust architecture is the decision to grant access based on the state of a connected endpoint. The security team must consider not only the identity, but also the broader security context, such as the health of the device.
In a zero trust environment, each connection request is evaluated. Access control mechanisms look at the type of data an individual accesses or the type of action they want to take, and compare it to the security policy. Depending on the context, such as the user’s device, current location, time of day, and authorization policies, the connection might be denied or accepted.
One way to achieve this is to integrate your SSO provider with your endpoint management system or secure proxy. When a user attempts to log into the application, the provider authenticates the user and checks the privileges granted to them. It then checks with the endpoint agent that the device's health is acceptable before granting access.
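The access decision described in this section and the least-privilege point made under SSPM can be seen together in one added example (not the article's code and not any vendor's policy engine): a toy policy decision point that evaluates a single SaaS connection request using identity and role from an HR-fed SSO directory, device health from an endpoint agent, location, time of day, and per-role scopes, defaulting to deny. All users, devices, roles, countries and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Identity and role as the HR-fed SSO directory would present them (constructed);
# a deprovisioned employee simply no longer appears here.
DIRECTORY = {"alice": {"role": "finance", "mfa": True},
             "bob": {"role": "contractor", "mfa": False}}

# Least-privilege scopes per role and per SaaS app (constructed).
ROLE_SCOPES = {"finance": {"billing-app": {"invoices:read", "invoices:write"}},
               "contractor": {"billing-app": {"invoices:read"}}}

# Device posture as reported by the endpoint agent (constructed).
DEVICES = {"lt-01": {"managed": True, "disk_encrypted": True, "patch_age_days": 3},
           "byod-7": {"managed": False, "disk_encrypted": False, "patch_age_days": 90}}

ALLOWED_COUNTRIES = {"US", "DE"}   # geofence (constructed policy)
BUSINESS_HOURS = range(8, 18)      # writes allowed 08:00-17:59 only

@dataclass
class Request:
    user: str
    device: str
    app: str
    scope: str
    country: str
    at: datetime

def device_healthy(d: dict) -> bool:
    """Posture threshold: managed, encrypted, and patched within 30 days."""
    return d["managed"] and d["disk_encrypted"] and d["patch_age_days"] <= 30

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Default deny: every check must pass in order."""
    user = DIRECTORY.get(req.user)
    if user is None:
        return False, "unknown or deprovisioned identity"
    if not user["mfa"]:
        return False, "MFA not completed"
    device = DEVICES.get(req.device)
    if device is None or not device_healthy(device):
        return False, "device posture unacceptable"
    if req.country not in ALLOWED_COUNTRIES:
        return False, f"location {req.country} outside policy"
    if req.scope.endswith(":write") and req.at.hour not in BUSINESS_HOURS:
        return False, "write access outside business hours"
    if req.scope not in ROLE_SCOPES.get(user["role"], {}).get(req.app, set()):
        return False, f"scope {req.scope} not granted to role {user['role']}"
    return True, "all checks passed"
```

The reason string is what a detection pipeline would log; a burst of "device posture unacceptable" denials for one user is a signal worth alerting on.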
In this article, I explained the basics of zero trust and how it can help promote SaaS security:
- Zero trust can improve cloud security by providing a common platform for access and authorization of remote users.
- SaaS Security Posture Management (SSPM) systems can help ensure granular access control within applications, ensuring users are not assigned excessive privileges.
- Zero trust access control, in particular SSO integration, can ensure that the same authentication and authorization policies are enforced across the hybrid environment.
I hope this will be useful as you evaluate the use of zero trust in your cloud applications.
About the Author
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.