Here's How CISOs Secure Data in SaaS Apps

What a SaaS User Wants, What a CISO Needs


    SaaS applications like Zendesk, Salesforce, Workday, Slack, and more have been at the forefront of digital transformation. Organizations collect, store, and analyze sensitive business and customer data within these platforms, so adopting them requires a certain level of trust—trust in the application to protect your data, secure its own network, and safeguard its perimeter, all on your behalf. 

    It goes without saying that trust in SaaS tools is dwindling because of heightened cyber threats and increasing regulations. Even vulnerabilities found in platform-native security tools like Microsoft 365 OME, while they have not yet been breached, are giving pause to organizations large and small that have a lot to lose in the event of an attack. 

    That’s where we find our issue: We need these applications to efficiently do business, but at what cost? 

    Is the Data Secure in SaaS Apps?

    The expert consensus is: It depends. It depends on the app and its ability to withstand, resist, and mitigate vulnerabilities.

    Data collected, exchanged, and traveling through SaaS applications has become an even bigger target for cyber threats. Data leakage, access controls, and APIs are major points of vulnerability for businesses that use SaaS applications—particularly “connected” SaaS apps. 

    The cloud environment presents a challenge for SaaS applications with integrations or embedded third-party applications. The absence of a traditional firewall makes it much harder for infosec teams to detect threats.

    But, we can’t just opt out of SaaS apps. Teams need them to get the job done, and it’s no surprise that cloud-based software continues to dominate.  

    According to Gartner, “SaaS remains the largest public cloud services market segment, forecasted to reach $176.6 billion in end-user spending in 2022. Gartner expects steady velocity within this segment as enterprises take multiple routes to market with SaaS.”

    So, cloud-based SaaS apps will continue to be part of the fabric of the modern workplace. What can be done about the data inside them?

    What Do SaaS Users Want?

    With the risk of losing sensitive data, tarnishing a brand, hemorrhaging money, prosecution, and even jail time looming over their heads, business and security leaders are understandably on edge, and CISOs might be especially risk averse. 

    Finding a solution to the data conundrum requires applying protection that maintains the integrity of the software and the workflows inside it. Migrating off of applications like Salesforce or operating systems like Microsoft just isn’t an option for many companies, especially at the enterprise level. 

    For SaaS users, the next best thing is finding a way to protect the data itself as it lives and moves inside and outside the application. If there were one tool that could do that for SaaS apps, it would be a big win for everyone.  

    How to Manage Unstructured Data in SaaS Applications

    Many infosec professionals would agree that SaaS sprawl has created a major challenge for businesses worldwide. According to Gary Brickhouse, CSO at GuidePoint Security, “With nothing more than a credit card, a department can implement a new application, add sensitive company data or use weak authentication—all of which bypass the established controls in your environment.”

    Rapid adoption, integration, and connectivity of SaaS applications continue to poke holes into the security of apps needed to run a business. And it’s extremely difficult for CISOs to keep track of what unstructured data is going where. The modern SaaS administrator is in search of data protection that gives them complete oversight of where the data is and who has access to it.

    Take Complete Control Over Data Inside and Outside of the Organization

    It’s one thing to be aware of where your data is and who has eyes on it, but it’s another thing to have complete control over those factors over the entire lifecycle of data. The latter is far more powerful.

    SaaS admins and users want the reassurance that, when data enters and exits SaaS applications, it’s not completely up to that application to maintain the data's security. Essentially, if admins can have greater control, visibility, and autonomy over their own organization's data, they want it. 

    In customer service or IT applications like Zendesk, for example, it’s vital for employees to be able to exchange sensitive data, like account details, with customers. But once files leave the organization's network, they’re gone forever, with no ability to retrieve them. And once sensitive information enters the Zendesk system, it's subject to the security parameters that Zendesk has put in place. 

    What if SaaS app admins could leverage a third-party tool that natively integrates into apps like Zendesk to protect data as it leaves and enters the application? It would be a game-changer. With the ability to revoke access to data at any time, organizations can greatly reduce the risk of data leakage or breach. 

    Protect Multiple Apps with Interoperable Security

    Data shouldn’t be locked down, because the more it's shared with the right people, the more it grows in value: More knowledge is gained. More deliberate and informed business decisions can be made. 

    That presents a direct dilemma for organizations that want to securely operate a business in the year 2022. In order to reduce risk, organizations may hesitate to introduce new applications. 

    But when your security is focused on the data object itself, it opens up a world of possibilities when it comes to app usage, particularly in the use of custom or niche applications. SaaS admins and users want the ultimate control of their data and the flexibility to allow it to live and travel through necessary software. 

    When you think about securing the data within the vast number of apps that make up an organization's tech stack, things can get incredibly complicated, very quickly. It's important to consider a solution that can simplify data protection across multiple apps. 

    Add a Layer of Third-Party Encryption

    Data encryption is increasingly becoming a regulatory requirement around the world, but businesses also benefit from this security tactic, especially when it is done at the data object level. Instead of putting all focus on encrypting the network, endpoints, apps, or devices first, encrypting the data itself is one thing that businesses can control. And when they do, they can comfortably use SaaS applications where a breach wouldn’t be in their control. 

    By using data-focused encryption at the object level, administered by a third party, businesses can trust that if a breach to their SaaS application were to occur, the most vital asset–the data–is protected by encryption and that they have sole ownership over the keys. 

    Manage Your Own Encryption Keys

    In a study conducted by McKinsey & Company in 2019, enterprise SaaS users expressed that they don’t trust SaaS companies to host and manage security keys. Their preference is to maintain ownership of the keys either on-prem or in the cloud. 

    The study further elaborates that “Companies want a degree of sophistication in key management so that they can grant access to data for a certain period of time or revoke access quickly. This preference again emphasizes that most respondents want to exercise full control over their sensitive information.”

    Deploy Security Without File Sharing Limits 

    For companies with a need to receive and share files securely within a SaaS application, whether it’s for HR purposes in Workday, or chat in Slack, size of data shouldn’t stop the ability to share it securely. From a customer-facing perspective, businesses that have a customer service unit should have the ability to securely receive files within their SaaS applications. File limits are yet another reason why insecure workarounds or unsafe app integrations are so prevalent among SaaS users. They want security, but not if it creates roadblocks to getting the job done (like imposing file limits). 

    SaaS Security That Doesn’t Disrupt Workflows

    When CISOs attempt to lock down the environment within an application, it can severely limit the full scope of features within that app or complicate the workflow for those handling data. A CISO can check all the right boxes for securing an application, but if it’s not easy to use, daily users will find workarounds, the pace of work will slow dramatically, or the business purpose of the application will not be fully realized. 

    One of the most important wishes of a SaaS user is to have a data security tool that’s easy to use within SaaS applications. One that takes minimal effort, or perhaps isn’t even detectable in a daily routine. 

    It’s Time to Adopt a Data-Centric Approach to SaaS Security 

    There is a tool that checks all of the boxes on a SaaS user’s wishlist—and it’s Virtru. See how it can be done by booking a demo with us today.

    Shelby Imes

    Shelby is the Manager of Content Strategy at Virtru with a specialty in SEO, social media, and digital campaigns. She has produced content for major players in healthcare, home services, broadcast media, and now data security.
