A CISO's guide: Where does SaaS identity governance fit into the cloud security paradigm?

I. Introduction

As discussed in my previous blog post, cloud security consists of a growing set of processes and practices supported by many new capabilities, one of which is CIEM. CIEM platforms focus on reducing risk and implementing cloud access controls for hybrid and multi-cloud IaaS environments. This raises the question: "Where does SaaS identity governance fit into the cloud security paradigm?"

II. Problem Definition

SaaS adoption and usage have been growing rapidly, as evidenced by the following set of statistics. Given this information, it is clear that both SaaS and public cloud (IaaS and PaaS) are critical components of corporate environments now and in the future. SaaS applications like ADP (Payroll), Workday (HRIS), Salesforce (CRM), Netsuite (Financials), etc. are prevalent in mid to large enterprises, and without them companies would lose their ability to execute critical business processes at scale. Enterprises often have thousands of users and hundreds of SaaS apps, so ensuring each entry point is understood and governed appropriately, given the complexities of roles, groups, accounts, users, and associated permissions, is challenging. Further, security teams must monitor all of the above to ensure user access meets their organization's security guidelines. As identities become the new perimeter in our cloud-first world, ensuring that the IT and security teams manage and secure this domain comprehensively is vital to a company's overall cloud security maturity.

III. The next frontier: SaaS identity governance

a. SaaS Inventory Management

Inventory management is a foundational building block for ensuring the completeness of your identity and access governance practices. A centralized approach to SaaS inventory management allows IT admins to monitor users, applications, databases, and data traffic flows across their portfolio of applications. In addition, organizations require capabilities that centralize control, present comprehensive information, and monitor users' identities and related behavior. While a 360-degree view of identity security at scale is challenging to implement and maintain, a centralized system provides the foundational elements of resource, access, and user behavior visibility.

b. SaaS RBAC (or ABAC or PBAC)

Role-based, attribute-based, or policy-based access control restricts an employee's access based on either their role or a set of attributes/policies defined within the business constructs. It therefore only allows users to access what they require to perform their job duties, typically predicated on their job title and place in the organizational hierarchy. For example, an HR analyst should not have any access to the SaaS finance application's chart of accounts. Access controls also facilitate downstream business processes. For example, if a special project demands the assignment of temporary permissions, IT admins should make sure that those privileges expire within a set time limit. Further, an example policy statement could require that any use of administrator privilege must be protected by multi-factor authentication (MFA). This is especially challenging in a SaaS-heavy environment where each application has its own interpretation of access control policy implementation (permission sets vs. groups vs. profiles, anyone?).

c. Least Privileged Access

The principle of least privilege is an important access management practice that limits users' privileges in the IT environment by providing only the access necessary to perform their job duties. One of the benefits of applying the principle of least privilege is the reduced probability and impact of a malicious entity gaining a foothold in the organization. For example, if a system is infected by malware in an organization that implements the principle of least privilege, the infected machine should theoretically be unable to use its permissions to spread to other machines. This means that the opportunity for viruses, worms, or rootkits to execute at scale is reduced, because neither system nor user accounts have the admin rights that would enable their installation, thereby limiting the exposure to sensitive data loss from your SaaS applications.

d. Automate Onboarding and Offboarding

Aspects of employee onboarding and offboarding come under the identity governance umbrella. When onboarding a new contractor, vendor partner, or employee, IT teams need to grant the privileges and permissions appropriate to that individual's role. For large organizations this can be a time-consuming and tedious process, because of the number of employees and the (often quite nebulous) set of SaaS resources that need to be provisioned, which leads to a high margin of error. By automating these activities, IT departments can save time and money while reducing the opportunity for incorrect or excessive permissions to be granted. In addition, automation increases productivity by ensuring new employees have the access they need from day one. It also reduces risk by quickly and comprehensively deprovisioning employees' access across your SaaS environments when they leave the company or move to another department.

e. Orphaned Account Detection

There is constant change occurring in every organization, particularly regarding the workforce. When an employee moves to a different department or leaves the organization, that individual's account access needs to be adjusted or removed. Failure to deprovision or remove these accounts leads to the accumulation of orphaned accounts across environments. Such accounts can be compromised when attackers steal credentials and take on the identities of prior users, resulting in breaches that can go undetected for long periods. This issue is further exacerbated by the manual and often painful effort required to identify the ownership, behavior, and exposure of orphaned accounts across hundreds of SaaS applications.
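One way to make the checks from sections b and e concrete is to reconcile each SaaS application's user export against the HR system of record. The following is an added example, not code from the original article or from any vendor: the HRIS roster, application exports, field names and policy thresholds are all constructed for illustration.

```python
"""Reconcile constructed SaaS user exports against a constructed HRIS roster
to surface orphaned accounts, expired temporary grants and admins without MFA."""
from datetime import date

# Constructed HRIS roster (system of record): email -> (status, department)
HRIS = {
    "alice@example.com": ("active", "finance"),
    "bob@example.com": ("terminated", "sales"),
    "carol@example.com": ("active", "hr"),
}

# Constructed per-application exports. Each account carries an owner email,
# a role, an MFA flag and an optional expiry date for a temporary grant.
SAAS_EXPORTS = {
    "payroll": [
        {"user": "alice@example.com", "role": "admin", "mfa": True, "expires": None},
        {"user": "bob@example.com", "role": "user", "mfa": False, "expires": None},
        {"user": "carol@example.com", "role": "admin", "mfa": False,
         "expires": date(2024, 1, 31)},
    ],
    "crm": [
        {"user": "dave@example.com", "role": "user", "mfa": True, "expires": None},
    ],
}


def reconcile(hris, exports, today):
    """Return governance findings as (app, user, issue) tuples."""
    findings = []
    for app, accounts in exports.items():
        for acct in accounts:
            user = acct["user"]
            record = hris.get(user)
            # Orphaned: no owner in the system of record, or owner no longer active.
            if record is None:
                findings.append((app, user, "orphaned: no HRIS record"))
            elif record[0] != "active":
                findings.append((app, user, f"orphaned: owner {record[0]}"))
            # Temporary grant that should already have been revoked.
            if acct["expires"] is not None and acct["expires"] < today:
                findings.append((app, user, "temporary grant expired"))
            # Policy from section b: administrator privilege requires MFA.
            if acct["role"] == "admin" and not acct["mfa"]:
                findings.append((app, user, "admin without MFA"))
    return findings


def run_example():
    """Reconcile the constructed data as of a fixed review date, 2024-03-01."""
    return reconcile(HRIS, SAAS_EXPORTS, date(2024, 3, 1))
```

In practice the roster and exports would come from the HRIS API and each application's user export (SCIM, CSV or admin API), with the same reconciliation logic applied on a schedule.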

IV. What does the future hold?

The SaaS IGA space is an emerging focus area, given that much of the industry's attention has historically been paid to public cloud identity governance. Legacy IGA vendors that built tools for on-prem environments are innovating to incorporate SaaS IGA capabilities, while new startups are working to close this gap from their own distinct vantage points (access request management, segregation of duties implementation, etc.). For its part, Gartner recently described a new identity discipline, Identity Threat Detection and Response (ITDR), that incorporates mechanisms to investigate suspicious access activity and respond to attacks on the integrity of the identity infrastructure. ITDR includes SaaS IAM governance methodologies and best practices that partially overlap with SaaS Security Posture Management (SSPM) solutions. This new discipline breaks the problem down into the following solution sets:

  • Identifying who is accessing what and when via what groups, policies, and roles
  • Continuous and automated discovery and risk analysis of permissions
  • Forensics related to user actions with a focus on privileged users
  • Role right-sizing with real-time revoking of unnecessary or unwanted access

V. Conclusion

Whether you are a CISO, IT leader, or on the GRC team, SaaS identity and access governance should be an essential part of your forward-looking strategy. The benefits include increased IT operational efficiency, reduced security risk exposure, and a streamlined employee onboarding/offboarding experience. It will be interesting to see how the various cloud security capabilities like CIEM, ITDR, and PAM converge as security requirements evolve and corporate environments mature. Exciting times indeed!

Anastasya Drendel

Chief Operating Officer (COO)

1 year

Hi Sameer, It's very interesting! I will be happy to connect.

Madalene Greco

Demand Generation Manager

1 year

Awesome! Thanks for sharing, Sameer! :)
