The Edge

What Do I Need to Know for SaaS Security?

Most importantly, someone needs to step forward and take it on as their job.

Question: What do I need to know about the future of software-as-a-service (SaaS) security?

Brendan O’Connor, CEO and Co-Founder, AppOmni: First, you need a translator. Every major SaaS platform implements security differently, and there is very little consistency across various applications. Teams will need to rely on automated solutions that stay current with the updates and nuances of each SaaS application, that can alert and educate in-house security practitioners about potential issues and suggest ways to solve them. It's difficult for security teams to identify risk and offer meaningful guidance to the business when they don't speak the language of each individual SaaS platform.

Second, security will continue to be a multistakeholder model. Security, business, IT, and privacy/risk teams all have a stake in cloud security. Security teams must embrace automation to ensure consistent visibility. More importantly, automation can help IT and business delivery teams shift left into finding and fixing security issues as part of development and configuration — not after security vulnerabilities have already made their way to production.

Third, SaaS security needs to be somebody's job. SaaS applications are frequently purchased and managed by individual business units, often without security teams being involved. Today, SaaS security doesn't have a clearly defined owner in most organizations — it could be IT or security. If a SaaS application houses sensitive and/or business-critical data, AppSec teams need to step up to secure that application and the related data access.