The Future of Software is SaaS…So Build Your Security Foundation Now

January 28, 2021
by Paul Roberts

In August 2011, Marc Andreessen published a Wall Street Journal editorial that has proved prophetic: Software is eating the world. His point was that all the underlying technology was in place for software to transform, well, almost everything. From photography and entertainment, to finance and film special effects — our world and our experiences are increasingly powered by software.

Enterprise IT and business processes are no exception. For businesses in every vertical, this software-based transformation has resulted in both widespread use of software-as-a-service (SaaS) and in-house SaaS application development. Increasingly, development teams build SaaS for internal or external use, while business teams like sales and marketing adopt third-party SaaS for productivity gains and business agility.

According to an IDG survey from the summer of 2020, IT professionals claim that 24% of all applications in use are already SaaS, with 9% of IT professionals describing their IT environment as “all cloud” and 29% as “mostly cloud”. Respondents believed that by the end of 2021, 36% of all applications in use would be SaaS, with 16% of respondents expecting to have an “all cloud” IT environment and 43% a “mostly cloud” environment.

Zilla is a good example of the future of business software. We use about 25 SaaS applications and develop our own commercial SaaS offering within the AWS cloud. Like most young technology companies, we never even considered using on-premises applications. But the appeal of SaaS isn’t limited to newer, smaller companies — the largest companies in the world are also moving to SaaS, because the model makes it simple, fast and inexpensive to transform business operations with software.

Cloud applications sprawl, security and compliance

As the survey above demonstrates, SaaS is just getting started. We’re only in the first or second inning of SaaS adoption. As business teams grow their usage, integrated SaaS “stacks” are emerging for various business functions, such as a marketing stack or a finance stack. Most SaaS vendors provide APIs to enable intra-stack and cross-stack information sharing through integrations with other applications. The customer relationship management (CRM) system needs to share customer information with the marketing platform to enable automated marketing, and both email and calendar systems need to integrate with video communications platforms to make scheduling and notification simple. 

And while SaaS is definitely a boon to businesses, the growing sprawl of applications raises important questions about security and compliance risk. Most SaaS applications used by an organization are managed by business teams instead of IT, and business managers usually don’t recognize the size and scope of these risks. Ultimately, it is the CISOs and their security teams who must ensure that sensitive data is secure, and find the right balance between security and business agility.

Keeping this balance in mind, as a first step to securing SaaS, many organizations adopt a single sign-on (SSO) solution to give employees access to multiple applications with a common set of credentials. Most SSO solutions also support multi-factor authentication (MFA), a strong defense against authentication-related attacks.

Moving up to the next level of security requires a strong focus on the security posture of each application. At this level, in-depth visibility into how applications are implemented reduces the exposure to security and compliance gaps. Ensuring that APIs aren’t leaking data, that rogue integrations haven’t been on-boarded, that users have only the least-privilege permissions they need to do their jobs, and that the myriad other configuration attributes are properly set is the IT security equivalent of closing all windows and locking all doors … but at a much, much larger scale.

In fact, the scale is so large, and the integrations and interactions between SaaS applications are so complex, that it would be impossible to manually verify that everything is properly configured. Organizations need an intelligent, automated solution to cover this foundational level of compliance and security.
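As an added illustration of the kind of automated posture check the last two paragraphs call for (example code written for this page, not Zilla’s product or any vendor’s API), the script below evaluates a constructed SaaS tenant export for the conditions named above: admins not covered by MFA, accounts outside SSO, stale accounts, unapproved integrations, and integrations holding more write scopes than they were approved for. The export shape, field names, allowlist and report date are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export (assumed shape; real SaaS admin APIs differ per vendor).
TENANT = {
    "users": [
        {"email": "alice@example.com", "role": "admin", "mfa": True, "sso": True,
         "last_login": "2021-01-25T10:00:00Z"},
        {"email": "bob@example.com", "role": "admin", "mfa": False, "sso": False,
         "last_login": "2021-01-20T09:00:00Z"},
        {"email": "carol@example.com", "role": "member", "mfa": True, "sso": True,
         "last_login": "2020-09-01T08:00:00Z"},
    ],
    "integrations": [
        {"name": "crm-sync", "approved": True, "scopes": ["contacts:read"]},
        {"name": "unknown-bot", "approved": False, "scopes": ["contacts:read", "contacts:write"]},
    ],
}
WRITE_SCOPE_ALLOWLIST = {"calendar:write"}  # assumed: write scopes approved for integrations
REPORT_DATE = datetime(2021, 1, 28, tzinfo=timezone.utc)  # constructed evaluation date

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def admins_without_mfa(tenant):
    # Privileged accounts that the MFA control does not actually cover.
    return [u["email"] for u in tenant["users"] if u["role"] == "admin" and not u["mfa"]]

def users_outside_sso(tenant):
    # Local-password accounts bypass SSO and whatever policy it enforces.
    return [u["email"] for u in tenant["users"] if not u["sso"]]

def stale_users(tenant, now, max_idle_days=90):
    # Accounts idle past the threshold are candidates for deprovisioning.
    cutoff = now - timedelta(days=max_idle_days)
    return [u["email"] for u in tenant["users"] if _parse(u["last_login"]) < cutoff]

def unapproved_integrations(tenant):
    return [i["name"] for i in tenant["integrations"] if not i["approved"]]

def overscoped_integrations(tenant):
    # Any write scope outside the allowlist exceeds least privilege.
    return [i["name"] for i in tenant["integrations"]
            if any(s.endswith(":write") and s not in WRITE_SCOPE_ALLOWLIST for s in i["scopes"])]

def run_checks(tenant, now):
    return {"admins_without_mfa": admins_without_mfa(tenant),
            "users_outside_sso": users_outside_sso(tenant),
            "stale_users": stale_users(tenant, now),
            "unapproved_integrations": unapproved_integrations(tenant),
            "overscoped_integrations": overscoped_integrations(tenant)}
```

Running `run_checks(TENANT, REPORT_DATE)` on the sample export flags bob for both MFA and SSO, carol as stale, and unknown-bot as both unapproved and over-scoped; an empty list for a check means that control holds for every record.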

There’s much more to SaaS security than this, but these two steps — enabling SSO/MFA and deploying an automated solution to validate application implementations and ensure that all apps are properly configured — provide the foundation for scaling SaaS usage. We’ll have much more to say here about SaaS security in the coming weeks.