What HR needs to know about SaaS security
Compliance and Security
How much do you know about SaaS security? How secure is your business on the cloud? Every employee SaaS account is a potential point for a cyber-attack, and data loss. Your businesses’s data might not be as secure as you think.
The average small-to-midsized company uses about 100 SaaS apps (your company might be using more or less). This means your company’s data is scattered across 100 different servers on the cloud. How safe is your business data on these platforms, who can access your data, how easy is it for hackers to break in?
There is also shadow IT; every team or team member in your company buying the SaaS products that they need and integrating them into their workflow without company approval. This unofficial and unauthorized access to your data is one way that many security problems begin.
The convenience of using SaaS over on-site software and resources can sometimes make companies overlook how exposed cloud solutions make them.
Who is in charge of SaaS security control in your company?
Typically, SaaS Security is overseen by an IT department, but HR has a lot to do with SaaS security. By 2022, Gartner projects that as much as 95% of cloud security failures will be the customer’s fault.
9 out of 10 data attacks that you may encounter will not be the problem of the SaaS vendor, but that of your employees. Because the end-user is often the security fail-point, it falls to HR to be aware of and work against potential data loss.
What does this mean for HR and the entire organization?
More SaaS accounts/seats means more security issues to worry about.
Proactive measures have to be put in place to avoid security breaches and minimize SaaS security risks.
HR is responsible for onboarding new employees, providing them with the accounts for the SaaS applications that they need and giving them access to the company data they’ll be working with.
Every employee is an extra-hand to your workforce, it is also a new loophole through which attacks can be made on your company if appropriate SaaS security controls are not taken. As the first team a new employee works with, and the team responsible most generally for employee matters, it is incumbent on HR to provide the basics of SaaS security.
SaaS security is one of the major hindrances to the full adoption of the software as a service model.
Why do SaaS products carry risk?
Nowadays, there is a SaaS product for virtually anything you want to get done. This means thousands of SaaS products floating on the cloud with sensitive business data.
SaaS apps bring a lot of flexibility and agility to how you do work as well as a lot of security challenges. These are some of the reasons SaaS products are risky.
In the days of on-site computing, your company would have a dedicated server on the premises where all your company data is stored. This server could only be accessed by employees of the company physically, or through a dedicated/private network. Dedicated servers are fading away in our cloud-y days.
With virtualization, single servers hold the data of multiple clients and run multiple virtual machines. This approach is cost-effective but the security downside is significant. For example, if a hacker attacks a server through one of the machines or platforms running on it, it puts all the other platforms, virtual machines, and data running on the server at risk.
Your employees can access your data and the SaaS applications they work with from anywhere, at any time and from any device. This is certainly a plus from a productivity point of view, but from an IT and security standpoint, it poses a serious security risk to your company. For starters, it’s virtually impossible to prevent employees from accessing apps and data from a public network, creating multiple access points for malicious activity. Additionally, the distributed nature of this access means getting to the bottom of discovered issues is an exponentially greater search than it once was. That makes preventative security training from HR more important than ever before.
Lack of data control
You do not have control over your business data, your SaaS vendors do. You’ll want to have (and be familiar with) a data-processing agreement with each of your vendors. There is no single structure to follow for every DPA, but GDPR regulations prescribe a general template that can be found here.
What are the consequences of an insecure SaaS environment?
Exposure to cyberattacks, loss of business and customers’ data. Your business’s most valuable asset is your data and your reputation, both of which are in danger from a cybersecurity breach.
What can HR do to improve SaaS security control?
Your user could be the weak link in your security chain. Most SaaS users have a rudimentary understanding of SaaS use and security best practices. While software security was once the responsibility of an IT department, software is now far too distributed for one department to handle. That’s why we recommend collaborative IT: IT working in tandem with HR, finance, operations, and team leaders to ensure a secure SaaS environment.
These are some of the steps HR can take to improve SaaS Security.
Educate employees on SaaS use and security best practices
HR can educate their employees on SaaS use and security best practices, as well as the use cases and the possible downsides of SaaS. Team leaders working together with IT and HR should organize training sessions to educate the entire workforce on SaaS security best practices.
HR can collaborate with IT to develop a SaaS security architecture and governance policy
The goal of developing this policy is to ensure only authorized users access data on the cloud via role-based access framework that ensure employees only access datasets that they’re authorized to. Data loss prevention, logging, and tracking of employee activities on the cloud to ensure sensitive information is not stored or shared insecurely. HR can work with IT to create a complete outline (and a SaaS security checklist) of all the security measures that will be taken on the access, identity, operational and machine levels of using various SaaS products in the company.
Carry out an extensive SaaS security audit on SaaS vendors before purchase
Auditing the next SaaS product you want to onboard for your company is very important to certify how secure they are and the security standards that are put in place. A usable audit might include checks on the vendor’s SaaS security certifications, compliance with data security and privacy regulations, data encryption policies, data segregation policies, data loss policies, etc.
Dig deep on the SLA of every SaaS vendor you want to go with
Before onboarding, any SaaS product, a proper study of the service level agreement should be done to ensure your company’s SaaS security requirements are met by the SaaS vendor, and all needed data loss and portability provisions are made.
Implement a clear-cut employee onboarding and offboarding process
Incoming employees should be provided with all the tools they need and given access to only the data their job description requires. Accounts owned by offboarded employees should be properly revoked and deleted from your SaaS stack to prevent unauthorized access to company data.
Get full visibility into your company SaaS usage
Shadow IT is still a major issue in companies and a major player in poor SaaS security control. HR should have complete visibility of all the SaaS tools used in the company. A clear-cut SaaS purchase and onboarding process should be enforced across all teams. Only licensed and approved SaaS products should be purchased, but this is often impossible in practice. A best bet is staying aware of all the SaaS products in your ecosystem, even the ones that are not expressly approved.
SaaS security standards to know
There are a number of security standards that guide the tech world: GDPR, ISO 27001, SOC 2, the upcoming CCPA regulations. Each of these is worth getting familiar with and learning what standards your SaaS vendors adhere to. Adherence varies widely by business size and vertical.