I’m the co-founder and CTO of Atmosec, which is now under the Check Point umbrella. I’m driven by helping companies confidently secure the adoption, usage and management of any business application across their organization.
In this interview, gain valuable insights from SaaS security expert Misha Seltzer as he explores the dynamic landscape of today’s SaaS ecosystem. Uncover best practices, cutting-edge vendor innovations and clever solutions that can help you overcome challenges and empower your business to confidently pursue new opportunities in 2024. Don’t miss this!
What are you currently seeing in terms of how the SaaS ecosystem is evolving? Are there any new risks that you’d like to speak to?
a. The main shift that we’re seeing is the move from using a small number of larger SaaS services to a large number of smaller, more dedicated services (in addition to the large ones). If in the past you’d have expected just a couple of SaaS services per department (GitHub for Dev, Salesforce for Sales, HubSpot for Marketing), you now find tens, if not hundreds, of smaller dedicated services per department, with many overlapping services.
For example, in a single marketing department, and for email marketing alone, you may find HubSpot as the main platform, with ZoomInfo for email targeting, Mailchimp for email sending, Yesware for email tracking, CopyAI for generating email content, and Marketo for automation and coordination between them.
b. We see two main trends in the way companies are dealing with the above change: Some companies embrace the change and are scrambling to do whatever possible to secure it, while others try to disallow any SaaS service that is not on a predefined allow-list. The problem with the second approach is that many of the newer SaaS services are very cheap to use, if not free-to-start, and employees just start using them without asking for permission.
c. The primary new risk with the above is that it’s no longer enough to secure the main SaaS services that are used in an organization. A more comprehensive security solution is necessary to oversee the plurality of smaller SaaS services that usually have smaller security budgets and worse security practices, but still have access to sensitive organizational data.
d. This new risk is, in a sense, a SaaS supply chain risk, and we already see it being abused by malicious actors, as in the case of the (already not so) recent attack disclosed by GitHub, which targeted Heroku and TravisCI (link)
What are the corresponding implications for security? Can you share insights that could assist C-level security leaders?
a. It’s very clear to most security leaders that SaaS security is something that can’t be ignored anymore. With that said, most practices revolve around securing the main SaaS services of the organization. While this is very important indeed, securing the main entrance while leaving the back door open is not enough. To secure SaaS, companies must secure the whole ecosystem (the whole house) rather than just the main services and user access (the front door).
b. I think that if I had to choose one insight to suggest to security leaders, it would be to accept the reality that a lot of SaaS services will be used in the organization, and it’s time to find ways to secure the ecosystem as a whole, rather than trying to limit the number of SaaS services used to the number of services that we can secure right now.
With so many SaaS services and apps out there, how can we expect security teams to keep up with all of them?
There is absolutely no way that a security team, no matter how big and well-funded, will be able to get a full grip on the number of SaaS services that can be used in an organization. And even if such coverage can be attained, it will not hold, as services change all the time (new services appear, old ones get tossed). Furthermore, we can’t even expect the experts of SaaS security providers to have this ability. As such, the solution must be a technological one. It just happens that we live in the golden era of Machine Learning and AI, and we can utilize those tools to better understand the different SaaS services that are used and their behaviors.
Where are cyber security companies, like Check Point, innovating when it comes to SaaS risk management?
It seems like many large cyber security companies have wised up to the realities of SaaS usage, and the need to secure it, in that they’ve started adding dedicated SaaS products. Those large companies, as per usual, have two options in front of them: either try to implement yesterday’s solutions, or buy a startup that provides tomorrow’s. As we can see, while Palo Alto and Microsoft have announced their SSPM products, Check Point bought a more comprehensive SaaS security solution that, apart from configuration, also covers many of the other security holes discussed above.
Another innovation that we can see from multiple security providers is the recognition that no security risk (SaaS or otherwise) can be fixed with a siloed solution. To secure one’s SaaS, a company must not only look at the SaaS service itself, but also at the users using that service (UEBA), at the users’ hardware (endpoint protection), at the communication between the user and the SaaS (secure gateway), and many other attack vectors. While we see a good effort from other security providers (like Microsoft and Palo Alto Networks) when it comes to integrating their SaaS solution with their CASB solution, I believe Check Point is taking the effort even further by also integrating its SaaS solution with the secure gateway, email protection, cloud protection, endpoint solutions and more.
Would you like to tell us a bit about the company that you co-founded, Atmosec? What drew you into this initiative?
While working for my previous employer, one of my responsibilities was technical partnerships and integrations with other products. In many cases, we’d go to a customer and tell them that, for technical reasons, we needed admin permissions to access their other systems in order for the integration to work. This indeed raised some questions, including “What are you going to do with those permissions?”, for which we had a very nicely written document listing all the actions that we would take. The customer, in many cases, would review that document and say “Sure, that sounds reasonable,” in response to which I would always wonder, “Wait, that’s it? You’re not going to validate our claims?”, only to realize that in most cases the customers had no way of validating at all.
That got us wondering: in which other cases do SaaS services communicate on behalf of users without the users having any visibility into it? And we’ve uncovered a whole world of SaaS security problems…
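The gap described in this answer (a vendor declares what its integration will do, the customer grants admin-level permissions, and nobody checks) is also the "SaaS supply chain" risk raised in the first answer, where over-privileged third-party tokens reach sensitive data. The following is an added example, written for this page and not code from Atmosec, Check Point or any vendor named above, of the check a customer could run: compare each integration's granted scopes against the minimum its declared actions need, and compare the actions actually observed in an audit log against the declared list. The scope names, the action-to-scope mapping, the integration records and the log lines are all constructed for illustration.

```python
"""
Hypothetical review of third-party SaaS integrations.

Two questions a customer can answer from data they already hold:
  1. Does the integration hold more scopes than its declared actions need?
  2. Has its token performed actions the vendor never declared?
Scope names, actions and sample data below are assumptions, not a real API.
"""
from dataclasses import dataclass

# Assumed minimum scope needed for each action a vendor might declare.
ACTION_SCOPE = {
    "read_repo_metadata": "repo:read",
    "read_issues": "issues:read",
    "create_webhook": "hooks:write",
    "read_members": "org:read",
}


@dataclass
class Integration:
    name: str               # identity the token acts under in the audit log
    granted_scopes: set     # what the admin actually approved
    declared_actions: set   # what the vendor's document says it will do


@dataclass
class Finding:
    integration: str
    kind: str               # "excess_scope" or "undeclared_action"
    detail: str


def required_scopes(declared_actions):
    """Smallest scope set that still covers every declared action."""
    return {ACTION_SCOPE[a] for a in declared_actions if a in ACTION_SCOPE}


def excess_scopes(integration):
    """Granted scopes with no declared action to justify them."""
    needed = required_scopes(integration.declared_actions)
    return sorted(integration.granted_scopes - needed)


def undeclared_actions(integration, events):
    """Actions the token was seen performing that the vendor never declared."""
    seen = {e["action"] for e in events if e["actor"] == integration.name}
    return sorted(seen - integration.declared_actions)


def audit(integrations, events):
    """Run both checks over every integration and return the findings."""
    findings = []
    for integ in integrations:
        for scope in excess_scopes(integ):
            findings.append(Finding(integ.name, "excess_scope", scope))
        for action in undeclared_actions(integ, events):
            findings.append(Finding(integ.name, "undeclared_action", action))
    return findings


# Constructed sample data: fictional integrations and fictional audit events.
INTEGRATIONS = [
    Integration("ci-bot",
                {"repo:read", "hooks:write", "repo:write"},
                {"read_repo_metadata", "create_webhook"}),
    Integration("analytics-sync",
                {"issues:read"},
                {"read_issues"}),
]

AUDIT_LOG = [
    {"ts": "2024-03-01T10:00:00Z", "actor": "ci-bot", "action": "read_repo_metadata"},
    {"ts": "2024-03-01T10:00:05Z", "actor": "ci-bot", "action": "create_webhook"},
    {"ts": "2024-03-02T02:13:41Z", "actor": "ci-bot", "action": "clone_repo"},
    {"ts": "2024-03-02T09:00:00Z", "actor": "analytics-sync", "action": "read_issues"},
]

if __name__ == "__main__":
    for f in audit(INTEGRATIONS, AUDIT_LOG):
        print(f"{f.integration}: {f.kind} -> {f.detail}")
```

On the constructed data, `ci-bot` is flagged twice: it holds `repo:write` with no declared action that needs it, and its token was observed doing `clone_repo`, which its document never mentioned. `analytics-sync` produces no findings. The first check can be run at approval time, before the token exists; the second needs the audit log that most SaaS platforms already expose, so "validating the vendor's claims" is a matter of joining two datasets the customer already has.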
In relation to SaaS security, what challenges do you believe that the industry will need to overcome within the next 2-5 years?
I believe that the SaaS sprawl and growth will not stop. Companies that try to slow it down, while being more secure on paper, will fall behind the ones that will allow it, and the latter will ultimately be more productive. As such, this is the time to brace yourselves, and embrace the SaaS sprawl.
In order to make an effective effort to embrace SaaS sprawl, and enter the world in which any employee can safely use whatever SaaS service they require to be productive, a couple of changes will have to be made:
i. Better monitoring and better controls/management of the situation.
ii. A way to empower the users to do the right thing in terms of security.
I believe that most employees wouldn’t want to endanger the company’s data, and with the right tools in their hands to understand how to secure their SaaS usage, they’ll be willing to cooperate. We’ve successfully achieved that model with the shift-left approach to DevSec. It’s time to do the same for the rest of the organization.
Is there anything else that you would like to share with the Check Point Cyber Talk audience?
My journey with Atmosec was one of continuous innovation, transforming the way we secure SaaS applications. Today, that passion is reignited as I embark on a new chapter with Check Point. The company’s unparalleled expertise and diverse portfolio opens doors to previously unimaginable possibilities, and I’m eager to share the amazing solutions we’ll develop together. The possibilities for innovation are endless. Get ready for a revolution in SaaS security.