With the increase in SaaS adoption, IT departments are getting overwhelmed with how to manage the numerous security and data breach threats. Employees are installing SaaS apps on their own, they share files, set permissions and use data with no supervision or approval. With the SaaS stack growing on a daily basis, users switching teams, employees being hired or leaving, the SaaS systems management seems to be quite a challenge.
How can ITs set order in this chaos, minimize risks and establish control over the corporate environment? They need to create and execute specific SaaS systems security and risk management policies. Policies would help them identify sensitive data that may potentially be exposed to threats and secure it.
What are the policies, though?
Policies are guidelines that others are required to follow, rules describing the correct behavior in specific situations. If policies do not get followed - there should be a respective action towards the abusing person. Policies should be created per the organization’s needs and should direct and guide the users on the right actions to take and block them from doing actions that are deemed wrong.
What are the 8 most important SaaS systems management policies an organization should implement?
Regardless of the level of SaaS adoption, organizations should create and follow at least these 8 types of SaaS systems management policies to protect against data breaches and exposure of sensitive data:
User lifecycle management policies
User lifecycle management is one of the most repetitive and time-consuming IT tasks, involving a lot of manual efforts. Employees are switching teams, joining and leaving the organization, and the IT tasks related to onboarding, offboarding, calendar management, email forwarding, etc are overwhelming and slowing IT down. It is estimated that about a quarter of IT’s time goes in repetitive and manual admin tasks, reducing the IT potential to innovate and modernize.
There are two critical user lifecycle management policies that ITs should implement, to optimize time and costs spent, and increase productivity:
This policy includes the actions to be performed when a new hire is welcomed to the company. Those should include giving access to the tools he would need, access to shared files, folders and calendars depending on his role in the organization, having him join the appropriate groups, create a signature, etc. According to research, an efficient and straightforward onboarding process can increase the new employee retention rate with 82% and let the new hire be productive right from the start!
The offboarding policy includes the steps to be performed when an employee leaves the company. This is generally a more complicated and time-consuming process, requiring revoking of all access the employee has to company tools. It also includes resetting the user email password, enabling autoresponder, forwarding email, transferring ownership on files, folders, etc. An efficient offboarding process would prevent wasted SaaS costs for licenses that were not cancelled upon the user’s contract termination and potential security breaches from eventual unauthorized access.
Data Loss Prevention policies
Data loss prevention policies are especially important in the light of regulations like the GDPR, where solid fines and extensive reporting are required in case of a data breach. But the ease of onboarding a SaaS makes sensitive data very easy to expose - via mere overlooking of a setting. The following two policies would help against accidental loss of sensitive data:
Discovering and protecting sensitive content
Content discovery policies are aimed at identifying the movement of sensitive data across the organization and ensuring that data does not leave the organization boundaries. This policy is monitoring sensitive information like personally identifiable information, credit cards, bank account numbers, etc and ensures those are not stored in SaaS and remain confidential. Thus, the company ensures that it can meet legal, industry and regulatory compliance requirements, on one end, and on the other - protects against leakage of intellectual property and proprietary data like customer lists, patents, product roadmaps, etc.
File sharing policies
Sharing files publicly poses a significant risk for the organizations since the data in those files becomes easy to find on the web. Hence, organizations should establish clear policies on what information can be publicly shared. In cases when information identified as sensitive has been detected to be publicly shared, this policy should define the respective remedy actions to be taken.
Insider Threat Policies
It might be surprising, but the biggest threats for data breaches come not from external parties, but from organization insiders. Insiders can threaten the organization intentionally or not, but the extent to which they can threaten it is huge since they have so much knowledge about the company’s systems, business practices, infrastructure, etc. The insider threats can be malicious, done by accident, or compromised.
Threats caused by malicious intentions are not something rare. And the results from them can be disastrous, since the employee can have administrator privileges enough to affect the entire business operations of the company, for a pretty long time.
Accidental data exposure is not caused by malicious intentions. In this case the employee has access to specific data, and s/he exposes it externally, by accident. However, the results from such unintentional actions can also be huge.
Compromised data breach happens when an insider’s account has been compromised by hackers and those hackers, then, take advantage of the user’s privileges for access to the system, applications, etc.
What policies can be adopted to prevent insider threat attacks?
Prevention of email forwarding to external addresses
This policy should ensure that no forwarding of the corporate correspondence to personal mail boxes is allowed to the employees. In case of policy violation, the IT team should be alerted and immediate action taken like automatic disabling of the forwarding for example.
Prevention of sharing of information with competitor domains
This policy should ensure that data cannot be shared with domains identified as competitor domains. Thus, the company can minimize the risk of intellectual property data being stolen and used by competitors, causing damage like loss of competitive advantage, loss of revenue, huge legal fees and more.
Admin Permissions policies
These policies should ensure that everyone has just the right level of access they may need, and not more.
However, due to the simplicity of the admin options offered in SaaS tools, where there is a super admin and user role, with nothing in-between, often all SaaS all users end up being super admins. They are initially granted a user role, but due to restrictions imposed on simple users, they are frequently upgraded to super admins, so they don’t need to wait for specific actions to be performed by the IT.
Two admin policies help to minimize the administrator privileges given to just about everyone:
Super admin policy
The essence of this policy is to assign SaaS super admin privileges - which grant full permissions over the data like read, modify, delete, etc - only to the employees responsible for the IT, security, help desk. By limiting the users who have super admin powers, the organization can minimize the risk from data breaches, be it from insider employees or hackers.
Delegated admin permissions
This policy involves distributing the admin permissions among different employees based on their roles in the organization. Thus one employee would have access to specific admin settings, another would be able to access other options. Thanks to this least-privilege policy, employees can still do their job, while not having full access to the entire SaaS administration.
External Access policies
This policy relates to giving access to people outside your organization, like freelancers, partners, etc. Two policies can be created that can help limit access and minimize the security risks:
Groups for external members
Having external member groups allows to enable specific permissions for all group members, and also have all those external accounts in one place. The group can then be monitored and policies created that would remove each user after a specific number of days, unless he may need extended access.
Externally shared files
Externally shared files are files shared with people outside the organization. Potentially that could also be competitors, which can pose a huge risk for the organization. A policy regulating file sharing can require that no external users can be shared files identified to be holding sensitive data. When violation of this policy is caught, the file sharing should be immediately revoked.
Group Management policies
Groups are often used in organizations, to allow for easier collaboration on a team, business unit or company level. Often, organizations would allow everyone to create a new group, per their specific project or assignment needs. But groups can have numerous settings, and employees assigned as admins for those groups can easily oversee or misunderstand them, thus posing the risk of sensitive data becoming publicly accessible. What group membership policies can protect against such accidents?
Publicly available groups
In Google there is the option to create a public group, which means that anyone in the corporate domain can post messages, read archives, etc. But there is also an option which allows to make the group content publicly available on the internet, and have the full group content accessible to absolutely everyone. The public group policy should be monitoring for such ‘anyone of the web’ group permissions, immediately notify the admins and take action to change the group settings.
Appropriate group membership
Groups are indeed facilitating the collaboration inside departments, projects, teams, etc. But, it is important to ensure that everyone is only granted access to the groups s/he needs. Thus, an employee would not have access to the finance group if s/he is not working in the finance department. Policies that restrict the group memberships to the employees who need them would ensure minimization of data breach and security issues.
License policies ensure that the organization is not wasting money for licenses or license upgrades that are unused. Those policies ensure that license usage is being tracked and access is revoked or package is downgraded following the respective usage data. The policies that can be established here are:
Inactive user policy
SaaS licenses are usually billed per user. Hence, having licenses paid, for users which have left the company long ago or simply don’t need the license anymore, can create a lot of wasted SaaS expenses. The inactive user policy should check data such as the last login date, the last time a document was created, etc to identify that the user is no longer using the license and should then free the license up.
License assignment per department
It is common from employees in specific departments to be all using a certain SaaS stack for their job. Hence, a policy can be created that automatically assigns a set of department-specific licenses, as soon as a new employee joins that department.
The maintenance policy allows to keep your SaaS environment well-organized and cleaned from unneeded SaaS tools, on a regular basis. Because SaaS clutter is the basis for reduced productivity, chaos and poor user experience. What two maintenance policies can help you keep an organized and easy to use Stack environment, for example?
Clean-up of empty Slack or other communication channels
When a company is using a tool like Slack for communication, it can create numerous channels for different purposes. Frequently it can create channels for one-time events or temporary discussions which then get left by everyone, but the channel is staying. At some point, abandoned channels will pile up, creating confusion particularly for newly onboarded members. An empty communication channel policy may look for abandoned channels and remove them after a specific period.
Clean up of empty groups
Like with Slack, it is possible that groups are created in GSuite or Dropbox and they get abandoned after a certain period of time. Empty groups can confuse an employee and have him email the group, with no one actually receiving that email. Hence, an appropriate empty group policy should alert the IT and have them investigate whether the group can be closed.
Depending on your industry or business specifics, you may only need to implement a subset of these 8 policies, or have more policies added to those. If you want to find out how Viio SaaS systems management platform can help you implement those policies - reach out for a personalized demo.