What is SaaS?
SaaS applications provide tremendous value to end users, and SaaS delivery is expected to outpace traditional software product delivery nearly fivefold.
One of the three main cloud computing categories alongside infrastructure as a service and platform as a service, software-as-a-service (SaaS) is a web-based software distribution model in which a third-party provider hosts applications that it makes available to customers over the internet. The software vendor hosts and maintains the servers, databases, and code that constitute an application.
SaaS applications are available for foundational business needs, including email, customer relationship management, billing, sales management and collaboration, among others. Pricing is typically based on annual or monthly subscriptions, accounting for the software license, support and most other monetary costs. Leading SaaS providers include Intuit®, Microsoft®, Oracle®, Salesforce® and SAP, among others. Providers often integrate with each other to augment productivity for customers. For example, a provider that offers an email application might store attachments in another provider’s cloud-based file storage.
The Value of SaaS…and Some of the Security Concerns
SaaS applications provide tremendous value to end users. Research firm IDC predicts SaaS delivery will significantly outpace traditional software product delivery, growing nearly five times more quickly than the traditional software market, with expectations to surpass $112.8 billion by 2019. Why? The economics of SaaS, and cloud computing in general, empower enterprises. SaaS offers easy setup and collaboration capabilities that change the way organizations do business, allowing employees to access the tools they need to effectively do their jobs and essentially putting enterprise customers back in control of IT spending.
However, while incredibly useful for driving business productivity, this exponential growth in SaaS application usage brings security concerns much like those faced in traditional on-premises network infrastructure. For example, Microsoft OneDrive® and SharePoint® are used to easily store and share files, but along with the ease of use come opportunities for accidental shares, where a user unintentionally grants access to the wrong people.
Similarly, applications like Exchange and Salesforce easily store important, structured data for users, but these too are open to accidental data exposure or threat insertion risks, often acting as vectors or entry points for malware, which can spread over time. For example, if a sales representative uploads an infected invoice document to Salesforce, a sales operations person who downloads the file will also become infected, and so on.
Reducing this type of risk in SaaS applications, where organizations’ most sensitive data often resides, is key to securing enterprise IT infrastructures of the future. As a result, governance and protection of this data has catapulted to the top of CISOs’ priority lists.
The Continued Evolution of SaaS Security and Onset of CASB
As businesses have become increasingly concerned about the volume and sensitivity of data being transferred, stored and shared within SaaS environments beyond their visibility and control, the result has been a rapid evolution and adoption of the cloud access security broker market. A CASB brokers access to cloud-based services and is primarily focused on addressing security gaps within highly productive and collaborative SaaS applications, where traditional security products have not been able to keep pace. Driving its popularity, a CASB provides organizations with three key SaaS security functions:
1. Visibility into SaaS usage
2. Control over SaaS access
3. Compliance and visibility within the SaaS cloud
More information on these security features can be found in “SaaS Security: A Next-Generation Platform Approach.”
CASB Architecture and Deployment Options
A CASB can typically be deployed as a service – a SaaS application in the cloud – or as a virtual or physical appliance. There are several modes by which a CASB can deliver its functions – outlined below. In addition, note that a combination of these options is recommended to ensure maximum security.
- Next-Generation Firewall: This method leverages user, content and application inspection features within firewalls to enable CASB functions. The inspection engine should be capable of mapping users to applications and deliver granular control over SaaS application usage. Beyond physical appliances that may already be in place, virtual firewalls can act as gateways in the cloud to ensure maximum global coverage for remote users, eliminating the overhead of deploying additional hardware.
- Proxy: This method typically requires an organization to force all internet-bound traffic to the proxy to enforce granular SaaS access policies, and can be deployed as an appliance or a cloud service. Organizations often require endpoint agents or proxy auto-configuration files to ensure traffic is redirected correctly to the proxy service. Plus, a proxy typically only looks at web traffic, and can be bypassed easily with tools that don’t use HTTP-based connections (e.g., Tor client).
- API Mode: This method gives the CASB permission to access the customer’s data within the cloud application via application programming interfaces (APIs). Organizations can use this mode to perform several functions, including data security inspection on all data at rest in the cloud application or service. The SaaS user experience is preserved as the API is non-intrusive and does not interfere with the data path to the SaaS application. This mode is critical and should be included in every CASB offering to provide instant value without modifying existing infrastructure.
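The following is an added example, not code from the original article or from any CASB vendor, that illustrates what an API-mode inspection of data at rest looks like in practice and ties back to the accidental-share risk described earlier. It assumes a CASB has already pulled file metadata and content through the SaaS provider's API; the record layout, the internal domain `example.com`, the sensitive-data patterns and the sample records are all constructed for the example.

```python
"""
Added example (not the article's or any vendor's code): an API-mode style
scan over file-sharing records that a CASB would have retrieved from a
SaaS application. It flags (1) files shared outside the organization,
i.e. potential accidental shares, and (2) files whose content matches a
sensitive-data pattern, and ranks the combination highest.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumption: the organization's own e-mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Deliberately simple detectors; a real DLP engine uses far richer ones.
SENSITIVE_PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Higher number = more urgent for the security team.
SEVERITY = {
    "sensitive_data_shared_externally": 3,
    "external_share": 2,
    "sensitive_data_at_rest": 1,
}


@dataclass
class FileRecord:
    path: str
    owner: str
    shared_with: List[str]  # e-mail addresses, or the literal "anyone_with_link"
    content: str


@dataclass
class Finding:
    path: str
    issue: str
    detail: str
    severity: int


def external_recipients(record: FileRecord) -> List[str]:
    """Return the recipients that are outside INTERNAL_DOMAINS."""
    external = []
    for recipient in record.shared_with:
        if recipient == "anyone_with_link":
            external.append(recipient)  # public link: always external
            continue
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain not in INTERNAL_DOMAINS:
            external.append(recipient)
    return external


def sensitive_hits(content: str) -> List[str]:
    """Return the names of every sensitive-data pattern found in content."""
    return [name for name, pattern in SENSITIVE_PATTERNS.items() if pattern.search(content)]


def scan(records: List[FileRecord]) -> List[Finding]:
    """Inspect every record and return findings sorted by descending severity."""
    findings = []
    for rec in records:
        external = external_recipients(rec)
        hits = sensitive_hits(rec.content)
        if external and hits:
            issue = "sensitive_data_shared_externally"
            detail = f"{', '.join(hits)} visible to {', '.join(external)}"
        elif external:
            issue = "external_share"
            detail = ", ".join(external)
        elif hits:
            issue = "sensitive_data_at_rest"
            detail = ", ".join(hits)
        else:
            continue
        findings.append(Finding(rec.path, issue, detail, SEVERITY[issue]))
    return sorted(findings, key=lambda f: f.severity, reverse=True)


# Constructed sample records standing in for an API pull from a SaaS tenant.
SAMPLE_RECORDS = [
    FileRecord("Finance/Q3-forecast.xlsx", "alice@example.com",
               ["bob@example.com"], "Revenue 1.2M, margin 31%"),
    FileRecord("Sales/customer-list.csv", "bob@example.com",
               ["anyone_with_link"], "Acme Corp, card 4111 1111 1111 1111"),
    FileRecord("Social/party-invite.docx", "carol@example.com",
               ["dave@partner-example.org"], "Friday 6pm, bring snacks"),
    FileRecord("HR/notes.txt", "erin@example.com",
               [], "Candidate SSN 123-45-6789"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[sev {f.severity}] {f.issue}: {f.path} ({f.detail})")
```

Run as a script, it lists three findings, with the publicly linked file that also contains a card number ranked first. Because the scan works on data the provider already holds, it does not sit in the user's traffic path, which is exactly the non-intrusive property the API mode above relies on; the trade-off is that it sees data only after it has landed in the application, so it complements rather than replaces inline controls.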