As business-critical applications move to the cloud, who is checking that the connections between them are secure? With more critical functions being performed off-premises to support a tidal wave of at-home workers, Jason Fruge, Vice President of Business Application Cybersecurity, Onapsis, outlines best practices for addressing these cybersecurity concerns.
As the "work from anywhere" model continues to gain traction, more businesses are turning to Software as a Service (SaaS) systems for their mission-critical applications. These organizations now share an increasing amount of sensitive data across on-premises, hybrid, and cloud applications. As companies adopt cloud solutions like Salesforce, Oracle ERP Cloud, SuccessFactors, and Workday to gain flexibility and easier access for employees, they may also unknowingly open new risks for their business. The reason? To take full advantage of these mission-critical applications, many of them are interconnected. For example, companies often send customer information from an on-premises SAP system to a Salesforce application.
In today's complex and extended enterprise, who checks that these applications and their interconnections are secure? This grey area, and the lack of visibility into how applications and critical business processes depend on one another, creates blind spots for CISOs. To reclaim control and gain visibility into those blind spots, CISOs do not need to reinvent the wheel.
They do, however, need to start mapping the extended environment and follow established security best practices. This article lists four cybersecurity best practices for securing business-critical applications.
Realize there is a people problem: The people who purchase and deploy SaaS applications are not necessarily focused on enterprise security. Look at HR, for instance. This department provisions and de-provisions users, runs payroll, connects to other internal apps, and more. But does it do these things securely? Because mission-critical applications can be administered from a dashboard by people with very little cybersecurity training, those administrators may not know how to keep the wider enterprise protected. A lack of knowledge about best practices can result in a misconfigured application that puts the enterprise at risk.
Conduct a vulnerability assessment: Because most organizations run several SaaS applications, cloud security is difficult to achieve. Moreover, at some companies the people who purchase cloud-based applications do not consult security personnel before deploying them. While many enterprises assume their current security approach is enough, an IDC survey found that 64% of companies had experienced a security breach of a mission-critical application in the previous two years.
The first step to fixing a problem is knowing its scope. Start by mapping your SaaS landscape. This cloud asset map shows every SaaS tool in use across the enterprise, including the integrations between them. Based on the map, CISOs should conduct a vulnerability assessment to identify the most critical applications, that is, those holding the most sensitive information, and use the results to develop, prioritize, and expedite remediation plans.
Establish proper access controls: The pandemic accelerated the work-from-home model and raised new questions about who was accessing business applications. With more people logging on remotely to SaaS and cloud-hosted applications, security concerns grew. In some cases, employees found workarounds to escalate their own privileges. A user with unauthorized privileges can access and steal valuable company data. Many data breaches happen because companies fail to remove inactive accounts, or unknowingly grant privileged access to employees who should not have that level of clearance. Unauthorized users can cause breaches that make headlines. To close these gaps, security leaders must continually review who is accessing mission-critical applications and whether each account's access follows the principle of least privilege.
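The access review described above can be automated against the user export most SaaS admin consoles provide. The following is an added example, not code from the original article or from Onapsis; the user records, field names (`role`, `status`, `last_login`), the 90-day inactivity window, and the approved-administrator list are all constructed assumptions, since every vendor's export looks slightly different. It flags three least-privilege failures: active accounts nobody has used recently, accounts that have never logged in, and privileged accounts that nobody approved.

```python
"""Periodic access review over a SaaS user export (constructed example data)."""
from datetime import date, timedelta

# Constructed sample of a SaaS user export. Field names are assumptions;
# map them to your vendor's export before using this on real data.
USERS = [
    {"user": "alice@example.com",    "role": "admin", "status": "active",      "last_login": "2021-03-01"},
    {"user": "bob@example.com",      "role": "user",  "status": "active",      "last_login": "2020-09-15"},
    {"user": "carol@example.com",    "role": "admin", "status": "active",      "last_login": "2021-02-20"},
    {"user": "dave@example.com",     "role": "user",  "status": "active",      "last_login": None},
    {"user": "erin@example.com",     "role": "user",  "status": "deactivated", "last_login": "2020-01-10"},
    {"user": "svc-sync@example.com", "role": "admin", "status": "active",      "last_login": "2021-03-02"},
]

# Roles considered privileged, and the accounts the application owner has
# explicitly approved for them (assumed values; normally sourced from HR or a ticket).
PRIVILEGED_ROLES = {"admin"}
APPROVED_PRIVILEGED = {"alice@example.com", "svc-sync@example.com"}

INACTIVE_DAYS = 90  # assumed policy: accounts unused for 90 days are disabled


def review_access(users, approved_privileged, today_iso, inactive_days=INACTIVE_DAYS):
    """Return the accounts that violate the inactivity and least-privilege rules.

    today_iso is the review date as an ISO string so the check is reproducible.
    """
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=inactive_days)
    findings = {"inactive": [], "never_logged_in": [], "unapproved_privileged": []}

    for u in users:
        if u["status"] != "active":
            continue  # already de-provisioned; nothing to review

        # Inactivity: an enabled account nobody uses is a standing credential for an attacker.
        if u["last_login"] is None:
            findings["never_logged_in"].append(u["user"])
        elif date.fromisoformat(u["last_login"]) < cutoff:
            findings["inactive"].append(u["user"])

        # Least privilege: every privileged role must trace back to an approval.
        if u["role"] in PRIVILEGED_ROLES and u["user"] not in approved_privileged:
            findings["unapproved_privileged"].append(u["user"])

    return findings


if __name__ == "__main__":
    for rule, accounts in review_access(USERS, APPROVED_PRIVILEGED, "2021-03-05").items():
        print(f"{rule}: {accounts}")
```

Run the review on a schedule and treat every finding as a ticket: disable inactive and never-used accounts, and either obtain approval for `carol@example.com` or downgrade the role. Keeping the approved list outside the application matters; if it lived in the same admin console, anyone who escalated themselves could also approve themselves.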
Institute continuous monitoring controls: Because SaaS applications are interconnected, a vulnerability or misconfiguration exploited in one application can be used to reach sensitive data throughout the company's network. Not every third-party application follows strong security practices. A failure to apply a patch in one system can expose everything from a company's financial data to its new product development plans. Beyond the security issues of having so much data spread across the cloud, companies that store data improperly can run afoul of compliance regulations like Sarbanes-Oxley and privacy mandates like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act. Continuous monitoring provides awareness of threats to the enterprise, identifies actions that might expose sensitive information, and helps organizations respond quickly to compliance or security failures. By performing routine code, application, and system maintenance, patching, and modernization, CISOs can control and mitigate operational risk.
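"Identifies actions that might expose sensitive information" in practice means running detection logic over the application's audit log rather than waiting for the periodic review. The following is an added example, not code from the original article or from Onapsis. The audit-log lines are constructed, and their JSON shape (`event`, `actor`, `target`, `new_role`, `object`, `records`) is an assumption; real SaaS audit exports use vendor-specific names. It implements two rules, a user granting a privileged role to themselves and a bulk export of a sensitive object, and raises the severity of an export when the same actor escalated their own privileges earlier in the log.

```python
"""Detection over SaaS audit-log lines (constructed example data)."""
import json

# Constructed audit-log sample. Field names are assumptions about a generic
# JSON-lines export, not any particular vendor's schema.
AUDIT_LOG = """
{"ts":"2021-03-05T08:01:00Z","event":"login","actor":"bob@example.com","ip":"203.0.113.10"}
{"ts":"2021-03-05T08:05:12Z","event":"role_change","actor":"bob@example.com","target":"bob@example.com","new_role":"admin"}
{"ts":"2021-03-05T08:07:40Z","event":"export","actor":"bob@example.com","object":"Customer","records":48000}
{"ts":"2021-03-05T09:00:00Z","event":"role_change","actor":"alice@example.com","target":"frank@example.com","new_role":"user"}
{"ts":"2021-03-05T09:30:00Z","event":"export","actor":"carol@example.com","object":"Opportunity","records":120}
"""

PRIVILEGED_ROLES = {"admin"}                         # assumed role names
SENSITIVE_OBJECTS = {"Customer", "Employee", "Payroll"}  # assumed object names
EXPORT_THRESHOLD = 1000  # assumed: exports at or above this many records are reviewed


def detect(log_text):
    """Return a list of alerts, in log order, for the rules below."""
    alerts = []
    self_escalated = set()  # actors who granted themselves a privileged role in this log

    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)

        # Rule 1: privilege grants. A self-grant is the workaround the article
        # warns about; any other grant is still logged for the access review.
        if ev["event"] == "role_change" and ev["new_role"] in PRIVILEGED_ROLES:
            if ev["actor"] == ev["target"]:
                self_escalated.add(ev["actor"])
                alerts.append({"rule": "self_granted_privilege", "actor": ev["actor"],
                               "ts": ev["ts"], "severity": "high"})
            else:
                alerts.append({"rule": "privilege_granted", "actor": ev["actor"],
                               "target": ev["target"], "ts": ev["ts"], "severity": "medium"})

        # Rule 2: bulk export of a sensitive object. Escalate when the exporter
        # is an account that already escalated itself earlier in the log.
        elif (ev["event"] == "export" and ev["object"] in SENSITIVE_OBJECTS
              and ev["records"] >= EXPORT_THRESHOLD):
            severity = "high" if ev["actor"] in self_escalated else "medium"
            alerts.append({"rule": "bulk_sensitive_export", "actor": ev["actor"],
                           "object": ev["object"], "records": ev["records"],
                           "ts": ev["ts"], "severity": severity})

    return alerts


if __name__ == "__main__":
    for a in detect(AUDIT_LOG):
        print(a)
```

The correlation step is what turns two medium findings into one incident: on its own, a large customer export by an administrator is routine, but a large export minutes after that administrator made themselves an administrator is exactly the sequence the access-control section describes. Feed the same audit stream to the compliance team as well; the export record is also the evidence a GDPR or CCPA review will ask for.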
In 2021, companies will continue the mass migration of business applications to the cloud. These interconnected apps that manage payroll, vendor information, and other mission-critical data can introduce security and compliance risks for many organizations. Because the technologies are easy to use, they are also easy to misuse.
Companies often rely on the security provided by cloud providers, but that is not enough: the provider secures the platform, not how the customer configures and connects it. To protect their digital assets, many companies are increasing their cybersecurity spending. But are they spending the money in the right places? Good CISOs understand the value of digital transformation, and they also know that it comes with risks. To mitigate those risks, CISOs must start by recognizing that they have a problem. Because the people who use these mission-critical applications may not follow cybersecurity best practices, CISOs should conduct a vulnerability assessment and establish proper access controls. Once that is done, security leaders should adopt a continuous monitoring regimen, with reviews run at least weekly.