5 SaaS security best practices

5 SaaS security best practices

Just about anywhere you look, organizations are relying on Software-as-a-Service (SaaS) apps like Dropbox and Hubspot to help power their businesses. With more SaaS apps, however, comes increased security risks.

While SaaS is without a doubt the easiest and most accessible way for businesses to reap the benefits of the cloud, these services are delivered online—which can make it easier for data leaks to happen or threat actors to get a hold of sensitive data. In fact, 43 percent of organizations have dealt with one or more security incidents caused by a SaaS misconfiguration

You might be asking yourself though: Doesn’t my cloud provider take care of security for me? Well, yes and no.

Your cloud provider will protect your cloud infrastructure in some areas, but under the shared responsibility model, your business is responsible for handling things such as identity and access management, endpoint security, data encryption, and so on. 

The good news is that there’s a set of SaaS security best practices to help keep your business from becoming another statistic. 

Whether your business uses Office 365, Salesforce, Google Drive, or another SaaS app, this blog will help guide your journey to SaaS security with five best practices.

1. Manage SaaS sprawl 

You might be surprised to find that our journey into SaaS security begins not with an answer, but with a question: are you suffering from SaaS sprawl? 

SaaS sprawl is a situation where a business is bloated with so many different (and even duplicate) SaaS apps that IT can no longer manage them effectively. 

Most departments now have 40 – 60 SaaS tools each, with 200+ apps at the company level—and for small businesses, only 32 percent of these apps are IT-approved. Not only does SaaS sprawl waste money, but it has security risks as well. 

For one, SaaS sprawl makes it harder for IT and security teams to ensure compliance or identify security risks that expose sensitive data. Admins just don’t have the time (or the visibility) to individually check and update potential issues for each app. 

Another issue is that SaaS sprawl and “shadow IT” (i.e. SaaS apps that have bypassed IT’s typical vetting procedures) are closely related—the more shadow IT, the worse the SaaS sprawl. As if trying to manage a ton of authorized SaaS apps wasn’t enough, IT teams don’t even know about the unauthorized ones—and they definitely can’t fix what they can’t see!

All of this is to say: tackling SaaS sprawl before anything else will make it easier for you to get into the more granular aspects of SaaS security. Some best practices to manage SaaS sprawl include:

  • Discover all apps: Regularly audit all SaaS apps being used across the business, IT-approved or not.

  • Create a vetting process: Have a consistent method to audit app requests for security, compliance, and other details.

  • Educate employees: IT should regularly caution employees about the risks of using unauthorized apps. 

  • Bridge the gap between IT and other departments: Put a process in place that allows team members to freely approach IT with new apps they wish to use.

2. Use Single Sign-On (SSO) paired with Multi-Factor Authentication (MFA)

SSO is a nonnegotiable security requirement for any company with more than five employees.

SSO solutions such as Okta, Duo, and Microsoft Azure Active Directory (AD) allow you to access all SaaS applications after entering your credentials just one time. Not only is SSO more convenient for end users, but it gives IT and Security teams the ability to effectively manage user accounts across dozens or hundreds of vendors

SSO also makes it much easier to enforce Multi-Factor Authentication (MFA), a crucial extra level of SaaS security, across all of your accounts.  

After signing in using SSO, for example, a user is prompted with MFA to confirm the session using “something they have” (i.e by receiving a push notification or text on their phone). 

3. Manage identity and access to SaaS applications

Each user in a cloud environment has their own roles and permissions governing the access they get to certain parts of the cloud, and because SaaS workloads are accessed online, all hackers need are your credentials to get the “keys to the kingdom.”

This is why strong identity and access management (IAM) policies are so essential to cloud security.

Identity and access management is a means of controlling the permissions and access for users of cloud resources. You can think of IAM less as a single piece of software and more of a framework of processes, policies, and technology. Some IAM best practices include:

  • Removing dormant accounts

  • Only giving privileged access to those who truly need it

  • Enforcing strict password policies 

According to Palo Alto Networks, most known cloud data breaches start with misconfigured IAM policies or leaked credentials.

Specifically, researchers found that IAM misconfigurations cause 65 percent of detected cloud data breaches, with the runners up being weak password usage (53 percent) and allowing password reuse (44 percent).

4. Use a strong cloud malware scanner

Did you know that malware delivered through cloud storage apps such as Microsoft OneDrive, Google Drive, and Box accounted for 69 percent of cloud malware downloads in 2021?

It can be difficult to monitor and control all the activity in and out of SaaS cloud storage repositories, making it easy for malware to hide in the noise as it makes its way to the cloud. 

That’s where cloud storage scanning comes in.

Cloud storage scanning is exactly what it sounds like: it’s a way to scan for malware in cloud storage apps like Box, Google Drive, and OneDrive. And while most cloud storage apps have malware-scanning capabilities, it’s important to have a second-opinion scanner as well.

Reduce risk from cloud-based malware today

A second-opinion cloud storage scanner is a great second line of defense for cloud storage because it’s very possible that your main scanner will fail to detect a cloud-based malware infection that your second-opinion one catches. 

Look for a third-party cloud storage scanner that aggregates threats across different vendor’s repositories and uses multiple anti-malware engines when scanning files.

5. Define your Software Security Edge (SSE)

In 2021, Gartner introduced the concept of “Security Service Edge” (SSE),  which they defined as an evolving stack of different cloud-based security tools to secure access to the internet, SaaS and specific internal applications. A subset of Secure Access Service Edge (SASE), SSE can help you with SaaS security using tools such as: 

  • Zero Trust Network Access (ZTNA):  ZTNA is an IT solution that secures boundaries around SaaS applications. With ZTNA, your business can enforce “least privilege” access to specific apps and ensure no users are given network access, eliminating unauthorized lateral movement.

  • Cloud secure web gateway (SWG): SWGs filter unsafe content from web traffic and hence can help prevent your SaaS apps from being compromised through a phishing attack, for example. Features include URL Filtering, application control, Data Loss Prevention (DLP), and anti-malware detection and blocking.

  • Cloud access security broker (CASB): A CASB sits between you and your SaaS provider, enforcing security policies and practices including authentication, authorization, alerts and encryption. CASBs offer feature sets across four pillars: data security, compliance, threat protection, and visibility.

  • Firewall-as-a-service (FWaaS): FWaaS is a firewall delivered via the cloud, acting as a barrier to prevent unauthorized access to the network. FWaaS inspects all traffic coming into your network (including SaaS app traffic) to detect and address threats.

SaaS security doesn’t have to be scary

No doubt, SaaS is here to stay. At the same time that businesses are reaping enormous benefits from the cloud, however, SaaS security is top-of-mind. With everything from shadow IT, misconfigurations, access management, and cloud malware threatening the security of your SaaS environment at all times, it has never been more important to adhere to a few best practices.

But SaaS security doesn’t have to be scary.

The combination of processes, technologies, and outsourcing outlined here can vastly improve your SaaS security posture for SMBs, helping to prevent a much-dreaded data breach. 

Malwarebytes EDR prevents, detects, and responds to ransomware, malware, trojans, rootkits, backdoors, viruses, brute force attacks, and “zero-day” unknown threats so you can avoid business disruption and financial loss. 

Complete cyberthreat protection starts here

More resources

Introducing Malwarebytes Cloud Storage Scanning: How to scan for malware in cloud file storage repositories

Cloud data breaches: 4 biggest threats to cloud storage security

Cloud-based malware is on the rise. How can you secure your business?

Case study: Cloud-based environment now vulnerable to cyber-attacks


Bill Cozens

Content Writer

Bill Cozens is content writer for the Malwarebytes business blog, where he writes about industry challenges and how best to address them.