December 3, 2021

Last Updated on January 19, 2024

According to IDC research, nearly 80% of CISOs surveyed acknowledged one or more cloud data breaches in the prior 18 months, with 43% reporting 10 or more breaches. Misconfigurations and lack of visibility into identity and access settings and errors were the CISOs’ top cloud concerns and causal factors.

In this scenario of rampant visibility and control insufficiency across customer-managed cloud resources, what can SaaS vendors do to reduce the alarming rate at which their customers are hacked? Is there a way to reduce customers’ security responsibilities and/or help them get a grip on what they inevitably must manage on their own?

To discuss the evolving balance of shared security responsibilities for cloud security, Mark Richman, Principal Product Manager at iManage, was our guest on a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.

The “shared responsibility” model for cloud security

With any public cloud SaaS deployment, the vendor handles a wide range of security tasks, but the customer inevitably has some security responsibilities as well. SaaS customers are almost always accountable for:

  • The data they store in the application
  • The mobile and desktop devices/endpoints that access the application
  • Their users’ accounts
  • Identity and access management

But within that broad framework, customers are increasingly looking to vendors to take on more responsibility for security.

“Certainly, for things like accounts and identities, devices and things like that, and to a certain extent management of the data, the customer has responsibility,” says Mark. “But we design our architectures and provide tools that put capabilities in the customers’ hands to really have a good understanding and good insight into those things.”

A balancing act

Mark explains that leading SaaS vendors are looking to offer customers some choice about what security responsibilities they want to take on.

“One example of that could be around encryption,” Mark notes. “In our platform we have a default encryption model that is foundational to the platform. But we also provide the ability for a customer to take on ownership of the primary keys for encryption management of all that content, so that they have full control.”

“We’re trying to balance with our customers, to take on a lot of that operational responsibility, but also give customers some flexibility to take on pieces of that where it makes sense for their business and for their amount of risk tolerance,” clarifies Mark.

Compensating controls

Giving customers a choice about security responsibility is a good thing. But the customer’s overall security posture still comes into play.

As John observes: “If they don’t manage the authentication and authorization process right on their side… we can provide additional levels of controls to help them. As an example, supporting multifactor authentication, which reduces the burden on them in terms of mistakes [e.g., credential theft] being less likely to cause an impact. You’ve got all this highly sensitive data [in your SaaS application], and you can keep that as secure as Fort Knox. But when the customer brings that back into their environment, if they don’t do the right things, there’s really not much you can do other than make sure they understand what their security responsibilities are.”

“If someone doesn’t enable two-factor security, or if they have configured an insecure password… We can suggest minimum password requirements and so forth. But if they don’t adopt those best practices, there’s very little that we can do to intercede there,” Mark concedes. “We have a whole series of best practices that we communicate out to our customers, and we have a whole partner ecosystem that can also help with best practices around configuring and securing the application. We also have sets of tools that help mitigate some of these things as well.”

Containing the damage

The sophisticated security tools that iManage offers include automated security policy management, which can automatically reset changes to security settings on documents that violate policy. iManage also offers threat analytics to alert on unexpected user behavior patterns.

Capabilities like these don’t solve or counteract every security problem, like misconfiguring access controls or setting up insecure passwords. But they can help contain the damage and reduce overall cybersecurity risk. Those are big wins for SaaS customers and significant differentiators for leading SaaS vendors like iManage versus both cloud and on-premises alternatives.

What’s Next?

To hear the episode with Mark Richman from iManage all the way through, click here: LINK

For expert guidance on how to validate a cloud vendor’s security posture, we recommend this podcast with SaaS security consultant Ryan Buckley:

Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!