This guest blog was contributed by Adaptive Shield.
Today, most security teams understand the shared responsibility model, in which the SaaS vendor is responsible for securing the application, while the organization is responsible for securing their data. However, determining who within the organization is responsible is not that clear cut.
Finding the right security model is the first step before deploying any type of SSPM or other SaaS security solution.
Getting to Know the Players
There are several different stakeholders involved in the SaaS security ecosystem.
SaaS App Owners – When a business unit adopts a new SaaS app, someone from within that unit is responsible for setting up and onboarding the application. While they may have some help from IT, the application is their responsibility.
They set configurations that align with their needs, as well as add relevant users. SaaS App Owners recognize the need for data security, but it isn’t their main focus.
Central IT – Most businesses have a Central IT that is responsible for things like infrastructure, hardware, and passwords. They manage IDP and servers, as well as oversee help desk activities.
Central IT is more familiar with security requirements than the average employee, but SaaS applications typically do not fall under their direct domain. However, it is important to keep in mind that they aren’t security professionals.
Security Teams – The security team is the natural fit for implementing security controls and oversight. They are tasked with creating and implementing a cybersecurity policy that applies across the organization.
However, they have several challenges inhibiting their ability to secure applications. For starters, they are often unaware of SaaS applications that are being used by the company. Even for applications that they are aware of, they lack access to the configuration panels within the SaaS stack, and aren’t always aware of the unique security aspects associated with each application. Those are controlled and maintained by the SaaS App Owners and Central IT.
GRC Teams – Compliance and governance teams are tasked with ensuring that all IT meets specific security standards. While they don’t play a specific role in securing corporate assets, they do have oversight and need to determine whether the company is living up to its compliance responsibilities.
SaaS Vendor – While the SaaS vendor is absolved from any responsibility to secure the data, they are the team that built the security apparatus for the SaaS application, and have a deep knowledge of their application and its security capabilities.
Defining Roles and Responsibilities
Securing the entire SaaS stack requires close collaboration between the security experts and those managing and running their individual SaaS applications. We developed this RACI chart to share our perspective on the departments that are responsible, accountable, consulted, and informed about the different tasks involved in securing SaaS data.
This table is a framework based on the way we see many companies handling their SaaS security roles. It should be adapted to the needs of your organization.
###