Veza releases access security, governance solution for SaaS applications

Data security authorization vendor Veza has announced a new solution for access security and governance across SaaS applications including Salesforce, GitHub, and Slack. Veza for SaaS Apps allows customers to automate access reviews, find and fix privilege access violations, trim privilege sprawl, and prevent SaaS misconfigurations – securing the attack surface associated with widespread SaaS app usage and enabling compliance with frameworks like ISO 27001 and GDPR, according to the firm.

Organizations maintain an average of 125 different SaaS applications, but IT is typically only aware of a third of those due to decentralized ownership and sourcing, according to Gartner. As SaaS apps grow in popularity, security teams face significant challenges in managing and protecting the spread of data they use, with security and governance typically failing to keep pace with the rise of SaaS app usage. Securing access is complicated due to app-specific role-based access controls that many SaaS apps use. Meanwhile, SaaS apps are vulnerable to privilege sprawl and risky misconfigurations if security teams lack visibility of them.

Veza for SaaS Apps features privileged access alerts, access control misconfiguration detection

Veza for SaaS Apps enables customers to secure sensitive data in SaaS apps against breaches, ransomware, and insider threats, Veza said in a press release. It integrates with 15 popular SaaS applications including Salesforce, JIRA, Confluence, Coupa, Netsuite, GitHub, Gitlab, Slack, and Bitbucket via an out-of-band approach designed for increased flexibility, the firm added.

Capabilities of Veza for SaaS Apps include:

• Privileged access monitoring alerts security teams of new grants of privileged access and privilege drift in SaaS apps, including new local admins in Salesforce. The solution monitors both human identities and machine identities like service accounts and third-party integrations, according to Veza.
• User access reviews and entitlement certifications automate the identity governance and administration process of periodic access reviews. The solution uses workflow rules to route requests for certification and provides decision-makers with authorization context to choose the least-permissive role, the company said.
• Monitoring of SaaS apps scans for administrative misconfigurations and policy violations with over 100 pre-built queries to monitor and detect common misconfigurations in permissions and access controls. As an example, the solution will alert the security team when users have access to sensitive data but do not have multifactor authentication (MFA) enabled.

SaaS growth introduces cybersecurity shifts for organizations

Last October, the Cloud Security Alliance published SaaS Governance Best Practices for Cloud Customers, a whitepaper outlining a baseline set of fundamental security and governance practices for SaaS environments. It stated that organizations should develop SaaS-specific security strategies and architectures that guide the deployment and maintenance of SaaS applications, built around governing evaluation, adoption, usage, and termination of SaaS services.

Organizations also need to ensure they consider SaaS providers as part of their third-party risk management programs and that incident response and business continuity plans and processes are updated accordingly, the guidance added. “The SaaS environment ultimately presents a shift in the way organizations handle cybersecurity that introduces a shared responsibility between producers and consumers. Failing to adjust accordingly can have devastating consequences such as disclosing sensitive data, loss of revenue, customer trust, and regulatory consequences,” the document read.