According to reports, nearly 70% of enterprises were moving mission-critical business functions and processes to the cloud before the pandemic. In today’s new normal, that number has skyrocketed. Organizations increasingly rely on mission-critical cloud applications, such as SAP SuccessFactors and Salesforce, to help modernize business practices, streamline processes, and provide increased flexibility to adapt to work-from-anywhere initiatives.
However, to obtain the most value from these applications delivered through SaaS, PaaS, and IaaS cloud service models, enterprises often integrate and connect applications to ensure seamless information sharing. These connections can create a complex web that makes it challenging for IT and security teams to develop a clear understanding of risks.
Given this lack of visibility, it is entirely plausible that risk introduced in one application, through a misconfiguration, a lapse in user privilege management, or an overlooked vulnerability, can put an entire enterprise at risk. To keep business applications (and the sensitive information they store) secure and compliant, organizations first need to understand the risks they are operating with and then ask some tough questions to ensure they are keeping their business protected.
Security Concerns in the World of Cloud and SaaS Business Applications
To fully understand what risks look like, it’s helpful to consider everyday examples of typical business applications. Let’s look at popular solutions like SAP SuccessFactors and Salesforce, for instance.
SAP SuccessFactors is a leader in cloud human capital management and more than 150,000 businesses use Salesforce across the globe. These popular mission-critical SaaS applications process millions of employee, customer, financial and other sensitive data points each day. While each offering has security functionality built-in, it doesn’t consider the way organizations deploy, operate and integrate applications. It also doesn’t offer the depth and breadth of insight needed to analyze and address risks that could impact other processes and applications – from the core to the cloud.
For instance, neither application considers the following questions: What if system and security administrators can see and edit more than they should? What if staff members can create rogue users and assign elevated privileges? What if users can act as security administrators? What if a user uploads malicious content?
Lack of answers to these questions can lead to security, privacy and fraud problems with excessive authorizations, segregation of duties, user impersonations, misconfigurations, faulty integrations and more.
For SuccessFactors, without this insight it is difficult to know whether the third-party systems integrating with your instance of the HCM are themselves secure. A compromised third-party application could intercept and modify files, or even use its existing connection to get into your SuccessFactors instance and obtain sensitive employee, payroll, and hiring policy information.
Additionally, losing sight of privileged authorizations in a solution like Salesforce could result in an unauthorized user viewing sensitive customer, sales, pricing and financial data. A bad actor with that access could even export data on a mass scale, causing severe privacy concerns (think GDPR) that can be detrimental to a company's bottom line and brand.
To combat these risks, it’s time for IT and security teams to ask some tough questions to keep these robust solutions safe.
Any IT, security and compliance team that’s looking at a complex, interconnected application ecosystem needs to take the time to ask these three key questions to ensure they understand what’s at stake and how to mitigate risk:
SaaS and cloud applications are revolutionizing both the speed and the way businesses around the world work. However, it is essential to understand the risks that adopting these powerful mission-critical applications can introduce when they are not properly managed. While flexibility gains are important, misconfigurations, unauthorized or excessive privileges, and other vulnerabilities can cause breaches that derail an enterprise completely. Organizations should continue to ask these critical questions, follow security best practices, and partner with experts to address common application security and compliance pitfalls.
By Juan Pablo Perez-Etchegoyen