SSPM: System Hardening for SaaS

What Is SSPM?

SaaS Security Posture Management (SSPM) is a set of security tools that an organization’s security team can use to gain visibility and manage security for their Software as a Service (SaaS) applications.

SaaS is an increasingly popular model for consuming software. SaaS providers manage security via a shared responsibility model, in which customers protect their data and user access, while the SaaS vendor is responsible for the infrastructure, hypervisor, network traffic, operating system, and application management. Organizations can use SSPM to manage their side of the shared security responsibility for SaaS applications.

The security posture in a SaaS environment is the overall security status of software and hardware assets, code repositories, SaaS applications, data pipelines, networks, and services. SSPM enables system hardening, protecting applications from cyberattacks and allowing security teams to enforce security policies across a portfolio of SaaS applications. SSPM is a critical part of an organization’s ability to detect cyberattacks, mitigate incidents, and recover.

The Importance of SSPM

Cloud security is an umbrella term encompassing IaaS, PaaS, and SaaS. Gartner established the SaaS Security Posture Management (SSPM) category for solutions that evaluate security risk on an ongoing basis and manage the security posture of SaaS applications.

Organizations of all sizes depend on numerous SaaS applications; research shows that an organization with 1,000 or more employees tends to run hundreds of them. This sprawl creates a need for visibility, which is why SaaS security configurations are becoming increasingly important.

Here are key challenges SaaS security needs to address:

  • Insufficient control over a growing portfolio of SaaS applications.
  • Insufficient governance in the SaaS application lifecycle: from purchase through to deployment, maintenance, and operation.
  • Insufficient visibility of configurations across the SaaS application portfolio.
  • A skills gap in an accelerating, complex, and evolving cloud security environment.
  • Overwhelming workload required to monitor and evaluate hundreds to tens of thousands of permissions and settings.

The native security controls of SaaS applications are generally sturdy. Nevertheless, it is the organization’s responsibility to ensure that all configurations are set correctly—from user roles and privileges to global settings. If an unaware SaaS user shares the wrong data or changes a setting, they could expose confidential company information.

The security team needs to be aware of every application, configuration, and user, ensuring compliance with company and industry standards. Successful SSPM solutions answer these pain points and offer full visibility into the organization’s SaaS security posture. Such solutions automatically assess compliance with industry and company policies.

Certain solutions enable automated remediation from within the solution. This is an important capability that can reduce workloads and improve results for security teams.

A Complete Approach to SaaS Security

A comprehensive SaaS security approach should rest on the foundation of a properly understood SaaS environment. Security teams must understand who uses business-critical applications and various services and how they use them. This context is crucial for informing decisions about security posture management and threat mitigation.

The following measures are essential for providing well-rounded SaaS security.

Activity and State Data Consolidation

Before the security team can implement measures to improve an organization’s SaaS security posture and mitigate threats, it must understand all the SaaS applications used and their unique data schemas. This understanding enables the security team to make informed decisions.

First, the team must map all the entities and actions of each application in the SaaS environment, including files, users, permissions, roles, activities, and configurations. Once they’ve aggregated the relevant data, security analysts and responders must normalize and enrich it to conduct investigations across various applications. For example, all the data from disparate services should have a standard format and include relevant contextual information.
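The consolidation step described above, as an added example that is not part of the original article: two hypothetical SaaS applications ("filestore" and "chatapp", with constructed audit-record formats, not real vendor APIs) are mapped onto one normalized event schema, then enriched with constructed directory context (department, role, whether the source IP falls in an assumed corporate range) so that an analyst can query both sources the same way.

```python
"""Consolidate audit events from two SaaS apps into one normalized schema.

Added example for this article; the two input formats below are constructed
(hypothetical vendors "filestore" and "chatapp"), not real vendor APIs.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Constructed raw audit records as two hypothetical SaaS apps might emit them.
FILESTORE_RAW = [
    {"ts": 1717000000, "actor_email": "alice@example.com", "event": "share.external",
     "object": "/finance/q2-forecast.xlsx", "ip": "203.0.113.10"},
    {"ts": 1717000300, "actor_email": "bob@example.com", "event": "file.view",
     "object": "/hr/handbook.pdf", "ip": "198.51.100.7"},
]
CHATAPP_RAW = [
    {"time": "2024-05-29T16:30:00Z", "user": {"id": "U42", "email": "alice@example.com"},
     "action": "setting_changed", "details": {"key": "guest_access", "value": "enabled"},
     "src": "203.0.113.10"},
]

# Constructed directory data and corporate egress prefix used for enrichment.
DIRECTORY = {
    "alice@example.com": {"department": "finance", "role": "admin"},
    "bob@example.com": {"department": "hr", "role": "member"},
}
CORPORATE_RANGES = ("203.0.113.",)  # constructed assumption: office egress prefix

# Map vendor-specific action names onto a shared vocabulary.
ACTION_MAP = {
    "filestore": {"share.external": "share_external", "file.view": "read"},
    "chatapp": {"setting_changed": "config_change"},
}

@dataclass
class NormalizedEvent:
    timestamp: str        # ISO 8601, UTC
    app: str
    actor: str            # email
    action: str           # shared vocabulary
    target: str
    source_ip: str
    department: str = ""
    actor_role: str = ""
    from_corporate_network: bool = False
    severity: str = "info"

def _iso(ts):
    """Epoch seconds -> ISO 8601 UTC; ISO strings pass through unchanged."""
    if isinstance(ts, (int, float)):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat().replace("+00:00", "Z")
    return ts

def normalize_filestore(rec):
    return NormalizedEvent(_iso(rec["ts"]), "filestore", rec["actor_email"],
                           ACTION_MAP["filestore"].get(rec["event"], rec["event"]),
                           rec["object"], rec["ip"])

def normalize_chatapp(rec):
    d = rec.get("details", {})
    return NormalizedEvent(_iso(rec["time"]), "chatapp", rec["user"]["email"],
                           ACTION_MAP["chatapp"].get(rec["action"], rec["action"]),
                           f"{d.get('key')}={d.get('value')}", rec["src"])

def enrich(ev):
    """Attach directory context and a simple severity to a normalized event."""
    ctx = DIRECTORY.get(ev.actor, {})
    ev.department = ctx.get("department", "unknown")
    ev.actor_role = ctx.get("role", "unknown")
    ev.from_corporate_network = ev.source_ip.startswith(CORPORATE_RANGES)
    if ev.action in ("share_external", "config_change"):
        ev.severity = "high" if ev.actor_role == "admin" else "medium"
    return ev

def consolidate():
    """Normalize, enrich and time-order events from every source."""
    events = [normalize_filestore(r) for r in FILESTORE_RAW]
    events += [normalize_chatapp(r) for r in CHATAPP_RAW]
    events = [enrich(e) for e in events]
    events.sort(key=lambda e: e.timestamp)
    return events

if __name__ == "__main__":
    for e in consolidate():
        print(json.dumps(asdict(e)))
```

The shared `action` vocabulary is what makes cross-application queries possible: once both sources emit `share_external` or `config_change`, one rule covers every app, and the enrichment fields let the same rule weigh an admin's change differently from a member's.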

Proactive Application Posture Hardening

SaaS applications may vary widely in terms of configurations and user privileges. It is possible to optimize each application to minimize risks and mitigate the damage in the event of a breach. However, application owners often launch and manage services without assessing configuration settings or restricting access privileges. For example, they may grant privileged roles to many users to facilitate business operations.

The failure to prioritize SaaS security can expose business-critical SaaS services to more vulnerabilities and increase a breach’s potential impact. The security team must have clear, comprehensive insights into the configuration and permissions settings throughout the SaaS environment to minimize risk. Consolidating these insights in a central inventory makes it easier to keep track of and manage settings, prevent configuration drift, maintain least-privilege access, and improve the organization’s overall SaaS security posture proactively.
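A central-inventory posture check of the kind described above, as an added example that is not part of the original article. The baseline policy, setting names, thresholds and the two application snapshots are all constructed and do not correspond to any real vendor; the code compares each app against the baseline, flags over-assignment of the admin role, and reports drift between two snapshots of the same app.

```python
"""Posture check over a central SaaS configuration inventory.

Added example for this article. The baseline policy, the app snapshots and
the setting names are constructed; they do not correspond to any real vendor.
"""
from collections import Counter

# Constructed baseline: expected value (or predicate) per setting, with a severity.
BASELINE = {
    "mfa_required": {"expected": True, "severity": "critical"},
    "external_sharing": {"expected": "disabled", "severity": "high"},
    "session_timeout_minutes": {"expected": lambda v: v <= 60, "severity": "medium"},
    "api_tokens_expire": {"expected": True, "severity": "medium"},
}
MAX_ADMIN_RATIO = 0.05  # constructed threshold: flag if more than 5% of users are admins

# Constructed snapshots of two apps as an SSPM collector might store them.
INVENTORY = {
    "crm": {
        "settings": {"mfa_required": True, "external_sharing": "disabled",
                     "session_timeout_minutes": 30, "api_tokens_expire": True},
        "users": {"alice": "admin", "bob": "member", "carol": "member", "dan": "member"},
    },
    "wiki": {
        "settings": {"mfa_required": False, "external_sharing": "enabled",
                     "session_timeout_minutes": 1440},  # api_tokens_expire not reported
        "users": {"alice": "admin", "bob": "admin", "carol": "admin", "dan": "member"},
    },
}

def check_settings(app, settings):
    """Compare one app's settings with the baseline; return a list of findings."""
    findings = []
    for key, rule in BASELINE.items():
        if key not in settings:
            # A setting the collector cannot see is itself a visibility gap.
            findings.append({"app": app, "setting": key, "severity": rule["severity"],
                             "issue": "not reported by collector"})
            continue
        exp = rule["expected"]
        ok = exp(settings[key]) if callable(exp) else settings[key] == exp
        if not ok:
            findings.append({"app": app, "setting": key, "severity": rule["severity"],
                             "issue": f"value {settings[key]!r} violates baseline"})
    return findings

def check_least_privilege(app, users):
    """Flag apps where the admin role is handed out broadly (one admin is always allowed)."""
    counts = Counter(users.values())
    admins = counts.get("admin", 0)
    ratio = admins / len(users) if users else 0
    if ratio > MAX_ADMIN_RATIO and admins > 1:
        return [{"app": app, "setting": "admin_role_assignment", "severity": "high",
                 "issue": f"{admins} of {len(users)} users are admins"}]
    return []

def detect_drift(previous, current):
    """Settings whose value changed between two snapshots of the same app."""
    return {k: (previous.get(k), current.get(k))
            for k in set(previous) | set(current) if previous.get(k) != current.get(k)}

def assess(inventory):
    """Run every check over the inventory and order findings by severity."""
    findings = []
    for app, snap in inventory.items():
        findings += check_settings(app, snap["settings"])
        findings += check_least_privilege(app, snap["users"])
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: (order[f["severity"]], f["app"], f["setting"]))
    return findings

if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"[{f['severity']:8}] {f['app']}/{f['setting']}: {f['issue']}")
    drifted = {**INVENTORY["crm"]["settings"], "external_sharing": "enabled"}
    print("drift:", detect_drift(INVENTORY["crm"]["settings"], drifted))
```

Treating an unreported setting as a finding rather than silently passing it is deliberate: a gap in what the collector can read is exactly the kind of blind spot the article warns about, and it should surface with the same severity as the control it hides.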

Continuous Threat Monitoring and Mitigation

Threat actors increasingly target the sensitive data stored in SaaS applications and leverage methods like cookie theft and session hijacking to bypass security measures such as MFA and SSO. Therefore, the security team must maintain a continuous monitoring system that generates the insights needed to detect malicious activity quickly and prevent or mitigate actions like data theft.

Organizations typically have multiple integrations connected to their core applications, so vulnerabilities in one service may enable attackers to access sensitive data in another. Security analysts must understand normal user activity in various applications—they can use the baseline of typical behavior to analyze behavioral patterns and identify anomalous activities that might indicate an insider threat or account takeover.
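The behavioral-baseline approach described above, as an added example that is not part of the original article. It assumes events have already been consolidated into a common schema; the fourteen-day history, the day-15 window and the thresholds (unseen country, activity more than two hours from any usual hour, an app never used before, and a daily action count beyond three standard deviations of the user's own rate) are constructed assumptions for illustration, not vendor defaults.

```python
"""Baseline normal per-user SaaS activity and flag deviations from it.

Added example for this article. Events are constructed and already in a
common schema (user, day, hour, country, app, action), as an SSPM
consolidation step would produce; thresholds are illustrative assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

def _history():
    """Constructed 14-day history: alice reads 4x and downloads 1x per day from GB
    during office hours; bob reads twice a day from US."""
    events = []
    for day in range(1, 15):
        for hour in (9, 11, 14, 16):
            events.append(("alice", day, hour, "GB", "crm", "read"))
        events.append(("alice", day, 10, "GB", "crm", "download"))
        for hour in (8, 13):
            events.append(("bob", day, hour, "US", "wiki", "read"))
    return events

HISTORY = _history()

# Constructed recent window (day 15) to evaluate against the baseline.
RECENT = [
    ("alice", 15, 9, "GB", "crm", "read"),
    ("alice", 15, 3, "RU", "crm", "download"),   # unseen country, off-hours
    ("alice", 15, 3, "RU", "crm", "download"),
    ("alice", 15, 3, "RU", "crm", "download"),
    ("alice", 15, 4, "RU", "crm", "download"),
    ("alice", 15, 4, "RU", "crm", "download"),   # 5 downloads vs ~1/day baseline
    ("bob", 15, 8, "US", "wiki", "read"),
    ("bob", 15, 9, "US", "hrportal", "read"),    # app never used before
]

def build_baseline(events):
    """Per-user profile: known countries, active hours, apps, and per-day action rates."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": set(), "apps": set(),
                                    "daily": defaultdict(lambda: defaultdict(int))})
    for user, day, hour, country, app, action in events:
        p = profiles[user]
        p["countries"].add(country); p["hours"].add(hour); p["apps"].add(app)
        p["daily"][action][day] += 1
    for p in profiles.values():
        days = {d for per_day in p["daily"].values() for d in per_day}
        p["rate"] = {}
        for action, per_day in p["daily"].items():
            counts = [per_day.get(d, 0) for d in days]   # zero-fill quiet days
            p["rate"][action] = (mean(counts), pstdev(counts))
    return profiles

def score(events, profiles, sigma=3.0):
    """Return (user, category, detail) findings for a window of recent events."""
    findings = []
    per_user_day_action = defaultdict(int)
    for user, day, hour, country, app, action in events:
        p = profiles.get(user)
        if p is None:
            findings.append((user, "unknown_user", f"no baseline for {user}"))
            continue
        if country not in p["countries"]:
            findings.append((user, "new_country", f"{country} at {app}/{action}"))
        if hour not in p["hours"] and min(abs(hour - h) for h in p["hours"]) > 2:
            findings.append((user, "off_hours", f"hour {hour:02d}:00 at {app}/{action}"))
        if app not in p["apps"]:
            findings.append((user, "new_app", app))
        per_user_day_action[(user, day, action)] += 1
    for (user, day, action), n in per_user_day_action.items():
        mu, sd = profiles[user]["rate"].get(action, (0.0, 0.0))
        # Floor the deviation at 1 so a perfectly flat baseline can still alert.
        if n > mu + sigma * max(sd, 1.0):
            findings.append((user, "volume_spike",
                             f"{n} {action} on day {day} vs mean {mu:.1f}"))
    return findings

def summarize(findings):
    """Distinct (user, category) pairs, collapsing repeated hits of one kind."""
    return sorted({(u, c) for u, c, _ in findings})

if __name__ == "__main__":
    for finding in score(RECENT, build_baseline(HISTORY)):
        print(finding)
```

Each signal on its own is weak (a new app or an early login happens legitimately), which is why the findings are kept per user and summarized: several categories firing for the same account in one window, as they do for `alice` here, is the pattern that distinguishes a likely account takeover from ordinary variation.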

Incident responders can use additional layers of contextual information about configurations and permissions to delineate the scope of an attack and report incidents smoothly and quickly.

Conclusion: System Hardening for a SaaS Portfolio

In this article, I explained the basics of SSPM and described three practices that can help an organization achieve holistic system hardening for SaaS applications:

  • Activity and state data consolidation – use SSPM to gain a holistic view of activities and security statuses across the SaaS application portfolio.
  • Proactive application posture hardening – take proactive action, either automated or manual, to improve the security posture of applications.
  • Continuous threat monitoring and mitigation – it is impossible to mitigate all vulnerabilities, so continuously monitor and be ready to remediate additional vulnerabilities as they are discovered.

I hope this will be useful as you improve visibility, control, and security of SaaS applications.

By Gilad David Maayan
