Aamir Sardar | Director Alliances, Thales DIS CPL
A perfect storm…
For several years now and especially post-pandemic, enterprises have shifted to a distributed business model, where employees, devices, computing and storage systems, applications and data have moved outside the traditional enterprise IT boundaries. In fact, today’s most successful companies are characterized by increased SaaS usage, with a growing percentage of critical business data running on SaaS apps. This is further augmented with an accelerated cloud migration, primarily towards multi-cloud deployments.
Of course, no good story is complete without some dark characters. Attacks on SaaS applications are at an all-time high. With a larger number of SaaS Apps across multiple cloud platforms to secure, operational errors and their associated risks start to grow. This creates an increased attack surface, placing a greater need on enterprises to improve their SaaS security posture.
Besides the evolving technology landscape, the business arena is also being shaped by a growing number of regulatory compliance requirements related to privacy and data protection, and the associated rise of data sovereignty mandates. Enterprises understand that without a well-crafted sovereignty and compliance strategy, they will struggle to unlock the true value of SaaS and the cloud in their operational jurisdictions.
All in all, while the growth of enterprise SaaS usage is accelerating, the threats against SaaS in the cloud will continue to become more hostile, requiring increasing effort to secure, posing significant challenges for enterprises.
It’s shaping up to be a perfect storm!
It’s a multi-cloud multi-SaaS world…
Multi-cloud is the norm now, and the Thales 2023 Cloud Security Study confirms this trend. On average, enterprises use 2.3 cloud platforms, which, while unlocking many benefits, also puts pressure on them as well as their SaaS providers to ensure seamless interoperability and support for SaaS data protection solutions across multiple cloud infrastructures.
Multi-SaaS use is also the norm, as more businesses are switching over from their legacy in-house applications. According to the same Thales study, enterprises use, on average, 97 SaaS apps. And once again, while the benefits are obvious, there is also an increasing reliance of enterprise SaaS users on their respective SaaS providers, to ensure that their customer and business critical data stored and processed in those SaaS apps is secure and protected from attack.
What makes it even more concerning is that over a third (38%) of the Thales study respondents say SaaS apps are the top target for cyberattacks, with cloud storage ranking second. Almost half (46%) acknowledged to experiencing a data breach in their cloud environment, most likely aided by an increasing surface area, greater operational complexity to manage multiple platforms, and the ever-growing presence and skill level of the attacker community, constantly increasing the pressure on enterprise security teams.
Needless to say, the time for enterprises to act is upon them!
But not everything is in the cloud…
However, not all corporate infrastructure is in the cloud. Similarly, not all data is stored and processed by SaaS apps. Despite the ongoing transition to the cloud, it will take enterprises several years to totally move away from their on-premises data centers. In fact, for some industry verticals, a full move may never happen. This is not due to being reluctant to promote cloud-first strategies, but due to factors such as a lack of interoperability with legacy apps. What this implies, as a consequence, for enterprises is that they must ensure support for data protection solutions that work and interoperate seamlessly across hybrid computing environments, i.e., a combination of workloads across on-prem and multiple clouds.
Bottom-line, in these hybrid-cloud and multi-cloud realities, enterprises will need to take ownership and control of the end-to-end security of their SaaS data, and it won’t be as simple as lobbing this problem over into court of the SaaS and cloud providers.
Data sovereignty requires attention…
Increasing data sovereignty requirements, especially in Europe, but also with the Americas and APAC following swiftly, will present challenges with requirements to control and manage where SaaS data is stored and used, and who has access to it. 83% of the Thales Cloud Security study respondents admit they are concerned about how data sovereignty can impact their cloud deployments.
The key to achieving data sovereignty lies in the data management capabilities of the underlying infrastructure on which the SaaS applications run. It is essential for the data custodian – the enterprise SaaS user – to have control over the workloads and applications associated with their data. This places a shared responsibility with both SaaS and cloud providers to provide compliance on tenancy, residency, and sovereignty requirements.
Which leads us now to the question: “What strategies for ensuring SaaS data security and compliance are being employed in the market, and what are the best practices?” In the next section, let’s look at a couple of the most prevalent and successful approaches.
Technology options for SaaS data security…
Although SaaS data security is a broad, multi-faceted domain, multiple schemes that require appropriate safeguarding of data, including GDPR, PCI-DSS, and HIPAA, have highlighted two primary areas: Encryption and Key Management, as “go-to” technology options for SaaS and cloud data protection.
Encryption and Key Management helps to mitigate against the threats of data breach by ensuring the Confidentiality, Integrity and Availability of sensitive data residing on SaaS apps, while providing compliance with industry standards.
It is a growing trend now that enterprises, especially large ones, prefer not to have their SaaS providers host and control their encryption keys. Instead, the growing majority prefer to hold their keys on premises through a hardware security module (HSM), keep management control of cloud-hosted keys, or use a combination of methods. Companies use these approaches to mitigate the impacts of any unauthorized access to their sensitive information on the SaaS platform, including preventing government agencies from gaining access to and unencrypting their data without first contacting them.
The evolving threat landscape has increased the expectations that enterprise SaaS users have from the respective SaaS providers to provide support for cloud-neutral data protection solutions such as Bring Your Own Encryption (BYOE) and customer-managed key management solutions such as Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK).
Bring Your Own Key (BYOK) is a popular approach, where the keys are hosted with the SaaS or cloud provider. Hold Your Own Key (HYOK) mandates hosting and managing the keys by the enterprise, which is fast becoming the most common option for greater control and sovereignty. Certainly, the ultimate strategy in securing data and apps in SaaS environments is Bring Your Own Encryption (BYOE), where the enterprise controls and manages the entire encryption and key lifecycle process.
How Thales helps enterprises and SaaS providers
Thales CPL, a leading market player in cloud and SaaS security, can help both enterprise SaaS users and SaaS application providers address these challenges with Encryption and Key Management solutions that are deployable now.
Learn more about Thales Data Security Solutions for Software as a Service (SaaS) or contact our sales team.
Please stay tuned for the next edition in this “SaaS data security” Blog series, where we will go into further details into the solutions and use-cases that are finding success in the marketplace.