5 Comments

I'm a little skeptical about the “70% of organisations have a dedicated SaaS security team” too, but I'm a big believer in the value of supply chain risk assessments, and tailoring these appropriately when the vendor provides a SaaS product or service.

author

Yes, 70% seems far-fetched. What kind of risk assessment would you generally recommend for organisations that have a subscription service to Google Workspace or Microsoft 365? It's mostly a risk that you highlight and accept, I guess.


I think even with those big entities we still need to thoroughly review the elements of their security that are most relevant to our environment. That might be their privacy policies, data retention, SLA for reporting a data breach, or something else. And of course with any cloud service we need to be sure that "our side" of the shared responsibility is fully understood. The cloud service providers typically provide the tools to keep the cloud environment secure (for example in Identity and Access Management), but our IT or Cyber teams, or both, have to make use of those tools to lock things down properly.

How about you - what are your best tips?

author

I think there are two key aspects here. First, the aspect of risk. What kind of risks am I expecting if there is a breach on the SaaS provider's end? If the risk is unacceptable, it's best to consider other options, irrespective of the controls at the SaaS provider's end. Second, what you mention about knowing the shared responsibility. I would prepare my own version of the responsibility matrix for critical SaaS services and ensure that I have implemented the controls that I need to. If my SaaS allows 2FA, I ensure that I have enabled it for all users.

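The "enable 2FA for all users" control above is only worth anything if someone actually verifies it. The script below is an added example, not code from this thread or from any SaaS vendor: it audits a constructed user export for accounts without MFA, flags privileged accounts first, and marks dormant accounts that may be better disabled than merely enrolled. The CSV layout (`email,role,mfa_enabled,last_login`), the role names and the 90-day dormancy threshold are assumptions; real admin-console exports differ per provider, so map the column names to your tenant's export before using it.

```python
"""Audit a constructed SaaS user export for MFA coverage.

Added example, not from the thread or any vendor. The column layout, the
role names and the dormancy threshold are assumptions for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample export (hypothetical accounts, not real data).
SAMPLE_EXPORT = """email,role,mfa_enabled,last_login
alice@example.com,admin,true,2024-05-01
bob@example.com,user,false,2024-04-28
carol@example.com,admin,false,2023-11-02
dave@example.com,user,true,2024-05-03
erin@example.com,user,false,2023-01-15
"""

# Assumed role names that carry tenant-wide privileges.
PRIVILEGED_ROLES = {"admin", "owner"}
# Accounts idle longer than this are dormant: disable rather than just enrol.
STALE_DAYS = 90
# Fixed "today" so the example is reproducible offline.
AS_OF = date(2024, 5, 5)


@dataclass
class MfaFinding:
    email: str
    role: str
    stale: bool


def parse_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _mfa_on(row):
    return row["mfa_enabled"].strip().lower() == "true"


def mfa_gaps(rows, today=AS_OF):
    """Return accounts without MFA, privileged accounts first, then dormant ones."""
    findings = []
    for row in rows:
        if _mfa_on(row):
            continue
        last = datetime.strptime(row["last_login"].strip(), "%Y-%m-%d").date()
        stale = (today - last).days > STALE_DAYS
        findings.append(MfaFinding(row["email"], row["role"].strip().lower(), stale))
    # Sort so the riskiest gaps (privileged, then dormant) come first.
    findings.sort(key=lambda f: (f.role not in PRIVILEGED_ROLES, not f.stale, f.email))
    return findings


def coverage(rows):
    """Fraction of accounts with MFA enabled (0.0 when the export is empty)."""
    if not rows:
        return 0.0
    return sum(1 for r in rows if _mfa_on(r)) / len(rows)


def report(text, today=AS_OF):
    """Build a human-readable report as a list of lines."""
    rows = parse_export(text)
    gaps = mfa_gaps(rows, today)
    lines = [f"MFA coverage: {coverage(rows):.0%} ({len(rows) - len(gaps)}/{len(rows)})"]
    for f in gaps:
        tag = "PRIVILEGED" if f.role in PRIVILEGED_ROLES else "user"
        note = " (dormant, consider disabling)" if f.stale else ""
        lines.append(f"- {f.email} [{tag}] no MFA{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```

Run it against a real export by reading the file into `report()`; the ordering puts an unprotected admin at the top of the list, which is the finding that should close the "our side" row of the responsibility matrix first.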

Oh yeah, the risk piece is the most essential piece. Well said.
