#101 - SaaS Security Posture Management (with Ben Johnson)
CISO Tradecraft® - En podcast af CISO Tradecraft® - Mandage
Special Thanks to our podcast sponsor, Obsidian Security. We are really excited to share today’s show on SaaS Security Posture Management. Please note we have Ben Johnson stopping by the show so please stick around and enjoy. First let’s go back to the basics: Today most companies have already begun their journey to the cloud. If you are in the midst of a cloud transformation, you should ask yourself three important questions: How many clouds are we in? What data are we sending to the cloud to help the business? How do we know the cloud environments we are using are properly configured? Let’s walk through each of these questions to understand the cyber risks we need to communicate to the business as well as focus on one Cloud type that might be forecasting a major event. First let’s look at the first question. How many clouds are we in? It’s pretty common to find organizations still host data in on premises data centers. This data is also likely backed up to a second location just in case a disaster event occurs and knocks out the main location. Example if you live in Florida you can expect a hurricane. When this happens you might expect the data center to lose power and internet connectivity. Therefore it’s smart to have a backup location somewhere else that would be unlikely to be impacted by the same regional event. We can think of our primary data center and our backup data center as an On-Premises cloud. Therefore it’s the first cloud that we encounter. The second cloud we are likely to encounter is external. Most organizations have made the shift to using Cloud Computing Service providers such as Amazon Web Services, Azure, Google Cloud Platform, or Alibaba. Each of these cloud providers has a multitude of offerings designed to help organizations reduce the need to host IT services on premises. Now if you are using both on-premises and a cloud computing provider such as AWS, congratulations you are in what is known as a hybrid cloud environment. If you use multiple cloud computing providers such as AWS and Azure then you are in a multi-cloud environment. Notice the difference between terms. Hybrid cloud means you host on premises and use an external cloud provider, whereas multi-cloud means you use multiple external cloud providers. If you are using a Common Cloud platform like AWS, Azure, or GCP then you can look into a Gartner Magic Quadrant category known as Cloud Workload Protection Platforms. Here you might encounter vendors like Palo Alto Prisma Cloud, Wiz, or Orca who will provide you with recommendations for your cloud configuration settings. So let’s say your organization uses on premises and AWS but not Azure or GCP. Does that mean you only have two clouds? Probably not. You see there’s one more type of cloud hosted service that you need to understand how to defend. The most common cloud model organizations leverage is Software as a Service commonly pronounced as (SaaS). Frankly we don’t hear about SaaS security being discussed much which is why we are doing a deep dive on its security in this episode. We think there's a real danger of SaaS clouds turning from a nice cloud that gently cools down a hot summer day into a severe weather storm that can cause an event. So let’s look at SaaS Security in more depth. SaaS refers to cloud hosted solutions whereby vendors maintain most everything. They run the application, they host the data, they host runtime environments, middleware, operating systems, virtualization technologies, servers, storage, and networking. It can be a huge win to run SaaS solutions since it minimizes the need to have IT staff running all of these IT services. Example: Hiring HVAC folks to ensure we have proper heating and cooling for servers on premises won’t add new sales revenue to the business. Now that you understand why SaaS is important you should ask yourself. How many external SaaS providers are we sending sensitive data to? Every co