According to a recent McKinsey survey, which polled CISOs and other cybersecurity professionals from more than 60 companies of varying size in a range of industries, companies do not feel comfortable with trusting the management of keys solely in the hands of native SaaS providers’ solutions.
Companies are rapidly adopting software as a service (SaaS) instead of purchasing on-premises commercial off-the-shelf (COTS) software. Companies rely on SaaS providers to host their applications in the cloud instead of running them in their own data centers. Industry analysts estimate that the SaaS market will grow by more than 20 percent annually, reaching nearly $200 billion by 2024.
Adopting SaaS services means that eventually companies will face the cybersecurity risks inherent in a cloud approach. These are different risks from those experienced in on-premises installations, where the customer installs the software, configures it, and takes full responsibility for running it in a secure infrastructure. In cloud environments, the providers share security responsibility with their customers.
The goal of the survey was to understand how companies experienced SaaS offerings and how they responded to security challenges. Almost universally, respondents said they have increased their focus on security for SaaS offerings, emphasizing capabilities at the intersection of the vendor’s and their own security environments. In fact, about half of the companies had used products from 20 or fewer SaaS vendors, and about a quarter from more than 80. Almost all companies surveyed were deploying SaaS offerings in at least one major area, especially office automation, IT-service management and business applications.
What is worth noting is that a big percentile of survey respondents expressed a fair amount of frustration with shortcomings in vendors’ cybersecurity capabilities. According to the survey findings, companies do not feel entirely comfortable with the indirect relationship to cybersecurity risk that SaaS presents, mediated through native vendor protections. More important, SaaS vendors have not always ensured that their products meet their customers’ security requirements.
Security executives tend to focus on four key issues when confronting SaaS capabilities: encryption and key management, identity and access management (IAM), security monitoring, and incident response. It is notable that each of these issues has more to do with the interface between the customer and the SaaS provider than with the providers’ intrinsic technical protections, such as code security and endpoint protection.
In the CISOs’ view, SaaS vendors need to take a much more customer-centric approach to security, making it easier to understand their products’ security capabilities, easier to integrate them with the rest of the enterprise-security environment, and easier to configure them in a secure and compliant way.
Traditional perimeter-based security practices cannot be used to protect applications running or data stored in the cloud. Without a perimeter, SaaS relies on machine identities to secure each transaction. Security becomes crucially reliant upon encryption and management of the keys that comprise machine identities to provide access to encrypted data or authenticate machines.
As the McKinsey survey revealed, encryption remains a huge challenge, especially for the cloud and SaaS. Most large companies do not entrust SaaS providers to host and manage their security keys. While it is tempting to use cloud native encryption and key management services because it’s simple and easily available, this decision comes with many challenges.
One issue is that many cloud native encryption and key management services provide only basic data security. Cloud services need to afford the same level of policy, control and visibility as the on-premise delivered services. The certificate management tools built into the SaaS platforms are very good and easy at provisioning certificates for the development teams, but when it comes to policy compliance there are many gaps that may jeopardize a company’s certificate management strategy.
Furthermore, leaving key control and management to cloud providers presents potential security risks and data ownership issues. It is not a good idea to get locked into a single cloud vendor. Cloud computing has revolutionized the ways that companies do business. However, this increased reliance on cloud computing also comes with the risk of dependency. By making your company more flexible and adaptable, being cloud agnostic inoculates against the risk of vendor lock-in.
From an operational standpoint, the use of multiple cloud key management services translates to decentralized key management, which is a definite “no-go” when it comes to security best practices. Unfortunately, this rush to cloud native encryption and key management has put sensitive data at risk as evidenced by the multitude of data breaches we have witnessed over the past couple of years.
As SaaS adoption continues to grow, the problem of managing certificates will get even bigger because of the exponential growth of the machine identities that companies have to manage. Businesses are recognizing the severity and the magnitude of the problem and, as a result, 56% of the survey respondents indicated that they would like the SaaS vendors to offer better encryption and key management options, including self-management, vendor-to-customer management or hybrid.
Rather than trusting native SaaS vendors solutions to manage and protect machine identities, many companies with a high SaaS adoption rate prefer to hold and manage their keys on premises through a certificate management solution like the one offered by Venafi. This approach allows companies to implement certificate management services that are consistent with their enterprise-wide security policies and, therefore, assume full responsibility of the certificates security. Without a proper solution for protecting and managing these machine identities, SaaS solutions may risk vulnerability or compromise.
The survey further revealed that companies want a degree of sophistication in key management so that they can grant access to data for a certain period of time or revoke access quickly. This preference again emphasizes that most respondents want to exercise full control over their machine identities.
SaaS vendors’ baseline treatment of security capabilities is shaping the ways enterprise customers use SaaS products. In fact, security remains a major concern. Many businesses decide to invest in specialized third-party tools to manage encryption keys, ensure compliance with corporate policies, analyze vulnerabilities, and enhance encryption. They do this because they weren’t entirely comfortable with the security provisions of the SaaS offering.
If you want to avoid cloud vendor lock-in and reap the benefits of a cloud agnostic solution, Venafi has the perfect solution for your certificate management service with integrations with all major cloud providers. VIA Venafi roadmap can help you build, maintain and scale a solution to eliminate certificate outages across your enterprise.