A Comprehensive Guide to Cloud Security Posture Management

RevCult is now OwnBackup Secure! In 2021, OwnBackup acquired RevCult, enhancing the cloud data protection platform with proactive data security. With OwnBackup Secure, you will strengthen security posture by understanding data exposure risks and proactively taking action to protect and secure your data -- all within Salesforce.

Just a few short decades ago, cloud computing was the stuff of science fiction. Now, very few organizations of any size are operating without some kind of cloud services, and most are looking to eliminate legacy data storage systems and replace them with cloud solutions wherever possible. According to Right Scale’s 2019 State of the Cloud Report, 94% of enterprises were using the cloud, and Gartner research shows that almost 70% of organizations in the cloud in 2020 were planning to increase their investment in that area.

The oft-cited advantages of agility and scalability have certainly driven the cloud’s growth over the years, but its rise has also coincided with an easing of security concerns. Particularly for organizations in highly regulated industries that use and store sensitive data, security was one of the biggest barriers to cloud adoption for years, but many of the most common perceived risks have largely been debunked.

• Overcoming Security Concerns

• Challenges in Security Posture Management

• PaaS and PSPM

On-premise data storage used to be thought of as the gold standard for security, but that perception has all but disappeared. Finding and paying a team of full-time security experts is a tall order for any organization, and even Fortune 500 companies would struggle to keep up with the security investment that cloud providers like Amazon and Microsoft can bring to bear.

On-premise legacy systems also tend to rely more on manual processes, whether it’s keeping software updated or swapping out old hardware for newer models. These needs introduce the capacity for human error, and on-premise systems can’t offer anything close to the redundancy of public cloud providers.

For these and other reasons, the modern cloud is often a security upgrade for the organizations that embrace it, and data from the Office 365 arm of Microsoft indicates that 94% of SMBs see security improvements after a cloud migration. What’s more, when breaches and data loss do occur, providers are

>> Know which fields can be encrypted & why some can’t? Get the Shield Platform Encryption Checklist HERE

almost never the ones to blame for the incident, and data from Gartner suggests that 99% of cloud security failures through 2025 will be the customer’s fault.

Why such a disparity? For most organizations, there’s a lack of understanding of the shared-responsibility security model. A survey of 550 IT leaders by Barracuda Networks found that 64% of IT leaders believe that their public IaaS provider is the one responsible for the security of customer data contained within the cloud. This pervasive notion is false, and combined with a large and growing number of interconnected cloud solutions, most organizations are finding it incredibly difficult to properly shore up security.

In 2010, the global SaaS market amounted to $13.4 billion, and that market consisted of far fewer options. Fast forward to 2020, when data from CardConnect suggested there were some 15,529 SaaS companies around the globe worth upwards of $155 billion, and the problem begins to take shape. Cloud infrastructure is always in flux, and as newer, more capable solutions emerge, organizations will eliminate one subscription in favor of another.

The ease of adding or switching to a new SaaS solution is part of the cloud’s appeal, but it can also add quite a bit of complexity. A small firm with fewer than 50 employees will use an average of 25 to 50 SaaS solutions, according to BMC. Tools like Slack, Zoom, HubSpot, and Jira are just the tip of the iceberg. Increase the size of the organization to 250+ employees, and you can expect the number of SaaS applications to more than double. Add in SurveyMonkey, Asana, Adobe, and many more. And those 137 unique apps used in the average enterprise? They’re constantly changing. Research from Blissfully aimed at companies with 101 to 200 employees illustrates that 42% of an organization’s SaaS stack turns over every two years and that the average company has three orphaned subscriptions and four duplicates.

Each of these solutions will have its own security quirks to manage and varying types and quantities of data contained within them. Even individual pieces of software are altered and updated constantly, and this kind of continuous evolution demands continuous attention to security. If an organization doesn’t even realize that it has two subscriptions for the same app, you can hardly assume that both of them will have all the security configuration needs met. Ultimately, it’s these misconfigurations that pose the biggest threat, and data from Gartner demonstrates that they’ll represent 99% of cloud security shortcomings by 2023. Salesforce, for example, has created a solution with robust security measures characteristic of a Fortune 100 software giant, but that doesn’t mean the company can force your organization to use them.

Many of our clients consider Salesforce a SaaS company, but we put them more into the platform-as-a-service (PaaS) category. Salesforce is often a business’s first step toward cloud computing, but you can expect the huge number of capabilities included in the software to quickly extend across many different departments in your organization. Salesforce revenue was at $5.37 billion back in 2015, when the company had more than 150,000 customers. Today, revenue has reached $21.25 billion, which means Salesforce implementations are incredibly common, and they’re a great starting point to improve your overall platform security posture management (PSPM).

There are a few key steps you’ll want to take to shore up PSPM, which we’ve outlined below. These steps mention Salesforce specifically because that’s our primary area of expertise, but they can nonetheless apply to a broad range of different PaaS solutions. No matter what platform you rely on, it’s vital to strengthen your security strategy with the following five steps.

1. Audit your security needs
   
   Depending on the size of your organization and your unique needs, you might rely on SaaS, PaaS, and even infrastructure-as-a-service (IaaS) products to keep your business running smoothly. Each of these cloud environments will come with its own security requirements, and a complete PSPM strategy will incorporate all of them. Particularly when you’re using a tool like Salesforce that becomes more deeply embedded in your organization over time, you’ll want to regularly revisit and reassess your PSPM to ensure you’re taking into account new use cases and data requirements. Start by taking stock of your existing security posture and identifying what data you need to be protecting. If you don’t know something exists, it will be nearly impossible to secure it. It’s a twofold exercise: You have to know what data sits on a cloud platform and which platforms that data occupies. Knowing what data is being used and where compounds the risk and the effort to secure it, and that’s the fundamental work that has to be done before you can secure data.

2. Protect against internal breaches
   
   Even in a smaller organization where your colleagues feel like family, internal breaches are perhaps your greatest risk — and a disgruntled employee is far from the only threat. Employees lose their cloud-enabled devices, reuse the same password across multiple accounts, and generally create security risks that it’s your job to mitigate. One of the best ways you can protect your organization is by implementing the principle of least privilege access, which limits employee access to data that they need in order to perform their jobs (and nothing more). When employee privileges are limited, that lost or stolen laptop will pose a much smaller threat than it might if it included access to your company’s (or your customer’s) most sensitive data.

3. Identify key stakeholders
   
   At the most fundamental level, even before identifying security stakeholders and tapping responsible parties, organizations must accept who isn’t responsible for security — the cloud providers. Circulating information about the shared-responsibility model and educating your employees is the first step toward shoring up your PSPM, and only then should you begin to identify who will spearhead new security initiatives. Clearly defined responsibilities are crucial, so remove ambiguity and uncertainty whenever possible. Make sure security stakeholders understand that PSPM is about ongoing processes and continuous improvement and not a finish line where the work is complete. Establish a cloud center of excellence (COE) to ensure that the business looks at all its cloud solutions holistically, from lenses representing different departments of the business. A robust COE will also help protect the cloud security progress you make when employees retire or move on to new opportunities within the organization or outside it.

4. Look to regulators for guidance
   
   Members of the healthcare or financial industries will know all about the strict regulations that accompany legislation such as the European Union’s General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA). Don’t do business in Europe or interact with healthcare information? States in the U.S. including California and Maine have passed their own sweeping rules concerning data privacy, and at least 15 others are introducing bills that look to accomplish the same thing as broader legislation. Achieving regulatory compliance can be a long and difficult process, but these rules are established to protect businesses and consumers, and regulatory bodies will frequently offer valuable guidance. Look to these groups to help identify vulnerabilities in your security posture and follow established best practices to mitigate them.

5. Incorporate automation wherever possible
   
   Any mission-critical PaaS application will include a host of security settings governing everything from user privileges to data storage locations to guidelines about the frequency and timing of updates. Multiply all the possible settings with dozens or even upwards of 100 applications that constantly change, and it’s obvious that manual processes are an unsustainable way to manage security. An automated approach, on the other hand, can help ease the significant configuration burden while also ensuring consistency across a wide variety of applications throughout the organization. As an added benefit, when automated tools are themselves properly configured, it removes the potential for human error that could expose large amounts of vital organizational data.

Salesforce is unique in its flexibility, and the same trait that makes it a powerful tool can also increase security risks if you’re not mindful of how the solution is being used. In many organizations, Salesforce is a black box, which is why RevCult’s Cloud Security Cockpit® was designed to offer a single-pane-of-glass view into Salesforce security configurations, as you get visibility into your security posture along with the tooling that enables you to both find and fix security issues.

This kind of command center is vital to help your company implement security controls in hours instead of weeks. With rapid and accurate security configurations, you can prevent the interruption of crucial development cycles and make ongoing management and compliance reporting a breeze.

For more information about Cloud Security Cockpit® or to start a free trial, visit us at https://revcult.com/product/products-cloud-security-cockpit/.

Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.