Palo Alto Networks’ Journey to Securing Critical SaaS Apps

By Sam Chehab


Let’s look at a problem domain that has existed for a long time: Software-as-a-Service (SaaS) applications arrive in your environment from all directions because they are easy to deploy and adopt. SaaS apps typically face limited approvals while offering short time-to-value, and they carry misconfiguration and security risk whether they were procured through personal expense reports, freemium tiers, or the traditional enterprise procurement path. You typically only learn about these issues during a SOC incident, a red team exercise, or when an employee bumps into a network control (e.g., “I want my cloud Atlassian instance to talk to an on-premises server!”). In this blog post, I will discuss Palo Alto Networks’ journey to securing its SaaS posture and adopting one of our own emerging products.

What is SaaS Security Posture Management?

SaaS Security Posture Management (SSPM) is a cloud-based platform for identifying, remediating, and monitoring the security posture of an organization’s SaaS environments. It lets us continuously monitor our posture, identify vulnerabilities and misconfigurations, and take action to resolve risks.

For Palo Alto Networks, this meant initially leveraging our identity provider to build the inventory so we could understand our exposure. Because there are strong processes around application enrollment, we quickly arrived at roughly 500 SaaS applications and devised a plan to tackle the inventory by prioritizing application criticality.

How does SaaS Security Posture Management provide value?

  1. Consolidated view of health: There is no longer a question about whether MFA policies are enforced, or about the current security posture of the entire portfolio. Improving our security hygiene also surfaced features we did not know existed. For example, across a SaaS portfolio of this size we immediately identified that Slack’s passcode/Face ID lock was not turned on, which created a risk for our BYOD users, and we addressed it by enabling the feature.

  2. Eliminates configuration drift: Historically, the moment a setting was properly configured, a well-intentioned individual would revert the change because of an operational issue it caused. This security regression, made without the security team’s knowledge, had unintended consequences. Now that the setting is tool-enforced, the tool resets any change until InfoSec and IT are aligned.

  3. Incredible efficiency: For Palo Alto Networks, this means that instead of scaling the number of security engineers, we started working in machine time for assessment and, to a lesser degree, for remediation. We replaced application-testing notes, scripts, and more with a repeatable suite of configuration checks and opinionated remediation guidance that can be executed with one click. The net result is that a SaaS assessment that usually required 40 hours of effort now takes roughly seven hours (an 82.5% improvement). A full program assessment (500 applications x 40 hours of effort per application, about 20,000 hours) is therefore reduced to about 3,500 hours, or from 6.8 years to just over one year.

How to get started

  1. Find a way to identify your SaaS assets along with their application owners; you will need the owners to help your security team onboard the applications to the platform and to provide context on certain findings.

  2. Evaluate solutions with the following capabilities:

    a. Assess your application inventory, as it will influence breadth (number of applications covered) as well as depth (number of sophisticated settings validated). Both are important, but your SaaS portfolio puts them into context when tradeoffs inevitably present themselves. For example, a Google Workspace tenant administered by a third party may warrant fewer concerns than a self-managed Salesforce platform whose administration is a part-time activity of a developer.

    b. Auto-remediation: A security issue should be resolved with one click. The conventional approach of following 20 manual steps to address an issue means it will never get done.

    c. Enforce settings’ values: You need operational awareness to ensure there is no configuration drift. Think of it as configuration management for SaaS: desired state declared once and continuously re-applied, the way Ansible does for servers.

Conclusion

SaaS Security Posture Management provides value by improving visibility, reducing risk, and increasing auditing efficiency. Getting started with SSPM is straightforward: identify your requirements, assess solutions against focused outcomes, and align the business units and IT to drive remediation during implementation. By prioritizing security posture, organizations can better protect themselves from misconfigurations and overlooked security features within SaaS platforms.
