
FAQ: SaaS Security Posture Management (SSPM)

Oct 27, 2022


SSPM solutions help companies gain visibility and secure SaaS apps. Learn how you can get the most value from an SSPM solution.

Young-Sae Song
CMO

What is SaaS Security Posture Management (SSPM)?

SaaS Security Posture Management (SSPM) is a category of products that continuously evaluate, measure, and help remediate risks in a SaaS application. SSPM has become important as companies continue to adopt SaaS and SaaS becomes a more common attack vector. When monitoring SaaS applications, these products identify risks such as misconfigurations, dormant user accounts, compliance risks, and privileges based on user profiles. SSPM products focus on specific SaaS applications such as Salesforce, Slack, or Office 365.

How do SSPM products work?

SSPM products can integrate directly with SaaS apps to assess and monitor the following:

·  User permission settings: SSPM products can identify users and detect dormant or unused accounts.  Additional telemetry such as authentication method, frequency, and role assessments can also be provided.

·  Configuration issues: SSPM products look for configuration issues that may expose sensitive data.  Configurations are constantly monitored to ensure that changes follow compliance policies.

·  Compliance: SSPM products evaluate a SaaS application’s security posture to help companies understand if any data security or privacy laws have been violated.  Automated compliance checks are done against industry standards, company policies, and best practices. 
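The three kinds of checks listed above, sketched as an added example that is not code from any SSPM product. The snapshot, field names, baseline policy and 90-day dormancy threshold are all constructed assumptions; a real integration would read these values from each app's own admin API.

```python
from datetime import datetime, timedelta, timezone

# Constructed snapshot of one SaaS app, as an SSPM might pull it over the app's
# admin API. Field names are hypothetical; every app exposes a different schema.
NOW = datetime(2022, 10, 27, tzinfo=timezone.utc)
USERS = [
    {"email": "ana@example.com", "role": "admin", "mfa": True, "last_login": "2022-10-25T09:00:00+00:00"},
    {"email": "bob@example.com", "role": "admin", "mfa": False, "last_login": "2022-10-20T12:00:00+00:00"},
    {"email": "cy@example.com", "role": "member", "mfa": True, "last_login": "2022-05-01T08:00:00+00:00"},
    {"email": "svc-old@example.com", "role": "member", "mfa": False, "last_login": None},
]
SETTINGS = {"public_link_sharing": True, "sso_enforced": False, "session_timeout_minutes": 720}

# Assumed company policy: each setting maps to a predicate it must satisfy.
BASELINE = {
    "public_link_sharing": lambda v: v is False,
    "sso_enforced": lambda v: v is True,
    "session_timeout_minutes": lambda v: isinstance(v, int) and v <= 480,
}
DORMANT_AFTER = timedelta(days=90)  # assumed threshold


def user_findings(users, now=NOW):
    """Flag dormant accounts and privileged accounts without MFA."""
    findings = []
    for u in users:
        last = u["last_login"]
        if last is None or now - datetime.fromisoformat(last) > DORMANT_AFTER:
            findings.append((u["email"], "dormant_account"))
        if u["role"] == "admin" and not u["mfa"]:
            findings.append((u["email"], "privileged_without_mfa"))
    return findings


def config_findings(settings, baseline=BASELINE):
    """Compare current settings with the baseline; a missing key is a finding too."""
    findings = []
    for key, is_compliant in baseline.items():
        if key not in settings:
            findings.append((key, "setting_not_exposed"))
        elif not is_compliant(settings[key]):
            findings.append((key, "violates_baseline"))
    return findings


if __name__ == "__main__":
    for subject, issue in user_findings(USERS) + config_findings(SETTINGS):
        print(f"{issue:24} {subject}")
```

The `setting_not_exposed` finding reflects the point that the depth of any check depends on what the app's API actually returns.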

Do SSPM products secure every SaaS app?

The short answer is no. Many SSPM product companies market themselves as providing complete control and visibility of all of a company's SaaS apps. However, there is a big caveat to this statement: SSPM products only work with the apps with which they have integrated. In addition, the level of integration depends on the APIs available from the SaaS app. Most SSPM products integrate with most primary enterprise apps such as Salesforce, Office 365, and Slack, which are used by most companies. But even small companies may use 100 or more apps, and SSPM products will likely not integrate with most of them.

Do I need an SSPM solution?

SSPM products are an important part of a SaaS security program. However, they are not sufficient to secure all of a company’s SaaS estate. Monitoring and reviewing SaaS app security can be done manually, but many apps have hundreds of configurations, with user accounts being created or closed constantly, making it impossible to do manually. Just as endpoint detection and response products help security teams monitor, investigate, and remediate threats targeted at endpoints, SSPM products serve a similar function for SaaS apps.

How do SSPM products discover SaaS apps?

SSPM products do not discover SaaS apps on their own. They can discover users, SaaS-to-SaaS apps, and device access. They cannot discover and provide security teams with a complete inventory of all the SaaS apps being used in a company. Because SSPM products rely on API integrations with SaaS apps, each integration needs to be turned on individually and authorized by the security team. Beyond the obvious core enterprise apps such as email, collaboration, or CRM apps, security teams will need to select and add additional apps to the SSPM product, assuming the SSPM vendor has completed the integration.

Do SSPM products provide access control for my users?

SSPM products can provide user and device access control for the apps with which they are integrated. If the SaaS app provides the appropriate APIs, the controls can be very granular and provide functions such as user discovery, user classification, guest status, privileged users, and user visibility (user information from internal systems and organization charts). Access control will not be equal across all apps, however: it depends on the types of APIs available from the app and whether the SSPM product has built the integration to those APIs. The challenge for companies is that they usually deal with hundreds of apps, and SSPM products cannot help security teams monitor or control access to those. These are often left to secure web gateway (SWG or proxy) products or cloud access security broker (CASB) products, which are incomplete and do not scale for the volume of SaaS that companies use today.

How can I get the most value from an SSPM solution?

The first step is to conduct a comprehensive inventory of all the SaaS apps being used in a company. The apps should then be prioritized from a risk perspective that factors in data such as number of users, type of data used, growth in users, and authentication method. Once this has been completed, SSPM solutions that support the highest number of apps can be selected, but this number will still be only a small fraction of the total number of SaaS apps used in the company.
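The inventory, prioritization and selection steps above, as an added example that is not from the original page. It goes one step beyond counting supported apps by weighting each candidate's coverage by risk; the inventory, vendor names, weights and scoring formula are constructed assumptions.

```python
import math

# Constructed inventory using the four factors named above. The weights and
# the scoring formula are illustrative assumptions, not a standard.
INVENTORY = [
    {"app": "crm", "users": 400, "data": "customer_pii", "growth_pct": 5, "auth": "sso"},
    {"app": "chat", "users": 900, "data": "internal", "growth_pct": 2, "auth": "sso"},
    {"app": "file-share-x", "users": 60, "data": "customer_pii", "growth_pct": 40, "auth": "password"},
    {"app": "ai-notes", "users": 25, "data": "internal", "growth_pct": 120, "auth": "password"},
    {"app": "design-tool", "users": 15, "data": "public", "growth_pct": 0, "auth": "social_login"},
]
DATA_WEIGHT = {"public": 1, "internal": 3, "customer_pii": 5}
AUTH_WEIGHT = {"sso": 1, "social_login": 2, "password": 3}

# Hypothetical SSPM candidates and the apps each one integrates with.
SSPM_INTEGRATIONS = {
    "vendor_a": {"crm", "chat", "design-tool"},
    "vendor_b": {"crm", "file-share-x"},
}


def risk_score(app):
    """Higher is riskier: reach x data sensitivity x auth weakness x growth."""
    reach = math.log10(app["users"] + 1)             # damp very large user counts
    growth = 1 + min(app["growth_pct"], 100) / 100   # cap the growth multiplier at 2x
    return reach * DATA_WEIGHT[app["data"]] * AUTH_WEIGHT[app["auth"]] * growth


def prioritize(inventory):
    """App names ordered from highest to lowest risk."""
    return [a["app"] for a in sorted(inventory, key=risk_score, reverse=True)]


def coverage(inventory, integrated):
    """Return (share of total risk covered, uncovered apps in priority order)."""
    total = sum(risk_score(a) for a in inventory)
    covered = sum(risk_score(a) for a in inventory if a["app"] in integrated)
    gaps = [name for name in prioritize(inventory) if name not in integrated]
    return covered / total, gaps


if __name__ == "__main__":
    print("priority:", prioritize(INVENTORY))
    for vendor, apps in SSPM_INTEGRATIONS.items():
        share, gaps = coverage(INVENTORY, apps)
        print(f"{vendor}: {len(apps)} apps, {share:.0%} of risk, uncovered: {gaps}")
```

In this constructed data the candidate with fewer integrations covers more of the risk, and both leave apps uncovered that need another control.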

Grip Security provides a SaaS Security Control Platform (SSCP) solution that helps companies discover, prioritize, secure, and orchestrate SaaS security across the enterprise.  The discovery method Grip uses can discover 5X more SaaS apps than other leading solutions on the market.  The Grip SSCP can also control access to the hundreds of SaaS apps that SSPM cannot, resulting in a more complete access control solution.  The SSCP solution can help companies realize the most value from an SSPM product and secure the apps that the SSPM product cannot secure.   

For a demonstration of the Grip SSCP or a free SaaS risk assessment, talk to a SaaS security expert today.
