A New and Critical Layer to Protect Data: SaaS Supply Chain Security

Today, Zscaler added another layer of security to protect customer data with the acquisition of Canonic Security, an innovative startup focusing on a critical new technology space: SaaS Supply Chain Security.

There’s a major gap in your data security strategy

Most organizations have thousands of potential backdoors as employees interconnect third-party applications and browser extensions. It’s no wonder companies are seeing an increase in data loss activity caused by employees. To increase their productivity, employees are unwittingly opening backdoors in SaaS platforms such as Microsoft 365, Google Workspace, Slack, and Salesforce, creating potential risk of data loss and cyberthreats. According to the ThreatLabz Data Protection 2022 Report, 94% of threats reside in these cloud platforms with direct access to sensitive data.

For example, the seemingly benign applications that are utilized daily, such as calendar apps, these calendar apps integrate with Google Calendar used by sales to book external meetings. Other examples are helpful storage apps that integrate with messenger used by marketing to conveniently access and share content or email widgets integrated with browsers to help send and track customer emails.

Some of these applications, like MailChimp and Box plugins, are business-critical and are a part of the SaaS supply chain. Some apps and widgets may not be approved by IT. Regardless, the problem is a lack of visibility into what applications employees are provided access to. Every application that is authorized into your secured SaaS supply chain environment is a potential threat to your organization. For example:

• A third-party calendar app will have direct access to your employees’ meeting content and attachments that may contain sensitive M&A information, financial data, product roadmaps, or sensitive customer information. 
• Applications may have configuration privileges allowing for software injection such as ransomware or credential theft. 
• An application may have been compromised, therefore creating a backdoor for bad actors introducing a myriad of new threat risks. 

SaaS supply chain attacks and vulnerabilities have been overlooked by most organizations. Here is a quick litmus test to assess whether your organization has the proper security measures to counter these threats.

• How many third-party integrations and plugins have your employees enabled?
• What level of privilege do these applications have in your environment? 
• Can you maintain regulatory compliance in your SaaS supply chain? Do these applications have access to your sensitive data? Do they make copies or store your sensitive data?

If you can't answer these questions with certainty, then your organization is at risk—at risk for data breaches and compromising your organization’s ability to protect sensitive data such as intellectual property, personal identifiable information, healthcare information, business, and financial data.

The good news is that protecting against SaaS supply chain attacks is achievable. However, like any security measure, it requires a layered approach. Organizations that have adopted a Secure Service Edge (SSE) or zero trust platform approach are well on their way. 

Preventing threats from SaaS supply chain attacks is only possible with an integrated data protection architecture that provides protection to sensitive data and malware, with integrated SaaS application security and user behavior monitoring. The importance of a layered and integrated approach allows for true analytics and adaptive policy controls that can only be accomplished with strong analytics, AI, and machine learning technology analyzing your environment in real time.

Take, for example, the Zscaler platform approach to protect organizations against sensitive data loss with the addition of an integrated SaaS supply chain security layer.

For organizations to holistically protect their sensitive assets in SaaS platforms, different steps are required:

Securing sensitive data inline in real-time:

Zscaler provides real-time inline inspection for all cloud traffic providing full visibility and policy control for sensitive data going out and blocking against malicious activity and threats with inline traffic monitoring. All ingress and egress traffic is inspected, auto-classified, and inspected for sensitive data and risk with adaptive policies implemented utilizing advanced AI/ML. Zscaler inspects billions of artifacts daily, protecting financial industries, large healthcare providers, governments, and more. These organizations depend on Zscaler daily to protect against sensitive data leaving their organizations. 

Read more: Zscaler's cloud-delivered enterprise data loss security solutions

Securing collaboration with OOB CASB:

When users are sharing sensitive assets with external links and external collaborators, IT needs to have proper visibility and enforce appropriate policies to ensure organizations’ sensitive data is not exposed. This is where Zscaler has API integrations with out-of-band Cloud Access Security Broker (CASB). Zscaler CASB is integrated directly within SaaS platforms monitoring user behavior, inspecting files for sensitive data being created and shared between SaaS applications, preventing malware and blocking potential malicious user activity. 

Protecting against misconfigurations with SaaS Security Posture Management (SSPM):

Furthermore, organizations can maintain SaaS configuration policies and protect against misconfigurations through posture management. This helps organizations to protect against human error that happens during routine configuration changes and to ensure new applications maintain consistent policies. For example, ensuring an admin doesn’t accidentally turn off multi-factor authentication or allow link sharing outside the organization. SaaS Security Posture Management automatically resets misconfigurations to adhere to company policies. 

Read more: the Zscaler CASB and SSPM solution

Integrating SaaS supply chain security:

Zscaler new supply chain security capabilities will be integrated into its data protection services, strengthening its CASB and SSPM solutions by enabling companies to consolidate point products, increasing security posture, and preventing malicious applications from injecting malicious software or exfiltrating sensitive data with the following functionality:

• Discover and Assess M Party Apps and Extensions: Gain full visibility over first, second-, and third-party apps and API integrations across the enterprise business application estate. Uncover rogue and vulnerable apps and assess each integration posture, behavior, and the risk involved with its API access and browser extensions.
• Reduce Attack Surface: Quarantine suspicious apps, reduce excessive and inappropriate privileges, revoke, and block access if necessary.
• Enforce Access Governance: Enable app integrations by automating app-vetting and app access recertification processes.

Learn more about Canonic Security and SaaS supply chain security here.

SaaS security inherently requires an integrated platform approach:

A layered approach is crucial to protecting the SaaS supply chain. Standalone DLP, CASB, and SSPM tools require a massive amount of resources to configure, maintain and manage, which can be costly and take in months to implement inrun putting organizations at risk. Concurrently, the lack of automated workflows prevents security teams from managing critical risks leading to elongated mitigation timelines and unresolved incidents. To make matters worse, the reliance on separate point products causes increased risk, reduced visibility, and inconsistent policies. SaaS platforms today host companies' crown jewels and most sensitive data which are fully distributed in the cloud. Organizations need to consider a fully integrated platform that addresses data security at all times for all channels.