Intelligent CIO North America Issue 22 - Page 45

CIO OPINION monitored ; review of the tenant environment , whereby the software and its supporting infrastructure is dedicated to a single or multiple customers ; along with granular settings such as IP-based sessions and cookie lifespan . practices ; confirming that they are long and complex enough and are not being reused across accounts . It also means losing visibility into user behavior to detect anomalies that suggest account compromise , or if data is being exfiltrated from one of the SaaS products .
More importantly , however , is the implementation of SAML ( Security Assertion Markup Language ) capabilities often leveraged to execute Single Sign-on ( SSO ) authentication . If anything should be prioritized , it is this .
Through SSO alone , businesses can substantially reduce risk because you only have to rely on this one provider to grant IP-based controls , strong multifactor authentication ( MFA ) and a lot of the logging required . Moreover , it encompasses a multitude of applications that may not have such controls natively built into their own service .
The importance of implementing a modern security policy
Whatever the case , either your third-party providers must maintain assurances that this security baseline is being met or you need to take matters into your own hands . Failing to do so , or making exceptions , essentially means relinquishing control of one ’ s security posture ; thus , opening the company up to significant risk .
Although this may seem rudimentary , in my experience , even the largest , most equipped enterprises fail to conduct the necessary checks .
In addition to being the CIO of KnowBe4 , I work extensively with security pentesting companies as a contractor , testing hundreds of companies including those within the Fortune 500 .
My job is to identify weaknesses and infiltrate the organization ’ s network or services without being discovered . Frequently , we will find a gap because the company in question has not verified that security controls are in place on at least one of the many SaaS tools in use .
This allows the team and I to gain access and add our own MFA . In other words , we no longer need to social engineer a user or have them log in to the system . Instead , we create our own backdoor . Due to the lack of visibility , we can generally do so undetected as no one would pick up on the use of a new IP address .
A case for exceptions ?
For instance , without SSO enabled , one loses the ability to reinforce compliance with password best
That ’ s not to say that there are no plausible exceptions . Not all software providers are going to meet all of
www . intelligentcio . com INTELLIGENTCIO NORTH AMERICA 45