Challenges with an enforcement-based approach
An enforcement-based approach to security begins with a security policy backed by security controls, often heavy-handed and designed to prevent employees from engaging in risky behaviour or inadvertently expanding the potential attack surface of an organization.
Most organizations exclusively use enforcement-based security controls, usually carried out at the network level with a Cloud Access Security Broker (CASB) or a Security Services Edge (SSE). CASBs secure data between on-premises and cloud architectures, validate authorization rules, and access controls against the company’s security policy. Some organizations also use CASBs to block SaaS applications, but like SSEs, CASBs only support some applications.
The applications these tools don’t support are often the riskiest because they don’t meet common industry and security standards, including SAML for authentication and SCIM for user management. At Cerby, these are called “unmanageable applications,” and according to their research, 61% of SaaS applications are unmanageable. Unmanageable applications are popular, and in a post-COVID world, the rate at which employees buy and deploy them has reached a new height.
Pre-COVID, IT departments were primarily responsible for purchasing and deploying organization-wide applications. The shift to remote work empowered employees across organizations to select their own tools. At the same time, rapid digitization gave them an ever widening selection of tools to choose from, causing a surge in unmanageable applications.
The average user doesn’t typically think about security first. Most people tend to assume applications are secure, and some might not care about security at all. Most users care about user-friendly features, design aesthetics, and convenience. To meet these changing requirements, application vendors altered their product roadmaps; for many of them, security was no longer a top priority.
images from Hacker News