Enforcing Access Privileges for SaaS: Part 3 of Compliance Essentials in the SaaS Era

In the first part of our month-long series on compliance essentials, we looked at content scanning. And then in our second part, we looked at audit logs for compliance. Here in our third part, we discuss SaaS access control. Specifically, we talk about best practices around enforcing access privileges and how BetterCloud helps IT and SaaSOps teams.

Why care about SaaS access privileges

Controlling risk and staying in compliance means controlling which users access what resources.

But in reality, managing SaaS access privileges is harder said than done. There’s no easy way to track privileges across apps, and many of the less mature apps offer little in the way of granular access roles.

Depending on the job to be done, all too often, a user’s access levels must increase—and IT has no choice but to assign super admin privileges.

And then it begins. Privileges are never revoked after the job is done. Admins beget admins. Managers might invite others and make them admins too.

Before you know it, admin rights are handed out like candy, with no oversight. And the admin sprawl creeps and grows unseen—jeopardizing your organization’s security and compliance success.

So it’s time for a new way.

Setting and enforcing access privileges

SaaSOps professionals need to replace blanket policies for all users and documents with a comprehensive, granular view of users and the data and applications they access.

A granular security policy does two important things for your compliance program:

1. Allows you to make your compliance programs more effective. In compliance, there’s such a thing as “design effectiveness,” which exceeds that binary question of “Does this process comply: Yes or no?” Compliance design effectiveness measures how well your program meets compliance objectives. Granular policies and controls around access privileges—that are set according to roles, departments, or titles—allow your compliance program to improve how well it complies, thereby making it more effective.
2. Can allow you to meet requirements of higher levels of compliance certifications. For example, it might help you comply with Level 2 requirements, instead of just Level 1.

So let’s get started!

Define SaaS app access privileges

Before you can enforce your granular security policy, you need to set roles and permissions for access. You’ll need to do this for both users and super admins, too.

If you’re concerned about successful compliance, you’re very likely following the least privilege model. As a refresher, least privilege is a proven security design principle that is a standard part of any security policy and hence compliance program.

Enforce access privileges

1. Maintain all accounts with least privilege. Set all new SaaS app access privileges as low as possible. Grant higher-level permissions as needed for the job.

Remember that compliance requires a documented process, so an organization could take the following actions:

• Use your SaaS apps’ built-in access rules or admin privileges to keep permissions to those required to do the job. Separate standard accounts from admin accounts, and higher level system functions from lower ones, even if it means that super admins must perform tasks as a user in separate user accounts.
• Instruct end users to request access changes via a ticketing system or an app like Google Forms.
• Review app access requests from end users.
• Compare requests to what’s documented in your security policy.
• Reject or change access level requests accordingly. If privileges are to be raised, use expiring privileges and one-time-use credentials to keep access to only when needed. If privileges are to be revoked due to user departure, suspend it within three hours of the departure notification.

2. Track access changes. At a minimum, keep track of user IDs, one-time passwords, offboarded users, and dates of changes to make it easier to track changes and limit risk.

3. Do regular audits. Regularly monitor all user and super admin permissions in all SaaS apps to prevent unchecked access accumulation and the risks they present.

How BetterCloud helps

BetterCloud simplifies SaaS security compliance in how it sets up and manages access privileges. You start with setting up user roles, and granular permissions (e.g., create, edit, delete, view) can be added or elevated for any SaaS app using a centralized view of all users.

You can also easily automate access privileges. For instance, a BetterCloud workflow can automate the process of revoking super admin access from users when you exceed your set limit.

Here’s an example. Let’s say your security policy only allows a maximum of four super admins per app. If someone gives super admin access to a fifth person, the system alerts you.

When that alert occurs, it triggers a workflow that automatically cuts super admin access. Once the privileges are revoked, the primary IT admin is notified via Slack. This way, you always adhere to your security policy and stay in compliance.

The best part? BetterCloud reports and audit logs prove it. So with BetterCloud, it’s easy to enforce access privileges and audit logs with operational data prove that you follow your security policy—thus simplifying compliance with SaaS operations.