SSPM vs. idP
Security managers typically conduct regular reviews of their solutions and assess whether they need to maintain, enhance, or replace what they currently use. As Software-as-a-Service (SaaS) applications become more prevalent and critical, concerns about SaaS security have grown increasingly urgent. In response, enterprises are considering the adoption of SaaS Security Posture Management (SSPM) tools to mitigate SaaS risk.
In some cases, however, the security team will reject the idea of SSPM because they are already using an identity provider, or idP. Their perspective seems to be, “We don’t need SSPM. We’re good. We have idP.” While understandable, this view is not correct. SSPM and idP are not the same. And, idP alone cannot provide the depth of SaaS security that today’s enterprises need.
A brief overview of SaaS security
SaaS applications have a distinctive risk profile. They’re comparable to but different from other kinds of digital assets. A SaaS app typically contains sensitive or valuable corporate data, but it can be accessed from virtually anywhere on any kind of device. Controls over user access are therefore critical to maintain strong security. Third-party plugins represent a potential threat vector, as well. In addition, each SaaS app—and the average company now uses dozens if not hundreds of them—has its own security settings and unique configuration. The volume and variety of SaaS apps, and their respective configurations create a broad attack surface.
What is an idP?
An idP stores users’ digital identities and enables their management. Sometimes implemented as a commercial solution, sometimes built using open-source components, an idP typically checks user identities using a combination of username/password pairs and other factors, such as a PIN code or device characteristic. An idP may be part of a single sign-on (SSO) solution. It may also be a component of a broader identity and access management (IAM) solution. idPs often work together with multi-factor authentication (MFA) solutions, as well.
idPs verify user identities, a foundational cybersecurity control. Knowing who is who, and confidently authenticating their identities, are essential steps to the effective realization of many other controls. For example, it is impossible to enforce access privileges without being certain of a user’s actual identity. idPs perform this task.
For an idP, a “user” does not necessarily have to be a human being. It could be a device or another software application. The OAuth token, for example, a common ingredient in idPs, authenticates machine users in app-to-app interactions. This capability is relevant to SaaS security because a SaaS app may treat a third-party plugin running in another app as a user.
What is SSPM?
Posture, the “P” in SSPM, refers to the quality of an organization’s preparation to defend its digital assets from cyber threats. This usually means being able to detect threats and respond to them thoroughly and efficiently. Going further, security posture relates to how well an organization is guarding its networks and protecting itself against malware, ransomware, denial of service (DoS) attacks, data breaches and so on.
SSPM brings security posture principles to SaaS. SSPM combines tools, people, processes, and policies to reduce SaaS apps’ inherent cyber risks. For instance, SSPM is aimed at preventing a breach of data stored inside a SaaS app. To accomplish this goal, SSPM tools monitor and remediate insecure SaaS configurations. They detect threats to SaaS apps, while also monitoring third-party integrations and bolstering regulatory compliance, where relevant.
Tracking security issues related to SaaS app users is part of SSPM. For this reason, SSPM solutions generally integrate with IAM solutions. They can monitor user access attempts and behavior to detect activity that might indicate the presence of a threat.
Do you need both an idP and an SSPM solution?
To some extent, the identity functionality of an SSPM solution overlaps with that of an idP. However, the SSPM solution does not have the depth of identity management and security features present in the idP. For example, an SSPM tool cannot enable SSO.
Does this mean you need both an idP and an SSPM solution? You probably do, especially if you want to enforce strict identity authentication policies as part of your SaaS security. An idP on its own does offer some powerful identity management and security capabilities, assuming it’s correctly implemented and managed. However, the idea that “you’re good” for SaaS security if you have an idP, but not an SSPM, is worth rethinking.
An idP cannot analyze SaaS configurations and security settings. It cannot examine third-party plugins, except perhaps to the extent that the plugin is treated as a user. It cannot remediate vulnerabilities. These are what an SSPM solution does. For optimal SaaS security posture, you probably need both.
Conclusion
Keeping control over user identities is essential for SaaS security. That said, an idP is not enough to deliver robust SaaS security posture on its own. An SSPM solution complements the idP, adding automated monitoring, analysis, and remediation of security weaknesses in SaaS configurations, settings, and third-party integrations. Together, idP and SSPM can provide the high level of SaaS security posture that most organizations need to stay secure in today’s threatening cyber environment.
Co-Founder & COO