3 Steps to Secure SaaS Apps in the GenAI Age

29 May 3 Steps to Secure SaaS Apps in the GenAI Age

Here’s how security teams can ensure the safe usage of GenAI.

– Hananel Livneh, Head of Product Marketing, Adaptive Shield

Tel Aviv, Israel – May 29, 2024

Generative AI applications are today’s go-to tool to boost enterprise productivity. Here to stay, the GenAI revolution is sweeping the SaaS industry as providers rush to infuse SaaS apps with premium GenAI tools.

Gartner Inc.’s new survey reports that GenAI is now the No. 1 type of AI solution deployed in organizations.

The benefits of GenAI technology are vast, making it far easier and faster for enterprise teams to create company assets in the content-demanding digital world.

This advancement does not come without new risks, however. In fact, cloud-based GenAI functionalities are expanding the cyberattack surface. New exposure includes risk of leakage of IP, sensitive data, confidential customer data, and threats from deep fakes by cybercriminals using stolen information for phishing scams or identity theft.

GenAI works on data clouds, using content introduced into the system as training data, or by retrieving data from a private data lake to generate relevant and contextual materials. In apps like Microsoft Copilot, for example, there is potential for data leakage if corporate data is not properly locked down.

For cybersecurity teams securing SaaS applications, GenAI is therefore creating much more work.

Learn how to kickstart SaaS security for the GenAI age

The good news is that there are ways to reduce the risks and use GenAI safely. Here are three steps for security teams to ensure the safe usage of GenAI in an organization.

1. Discover GenAI apps adopted by users

When ChatGPT was released a year and a half ago, its impact was instantaneous. Like all technological revolutions, its rapid adoption caused an abrupt change. Its power caught most by surprise; CISOs and security teams were not prepared for this new risk and are now playing catch-up.

According to a recent Salesforce survey, more than half of GenAI adopters use unapproved tools at work.  The research found that a lack of clearly defined policies in the use of GenAI may be putting businesses at risk.

Security teams need to be able to see which SaaS apps with GenAI tools are in use in the organization and who is using them. Discovery of third-party connected shadow apps can also identify apps using GenAI, including those that could be malicious.

2. Assess risk of GenAI apps

Organizations are embracing GenAI across departments, including software development, HR, marketing, sales, and legal. Popular apps include ChatGPT, Google Gemini, GitHub Copilot, Salesforce Einstein Copilot, and Microsoft 365 Copilot.

A recent PWC report found that more than half of the companies surveyed (54 percent) have implemented GenAI in some areas of their business.  However, not all apps carry the same risks. Some are more problematic, such as Microsoft 365 Copilot whose usage was banned by the U.S. Congress due to concern for possible leakage of sensitive data.

To manage the stack of GenAI apps for risk exposure, security teams should determine the security posture of each app in regard to GenAI. Those with heightened risk levels can be pinpointed for closer control and monitoring as security teams prioritize their efforts. For third-party apps, it’s also important to monitor permission scopes.

3. Manage GenAI configurations in SaaS applications

SaaS providers have reshaped the workforce with cloud-based applications, empowering teams with the ability to easily collaborate, work remotely, and improve productivity. The apps are built with extensive security features to ensure safe use of the cloud-based software. But responsibility for properly setting the configurations, according to the needs of the user falls on the organization. Now, with the arrival of GenAI, automated misconfiguration management is shaping up to be a critical security necessity.

Controlling GenAI-related security settings within SaaS applications can help prevent data leakage or exposure. Configuration management also enables security teams to identify excessive user access and which users possess permissions to manage GenAI features. After getting a full view of the app, security teams can scrutinize permissions and access. Monitoring configurations also enables teams to keep track and stay ahead of configuration drifts if settings change and confidential data becomes exposed.

Getting on top of the emerging GenAI risks

AI potentially accesses sensitive data in a more sophisticated and comprehensive manner than traditional methods. The ability of AI to analyze and correlate information from multiple sources can lead to more extensive data exposure.

Governance to maintain data silos and control company resource sharing ensures the proper access and use of sensitive and proprietary data to avoid data leakage.

The U.S. government recently ordered all its agencies to appoint chief AI officers (CAIOs) to lead AI governance and innovation while managing AI risks.

With the rapid adoption of GenAI creating new risk, it’s important to set company policies. However, a key foundation of SaaS is the democratization of security that splits the ownership of SaaS security between security teams and app owners.

In light of this shared ownership, security teams must therefore acquire the right capabilities to get visibility into GenAI risks, such as those enabled by SaaS Security Posture Management (SSPM), so they can closely monitor and control the use of GenAI. In this way, security teams can also educate app owners and teams on potential cyber threats and data leakage risks and lead an organization to harness the power of GenAI.

Learn how to improve your SaaS security posture and mitigate GenAI risk

Hananel Livneh is Head of Product Marketing at Adaptive Shield. He joined Adaptive Shield from Vdoo, an embedded cybersecurity company, where he was a Senior Product Analyst. Hananel completed an MBA with honors from the OUI, and has a BA from Hebrew University in Economics, Political Science and Philosophy (PPE). Oh, and he loves mountain climbing.

---