SaaS API Security and Management – Impact of Cloud Access Security Brokers (CASB)

[This is a mildly technical post, intended for product audiences]

So your firm launched an app for tracking stock market data in different countries, and it has received a lot of traction (downloads, usage and other metrics). After a while, the app has done really well, and now your business is expanding to cover more and more use cases. This is also important for monetizing your app.

However, a key use case identified by the Product Manager (PM) is transferring data to and from business partners using SaaS APIs. It could be for sharing reports, financial information, security information or other data. And it so happens that the partner's data center resides in the cloud in another country, geography or region, with its own rules for data access.

Well, the personas, features and access rules you created for your own tightly controlled app may no longer be enough. You will need to understand the rules of access, and the scope of data sharing that is possible and permitted. Based on that, several additional features may be required to manage your partner's access to data.

Let's continue with the example of the stock market app. Here are 3 use cases:
1. Your partner collects user information in order to share data specific to the stocks each user tracks
2. Your employees need to access the user's bank balance details to share top recommendations for investment
3. Your partner needs to aggregate your user data with the users of similar apps to improve its own performance

In many such cases, the role of CASBs (Cloud Access Security Brokers) is gaining prominence. One key function they perform is to manage secure access to such data, based on policies, roles, rules and other heuristics.
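To make "policies, roles, rules" concrete, here is an added example (not from the original post, and not any CASB vendor's product logic) of a small deny-by-default access check that encodes the three use cases above: each request names a persona, a data category and the destination region, and is allowed only if the rule table's conditions hold and the category may leave to that region. The persona names, condition names and region lists are constructed assumptions.

```python
from dataclasses import dataclass

# Data categories taken from the three use cases in the post.
TRACKED_STOCKS = "tracked_stocks"     # list of stocks a user follows
BANK_BALANCE = "bank_balance"         # user's bank balance details
AGGREGATE = "aggregate_user_data"     # de-identified statistics across users

# Rule table (constructed): (persona, category) -> conditions that must all hold.
# A pair with no entry is denied by default.
POLICY = {
    ("partner", TRACKED_STOCKS): frozenset({"dpa_signed", "user_consent"}),
    ("partner", AGGREGATE):      frozenset({"dpa_signed", "anonymised"}),
    ("employee", BANK_BALANCE):  frozenset({"advisor_role", "user_consent"}),
}

# Regions each category may be sent to (constructed). The home region is "eu";
# bank balances never leave it, regardless of who asks.
REGION_RULES = {
    TRACKED_STOCKS: frozenset({"eu", "us"}),
    BANK_BALANCE:   frozenset({"eu"}),
    AGGREGATE:      frozenset({"eu", "us", "apac"}),
}

@dataclass(frozen=True)
class Request:
    persona: str                    # partner, employee, admin, ...
    category: str                   # one of the data categories above
    dest_region: str                # where the requesting party's data centre lives
    facts: frozenset = frozenset()  # conditions known to hold for this request

def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    required = POLICY.get((req.persona, req.category))
    if required is None:
        return False, f"no policy permits {req.persona} to read {req.category}"
    missing = required - req.facts
    if missing:
        return False, "missing condition(s): " + ", ".join(sorted(missing))
    if req.dest_region not in REGION_RULES[req.category]:
        return False, f"{req.category} may not be transferred to region {req.dest_region}"
    return True, "allowed"

def use_case_decisions() -> dict[str, tuple[bool, str]]:
    """The post's three use cases, with constructed facts about each request."""
    return {
        "partner_tracked_stocks": evaluate(Request("partner", TRACKED_STOCKS, "us", frozenset({"dpa_signed", "user_consent"}))),
        "employee_bank_balance_abroad": evaluate(Request("employee", BANK_BALANCE, "us", frozenset({"advisor_role", "user_consent"}))),
        "partner_aggregate_raw": evaluate(Request("partner", AGGREGATE, "apac", frozenset({"dpa_signed"}))),
    }
```

The second case is denied by the region rule even though the employee holds the right role, and the third is denied because the partner asked for raw rather than anonymised data; both denials carry a reason that a testing team can check against the Data Processor Agreement.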

Now even if a PM is a functional or domain expert, she still needs to understand privacy, security and access management to define the best use cases within her app. Otherwise, such use cases will be termed "technical" and the architect will define them. [I do not recommend this approach, as the PM should be the best judge of use case quality, usability and app metrics.] In large firms you will have PMs looking at security and privacy; however, they have their own priorities in the organization.

Here are some guidelines for data transfer across domains, clouds, companies or countries:
  1. Read what the CASBs are writing about their products. Netskope has its website and so does Oracle. This gives insights into what is possible in terms of new features.
  2. Have a Data Processor Agreement in place with all partners. Either the legal or the business development team should take point for this, although empowered PMs or Directors can also lead this effort.
  3. Talk to your platform teams, including PMs and architects, to understand what is currently possible and what new features are on their roadmap.
  4. Create partner personas, cloud personas and other relevant user types (including employees and admins). When adding features that use SaaS APIs, these personas give the testing team a lot of information to ensure compliance with business laws and requirements.
Enterprises never develop apps in a vacuum; there is always an existing IT infrastructure and set of applications (which may be in public, private or hybrid clouds). By understanding SaaS data transfer and CASBs, you can improve your apps, whilst making them more secure and usable.

[Reach out to me on LinkedIn if you would like to discuss more]