Sr. Consultant and Security Practice Leader Larry LaBas shares some of the best practices he recommends to Taos clients in building and maintaining a robust security posture.

5: Company-as-a-Service: Building a Cohesive Security Strategy

The Taos Security Blog Series so far has defined the steps to create your security strategy and build the necessary processes and systems. The last piece is to integrate this strategy into your company’s culture with processes and automation that can be applied across the board in all departments. This includes Legal, HR, Research, Engineering: everyone becomes part of the security strategy, regardless of how closely they work with IT. In the security world, we call this Company-as-a-Service.

What is CaaS?

In its ideal state, a well-designed Company-as-a-Service system is one in which the majority of workflows, processes, and tasks in an organization have been automated, which closes security gaps and allows for rapid scaling.

Here’s a real-world example of how a CaaS system works: when filling a new position at a company, a manager starts the process by entering the role requirements in the system. This triggers a fully automated workflow that runs from approval through onboarding and provisioning to, eventually, offboarding.

For instance, if you need an intern, you start by entering the role and experience requirements in the company user portal for such requests. The request automatically flows to Management and Finance for approval. After approval, it goes to recruiting to find and vet candidates. Offer letters are generated automatically, and acceptance automatically triggers onboarding processes such as background checks and equipment provisioning based on the job profile. If company policy allows, account and access provisioning is started automatically so the new employee is ready to go on the start date. Termination triggers offboarding and deprovisioning, so accounts and access are closed at the same time as employment ends.

Basically, once the button is pushed, the automated workflow systems take care of the actions based on predefined and approved business application functions. This is CaaS.

Benefits of CaaS

It’s clear from the example above that CaaS enhances a company’s security posture by removing the human factor from the equation as much as possible. This eliminates common human errors, such as the wrong amount of access being granted to a system, which can either hobble productivity with too little access or expose sensitive data with too much. It closes the security gaps that open when people forget steps. The Colonial Pipeline ransomware attack in May 2021, for instance, began with a compromised password for a VPN account that was no longer in use but had never been disabled and was not protected by multi-factor authentication; automatic deprovisioning at termination, backed by a regular sweep for dormant accounts, removes that kind of gap. Automation also ensures every workflow functions as expected and is repeatable, which lets the company scale up or down. Because every action is tied to an approved request, the workflows are easy to audit: any account or access that cannot be traced back to a request is a deviation, whether it is a forgotten manual step or a bad actor creating their own account.
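As an added example (not code from this post or from Taos), here is what the provisioning and audit side of the intern workflow above looks like when reduced to its essentials in Python: a table of job profiles mapped to the entitlements each is approved for, and a reconciliation pass that compares a directory export against the HR/workflow records and flags exactly the deviations described above: enabled accounts with no approved request behind them, leavers who were never deprovisioned, and access above or below the job profile. The profile names, entitlement names, record schemas, and sample data are all constructed for the example and are not from any product or from the original post.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Job profiles mapped to the application entitlements each profile is approved
# for. Constructed for this example; profile and entitlement names are
# hypothetical, not from any product or from the original post.
ROLE_PROFILES = {
    "intern-engineering": frozenset({"email", "wiki", "git-read"}),
    "engineer": frozenset({"email", "wiki", "git-read", "git-write", "ci"}),
    "finance-analyst": frozenset({"email", "wiki", "erp"}),
}


@dataclass(frozen=True)
class HrRecord:
    """An approved hire as the workflow/HR system records it (hypothetical schema)."""
    user: str
    role: str
    start: date
    end: Optional[date] = None  # None: still employed; a date: termination effective that day


@dataclass(frozen=True)
class Account:
    """An account as exported from the directory or IdP (hypothetical schema)."""
    user: str
    enabled: bool
    entitlements: frozenset


def expected_entitlements(rec: HrRecord, today: date) -> frozenset:
    """Entitlements the approved workflow should have granted as of `today`:
    nothing before the start date, nothing on or after the termination date."""
    if today < rec.start or (rec.end is not None and today >= rec.end):
        return frozenset()
    return ROLE_PROFILES.get(rec.role, frozenset())


def audit(hr_records, accounts, today: date):
    """Reconcile directory accounts against the HR/workflow records.

    Returns sorted (user, finding, entitlements) tuples with these findings:
      no-hr-record       enabled account with no approved request behind it
                         (the self-created account case)
      not-deprovisioned  account still enabled on or after the termination date
      excess-access      entitlements beyond the role profile (too much access)
      missing-access     profile entitlements not granted (too little access)
    """
    by_user = {r.user: r for r in hr_records}
    findings = []
    for acct in accounts:
        rec = by_user.get(acct.user)
        if rec is None:
            if acct.enabled:
                findings.append((acct.user, "no-hr-record", acct.entitlements))
            continue
        if rec.end is not None and today >= rec.end:
            if acct.enabled:  # offboarding did not run, or did not finish
                findings.append((acct.user, "not-deprovisioned", acct.entitlements))
            continue  # nothing else to grade on a leaver
        expected = expected_entitlements(rec, today)
        effective = acct.entitlements if acct.enabled else frozenset()
        excess = effective - expected  # also catches pre-start-date access
        missing = expected - effective
        if excess:
            findings.append((acct.user, "excess-access", excess))
        if missing:
            findings.append((acct.user, "missing-access", missing))
    # Approved hires that were never provisioned at all.
    known = {a.user for a in accounts}
    for rec in hr_records:
        expected = expected_entitlements(rec, today)
        if rec.user not in known and expected:
            findings.append((rec.user, "missing-access", expected))
    return sorted(findings, key=lambda f: (f[0], f[1]))


# Constructed sample data standing in for an HR export and a directory export.
TODAY = date(2021, 9, 15)
SAMPLE_HR = [
    HrRecord("asha", "engineer", date(2021, 1, 4)),
    HrRecord("ben", "intern-engineering", date(2021, 6, 1), end=date(2021, 8, 31)),
    HrRecord("cara", "finance-analyst", date(2021, 3, 1)),
    HrRecord("dan", "engineer", date(2021, 9, 1)),
]
SAMPLE_ACCOUNTS = [
    Account("asha", True, frozenset({"email", "wiki", "git-read", "git-write", "ci"})),
    Account("ben", True, frozenset({"email", "wiki", "git-read", "git-write"})),
    Account("cara", True, frozenset({"email", "wiki"})),
    Account("dan", True, frozenset({"email", "wiki", "git-read", "git-write", "ci", "erp"})),
    Account("svc-backup2", True, frozenset({"git-write", "ci"})),  # nobody requested this one
]

if __name__ == "__main__":
    for user, finding, entitlements in audit(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:12} {finding:18} {sorted(entitlements)}")
```

Run on a schedule against real exports, the output of `audit` is the review list for each business unit's owner: an empty list is the expected steady state, `missing-access` and `excess-access` are help-desk corrections, and `not-deprovisioned` and `no-hr-record` are the findings to route into the security incident process.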

Building an Effective CaaS System

To build an effective CaaS system, first go through all the previous steps detailed in the Taos Security Blog Series. Shore up your security basics with things like 3-2-1 Backup and Process Monitoring, then move into the integration of security and business departments, the implementation of automation, and the creation of review cycles and secure cross-company collaboration. The sequence matters: each step supplies the accuracy, the continuous review cycle, and the cross-department ownership that the CaaS system depends on.

The final step to implement a CaaS system is to build into your company’s DNA that processes and automation drive the workflows of all departments. What this looks like in action differs for each organization and can get quite complex depending on how the company is structured, but there is a clear set of guidelines to follow.

  • Leadership sets the security strategy and business goals
  • IT and Security select and deploy the systems
  • IT and/or Engineering set up technical implementation components
  • Security sets the alerts on the systems, monitors them, and follows the internal security incident management process when investigating anomalies
  • Security and Legal manage alerts and data breaches, according to policy
  • Business Operations runs the CaaS system for the company, setting the review meeting cycles and ensuring compliance
  • Each business unit defines a leader and owns their own reviews of their sections of the CaaS system
  • The business defines a single leader of the CaaS system who owns delivery and has the authority to hold the implementation and operation teams accountable, often the VP of Business Operations or GM, depending on the company size and structure

Get the Right Expertise

Building the cohesive security strategy of Company-as-a-Service into your organization’s DNA can be a complex undertaking, but you don’t have to go it alone. Get a strong external partner like my team at Taos to help you assess, plan, design, and implement the processes and automation that will take your organization to the next level.

What’s next?

Watch for future posts by me and my Taos Security Practice colleagues covering more of our best practices and recommendations for developing a robust security posture. Remember that in the current threat environment it’s not a question of whether you will experience a cyberattack, but when.