Rapid adoption of software as a service (SaaS) has amplified visibility challenges for security and IT teams, and SaaS usage introduces new challenges at an amplified magnitude.
According to a recent survey by Axonius, while 66% of organizations are spending more on SaaS apps than IaaS than ever before, 60% of respondents ranked SaaS security fourth or lower on their list of current security priorities.
SaaS data sprawl is the result of the decentralized distribution of information in different applications, making it difficult for IT and security teams to determine where all the data resides, where sensitive or personally identifiable information (PII) is being processed, and who has access to the data.
In addition, when there are SaaS applications the business is not aware of (i.e. shadow SaaS), it is impossible to protect them, and they therefore become the greatest point of vulnerability, which hackers most often target in their attacks.
“Think of an employee who is more comfortable using Google Drive even though their organization officially uses Box,” says Amir Ofek, CEO of AxoniusX, a business unit within Axonius. “They will likely use Google Drive anyway and fail to inform IT, and they could potentially upload confidential or sensitive information to it.”
He explains even though Google Drive is secure, if they leave their organization, that data would remain in Google Drive forever, and it would become much harder to track down and recover.
Consider another example: Salesforce offers a limitless number of supported integrations. Many teams integrate Salesforce with email tools, marketing tools, chat, and collaboration tools, and more.
This means customer data stored in Salesforce can be easily transferred to any other application -- making it hard to keep track of every place the data lives. “The implication is that you're putting customer data at risk,” Ofek says. “In a time when compliance mandates like GDPR means more scrutiny on protecting customer data, unmanaged SaaS sprawl is a risky undertaking.”
SaaS Security Requires a Comprehensive Approach
Charlie Winckless, senior director analyst on Gartner's infrastructure protection team, says that SaaS sprawl poses a security challenge simply because organizations don't have the visibility into what's happening.
“If someone chooses to adopt a SaaS application, then maybe IT security never had a look at that SaaS application, never made a choice as to whether that application is secure or not, never looked at the controls around it, and never made a decision as to whether it is suitable for what data is being put into it,” he explains.
He points out people who are not security conscious are making decisions based on convenience and accessibility, and those two rarely go hand in hand with security.
“Security is almost rarely a technology issue, though there are technology solutions to consult that could help,” Winckless explains. “Making SaaS part of your cloud center of excellence means approving SaaS applications for common business use cases.”
He advises organizations to have simple and standard questionnaires that can be used to determine what sort of data is going to be in the app and how many users are going into it. “That way you can prioritize and build the right amount of risk and the right amount of work into each area,” he says.
On top of that, businesses must begin to add the tooling that gives them the ability that is classically the domain of cloud access security brokers (CASBs). “Now I can see what SaaS applications my user population is adopting, and the good CASBs have flexible and dynamic risk matrices and risk scores so I can start to see how risky the SaaS app is,” Winckless says.
Remote, Hybrid Workforces Add to SaaS Sprawl
Corey O’Connor, director of products at DoControl, a provider of automated SaaS security, notes that remote and hybrid working models made a significant impact on both SaaS utilization and sprawl.
“When they started to gain traction, CIOs responded by allowing the business to use whatever tools necessary to enable the business,” he explains. “This challenged CISOs as well as IT and security teams given the surge in SaaS adoption and utilization.”
This created security gaps that needed to be addressed as organizations began to navigate the “new normal” for working environments.
“With the workforce now more in a decentralized nature, there's a critical need to centralize security throughout all the disparate SaaS applications meant to drive business enablement,” O'Connor says.
Ofek agrees, noting as more organizations adopt hybrid work models, security and IT teams will need to devise new processes, policies, and controls around SaaS applications to allow for secure but easy access--and it starts with visibility.
“They will need solutions that can help develop a single source of truth, including a complete inventory of apps -- both authorized and shadow SaaS -- a full list of settings and configurations for each app, and the employee and privilege level tied to every license,” he says.
O'Connor says he thinks there will likely continue to be a positive trend of SaaS application growth and adoption given the positive outcomes they promise to provide.
“Security needs to be at the forefront,” he advises. “Otherwise, the end result becomes technical debt that will ultimately slow down the business, which ironically is the antithesis of what SaaS applications were designed to do.”
SaaS Security Involves Stakeholders Across the Enterprise
Ofek adds that when assessing risk for an organization it's important to incorporate all potentially risky elements of the organization.
“In today’s world, that is increasingly meaning SaaS applications,” he says. “Specifically, risk officers, FinOps teams, and third-party risk managers should consult with security teams about appropriate – and high security-risk – SaaS management, usage behavior and security best practices.”
Most importantly, and as with most technology-related initiatives, SaaS security must start from the top.
Ofek points out the Axonius survey found nearly a quarter (23%) of respondents reported that they weren’t focusing on SaaS because of pressure from the C-suite to focus on other issues.
“Leaders at the top, the individuals leading the business and making important decisions, need to be sure to communicate how important SaaS security is to the future of their organization not only to the IT and security teams, but to all employees,” he says.