How to Identify and Tackle SaaS Security Issues
The growth in demand for SaaS applications has exploded in the last few years and is forecast to continue rapidly. It’s also coincided with a mass movement of technology purchasing from central IT organizations to business units. In fact, according to the Snow Software 2022 IT Priorities Report, 86% of IT leaders report that business units are under significant stress because they’re unaware of all purchased cloud and SaaS. Though this level of self-sufficiency alleviates some of the burden on IT, it also creates an entirely new set of risks. IT must eventually face these challenges, especially when it comes to SaaS security. Whether they arise from misconfiguration, regulatory non-compliance or other issues, SaaS security threats are as plentiful as they are severe.
Most organizations have hundreds, if not thousands, of SaaS apps, many of which are unknown to IT. Each SaaS tool comes with many settings to control everything from data protection to encryption to admin privileges and beyond. With these numbers, it’s easy to see how the math — and your security — can get out of control very quickly.
Just one misconfiguration is enough to present an attack vector. The Cloud Security Alliance conducted a recent survey in which 43% of surveyed organizations have had one or more security incidents due to SaaS misconfiguration. Take, for example, this story of a global permissions misconfiguration. This incident exposed NASA and hundreds of Fortune 100 companies to data leaks.
Managing this challenge is difficult enough when a central IT organization handles it all. Think of the risk for business users who aren’t trained to routinely check configurations. Without visibility into what SaaS applications are in use, it’s impossible to properly configure all the software in the organization to protect sensitive data and IP.
SaaS apps purchased outside of IT often bypass your SSO platform, leading to weak passwords that present another attack vector for hackers. According to research from Digital Shadows, over 24 billion username and password combinations are in circulation in cybercriminal marketplaces. That’s a 65% increase from the previous report in 2020.
Vulnerable personal machines and software can pave the way for a security breach, which makes utilizing your SSO platform essential. Remember, though, that not all SaaS apps will integrate with the SSO platform you’ve chosen. Discovering what’s in use throughout the organization sooner rather than later can help you identify risky applications before they take hold and before switching to an alternative would be particularly disruptive.
Remote work, workforce mobility and the number of applications in use can make offboarding a challenge for any IT department. Add into the mix hundreds of SaaS apps outside the reach of IT and managing access can quickly become untenable.
When evaluating the security of your offboarding procedures, check if you have solid processes for removing a departing employee’s access to all applications and their corresponding data. Don’t forget to establish data removal processes for SaaS applications that the business unit or the employee directly purchased, too.
As demonstrated by this story from August 2021, a single disgruntled former employee with access to applications and data can harm a business. In general, business units are simply ill-equipped to manage a comprehensive offboarding process properly. The combination of these factors can leave your business vulnerable to a costly breach.
Governments around the world have various laws and regulations designed to protect the data of your employees and your customers. These laws vary by country (or even state) and by data type.
|GDPR||European Union||HIPAA||Health data|
When it comes to SaaS applications, complying with data privacy regulations is a shared responsibility, and failure to comply can result in hefty fines. These fines can climb to tens of millions of dollars in some cases. Therefore, it’s critical to know what SaaS applications are in use and to have the following questions answered from each vendor:
- Who has access to the data?
- What policies and procedures does the provider have in place for data handling?
- How does the provider ensure they comply with all laws and regulations around data protection?
- What happens to your data when your contract with the provider expires?
Armed with this information, you can begin to put in place the necessary processes and procedures to ensure compliance.
Visibility is the key
With so many potential pitfalls associated with SaaS applications, just hoping that there won’t be a security incident simply isn’t an option. That doesn’t mean that IT must prohibit business units from procuring the tools they need to be successful. It simply means IT needs visibility into which tools business units choose, who is using them and what data the tools will access.
There are many different methods for discovering SaaS within an organization. You can comb through accounts payable, leverage SSO and pull data via vendor APIs, just to name a few. Without focusing on the user, however, there will always be blind spots.
If you’re concerned about SaaS security or your ability to understand the extent of SaaS applications in your environment, review “Gartner® Predicts 2022: SaaS Dominates Software Contracting by 2026 — and So Do Risks.” In this report, Gartner examines four key strategic planning assumptions. They also outline how to plan, analyze, budget and manage risk as organizations increasingly adopt SaaS applications.
Additionally, we invite you to learn about the Snow approach to SaaS discovery and how it can give you the complete picture of both paid and free applications. With this view, you’ll have the information to properly evaluate your organization’s SaaS security and what measures you should take to mitigate risk.