New hybrid work models are continuing to cause significant shifts both in where employees work and in how organizations procure technology. With the new year right around the corner, public cloud spending is booming and public cloud services will likely continue to grow with software as a service (SaaS) as the largest market segment.
With increased SaaS reliance comes new risk, and organizations are scrambling to address security and compliance threats for a more secure future of work.
According to the Snow 2022 IT Priorities Report, 69% of organizations surveyed increased their investment in SaaS applications over the past 12 months. 86% of IT leaders said most businesses are procuring far more cloud and SaaS than IT knows about, and that this is a distinct stressor, because the availability of, and access to, unknown applications create many risks.
Uncontrolled access is an open invitation to data security risks and possible compliance failures with regulations such as GDPR, HIPAA, PCI and others, not to mention costly application sprawl. Adding fuel to this fire is shadow SaaS: employees using and/or purchasing SaaS software outside of standard processes.
Risks of shadow SaaS
- Data security. Cybercriminals are quick to take advantage of the shift to the cloud and the common misunderstanding that cloud providers ensure security. The reality is that data security is a shared responsibility. It is the responsibility of the SaaS provider to have baseline controls in place to ensure their platform protects your organization’s data. It is IT’s responsibility to check that the SaaS provider in fact has good security policies in place. If IT is unaware of applications in use, then it is unable to vet the risk of these providers or how they interface with other organizational IT. End users also need to act responsibly by not using common passwords or uploading company/customer data to SaaS applications without prior approval. The problem is that some employees don’t know this, or they choose to disregard it.
- Compliance failure. Another risk is being out of compliance with data privacy regulations. There is a growing number of international and national regulations, and failure to comply can result in exorbitant fines. Take HIPAA, for example. Healthcare organizations must obtain a business associate agreement from providers who store, create, receive, maintain or transmit PHI. The business associate agreement provides assurances of how the provider will safeguard PHI data. To obtain this agreement, organizations must know about all applications employees are using that store, transmit, create or receive PHI. There are numerous examples of organizations being fined for not assessing provider risk by obtaining a business associate agreement.
- SaaS sprawl. In addition to data security and compliance risks, budget overruns must also be top of mind for IT and the C-suite. Cloud application sprawl is a common result of shadow SaaS. When individual users sign up for their own software, redundancies occur, and with individual-use licenses you might not be getting the best financial deal, or you may be out of compliance and run the risk of true-up charges. This has become a much bigger issue with fully remote and hybrid employees. In the same Snow Software survey, 70% of IT leaders told us their SaaS investment had increased in the last 12 months, and nearly half said controlling SaaS sprawl is their biggest challenge.
Three guardrails that reduce risk
Now, any end user with access to the internet can sign up for any SaaS application. To reduce risk without impacting productivity, you should consider implementing guardrails for your organization.
1. Make it easy for employees to get what they need.
Self-service is the name of the game, now more than ever before. Users are used to going to a central place like the App Store to get what they need for their phones. Provide a similar experience for employees to make it easy for them to search for what they need and request a subscription approved by your organization. By offering employees a place to get their applications, you are removing the risk of redundant software in your environment. Self-service app stores also provide a level of automation to manage licenses. When assigning a license, you can specify that if it goes unused, it will be automatically reclaimed.
2. Leverage technology to discover applications in use.
It’s impossible to determine whether all the application providers used by your organization have the right level of security controls in place if you don’t have visibility into all the technologies used across the organization. Browser extensions on the user device can help you assess all SaaS applications in use, by department and by potential risk. Remember that not all software requires a license, and using financial data for software inventory will not capture free application usage. If you are unable to obtain a discovery technology to uncover shadow SaaS, assess who has access to sensitive data (engineering teams, analytics, sales and marketing operations, finance) and talk to some of those users to find out what applications they are using. This information is often found in departmental onboarding documents.
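As an added illustration (not Snow's tooling or code from this article) of turning discovered usage into a risk view, the Python below reconciles constructed browser-extension style telemetry against an approved-app inventory, grouping by department and flagging unapproved apps and PHI-handling departments that use an app without a business associate agreement; the domains, departments and risk rubric are all assumptions.

```python
"""Shadow SaaS discovery: reconcile observed SaaS usage with the sanctioned inventory."""
from collections import defaultdict

# Constructed sample of what a browser-extension agent might report
# (user, department, SaaS domain). Hypothetical data, not real telemetry.
OBSERVED = [
    {"user": "alice", "dept": "finance",     "domain": "app.example-erp.example"},
    {"user": "bob",   "dept": "engineering", "domain": "notes.free-scratchpad.example"},
    {"user": "carol", "dept": "clinical",    "domain": "share.file-drop.example"},
    {"user": "dave",  "dept": "clinical",    "domain": "crm.example-crm.example"},
    {"user": "erin",  "dept": "sales",       "domain": "crm.example-crm.example"},
]

# Constructed inventory of approved apps. `baa` = business associate agreement
# on file (HIPAA); `licensed` = present in finance/procurement records.
APPROVED = {
    "app.example-erp.example": {"name": "Example ERP", "baa": True,  "licensed": True},
    "crm.example-crm.example": {"name": "Example CRM", "baa": False, "licensed": True},
}

# Departments that routinely handle regulated (PHI) data. Assumption.
PHI_DEPARTMENTS = {"clinical"}


def assess(observed, approved, phi_departments):
    """Return {domain: finding} for every app that needs follow-up.

    Constructed rubric:
      high   - unapproved app used by a PHI-handling department, or an approved
               app used by such a department with no BAA on file
      medium - unapproved app elsewhere (often free, so invisible to financial data)
    """
    usage = defaultdict(lambda: {"users": set(), "depts": set()})
    for rec in observed:
        usage[rec["domain"]]["users"].add(rec["user"])
        usage[rec["domain"]]["depts"].add(rec["dept"])

    findings = {}
    for domain, u in usage.items():
        touches_phi = bool(u["depts"] & phi_departments)
        app = approved.get(domain)
        base = {"depts": sorted(u["depts"]), "users": len(u["users"])}
        if app is None:
            findings[domain] = dict(base, risk="high" if touches_phi else "medium",
                                    reason="not in approved inventory (shadow SaaS)")
        elif touches_phi and not app["baa"]:
            findings[domain] = dict(base, risk="high",
                                    reason="PHI department uses app without BAA")
    return findings
```

Approved apps whose paperwork is in order produce no finding, so the output is only the list IT needs to act on.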
3. Educate and collaborate.
Once you know what applications employees are using, you can take a targeted approach to having conversations about why going outside of policy to use free or licensed applications is risky for the business. In having these conversations, you will also learn about the department’s or user’s application requirements and will be better equipped to partner with them on identifying a safe solution that helps them be productive.
SaaS use is powering an entirely new style of work, but a failure to proactively govern its use will spin up many new challenges. In response, IT teams need to shift how they work to maximize growing SaaS use while reducing the risks that shadow SaaS brings.
Learn more about discovering SaaS application usage in your organization and see how Snow can help.