Software-as-a-service (SaaS) continues to become the business norm for an increasing number of use cases. As a result, a host of risks have emerged. Guy Guzner, co-founder and CEO of Savvy Security, considers the threat — and what it means for the visibility and control companies need.
Editor’s note: The author of this article, Guy Guzner, is co-founder and CEO of Savvy Security, a security provider in the SaaS industry.
SaaS risk is a growing problem. According to a recent report, 80% of employees adopt SaaS applications without IT approval, creating unmanaged user and app identity risks that bypass traditional security processes and controls. The threat is significant and shows that rapidly growing SaaS adoption requires a deeper level of visibility and control than exists today.
One of the greatest challenges companies face is identifying the toxic combinations of SaaS risk that rest at the intersection of identity and access management, user behavior and business context. Individually, each of these components is part of the overall SaaS ecosystem, but together, they can create the most severe form of SaaS security risk within organizations, leading to compliance violations, data breaches, brand damage and financial loss.
Multiple factors driving SaaS security risk
The average company uses multiple SaaS apps like Slack, Dropbox and Zoom. While these applications enhance efficiency, it’s also easy for users to input proprietary information or sensitive data into these apps as part of their workflows. Not all SaaS applications are endorsed, or even known, by IT; in fact, unmanaged SaaS apps used by the workforce often surpass the “known” or “managed” average by up to four times, according to Savvy research.
Signing up for new applications to help solve a problem or complete work seems harmless to employees — say, for a member of the finance team, using an application like Canva for a presentation would appear simple and low-risk. This becomes a problem, though, if that employee uses the same credentials for Canva that they use for enterprise applications — and if those credentials have administrative privileges.
If those credentials are compromised, that could cause massive security problems for the organization. Other examples of problematic factors include rogue administrators, compromised accounts, shadow identities, lack of multi-factor authentication (MFA), incomplete offboarding, direct sign-in instead of single sign-on (SSO) and risky or shared credentials. Any combination of these factors can open an organization to compromise, with potentially devastating impacts.
Consider a circumstance where an employee’s credentials are compromised and released on the dark web. The individual hasn’t enabled multifactor authentication or used a password manager and is reusing their password across applications, including in apps like DocuSign, which may contain highly sensitive information. The individual also has administrative privileges for important financial systems. In this situation, we have multiple factors creating a toxic combination:
1. an identity with privileged access to sensitive data;
2. an employee failing to follow company policy to set up MFA as a security control and never reuse passwords; and
3. a compromised account with risky credentials found on the dark web.
And it’s not only active employees who can increase a company’s SaaS risk, as former employees often maintain access to SaaS tools, particularly those that aren’t being fully managed by the company’s IT experts. In the case of incomplete or insufficient offboarding, businesses can create unauthorized access points that could have legal, compliance and data-theft consequences.
Eliminating SaaS risks within companies
Organizations should incorporate these tips to reduce risks posed by SaaS applications:
- Understand what makes a combination of risk toxic. This understanding will alert the team to potential vulnerabilities in the organization and ensure that these are rectified quickly to prevent unauthorized access.
- Continuously monitor employee privileges. It’s critical that security and IT teams maintain a complete and updated inventory of SaaS applications and their privileges for each employee. This is a known challenge within organizations, but it is the only way to ensure that the correct people have the correct access to sensitive information across an organization.
- Focus on adding visibility. Maintaining visibility into SaaS security posture, including the associated user and app identities, helps organizations safely embrace the benefits of SaaS tools.
- Prioritize proper offboarding. Find ways to automate the process for deprovisioning access to terminated user accounts.
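The scenario above (privileged access, no MFA, a reused password that has already leaked) and the tips that follow it both come down to the same question: given an inventory of SaaS accounts and their attributes, which rows combine into a toxic combination? The script below is an added illustration, not code from the article or from Savvy Security. It evaluates a few simple combination rules over a constructed inventory; the account attributes, the rule names and the severity ranking are all assumptions chosen for the example, and a real deployment would populate the rows from an identity provider, SSO logs, each app's admin API and a credential-exposure feed.

```python
"""Toy detector for toxic combinations of SaaS account risk factors.

Constructed example: the inventory rows and rule names below are made up
for illustration; they are not a vendor's data model or product logic.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class SaasAccount:
    user: str
    app: str
    managed: bool             # app is known to / sanctioned by IT
    sso: bool                 # signs in through SSO rather than a direct password
    mfa: bool                 # MFA enforced on this login
    privileged: bool          # holds an admin role in the app
    password_reused: bool     # same credential observed on another app
    credential_exposed: bool  # credential seen in a breach dump
    user_active: bool         # user is still employed


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    rule: str
    severity: str


def evaluate(acct: SaasAccount) -> list:
    """Apply the combination rules to one account and return its findings."""
    out = []

    def add(rule, severity):
        out.append(Finding(acct.user, acct.app, rule, severity))

    # Access that outlives employment: incomplete offboarding.
    if not acct.user_active:
        add("offboarding-gap", "critical" if acct.privileged else "high")

    # The article's toxic combination: privileged access + a weak control
    # (no MFA or reused password) + a credential that is already exposed.
    if acct.privileged and acct.credential_exposed and (not acct.mfa or acct.password_reused):
        add("toxic-privileged-exposed", "critical")
    elif acct.credential_exposed and not acct.mfa:
        add("exposed-without-mfa", "high")

    # Direct sign-in bypasses SSO policy; worse when the password is shared.
    if not acct.sso and not acct.mfa:
        add("direct-login-no-mfa", "high" if acct.password_reused else "medium")

    # Admin rights in an app IT does not know about cannot be reviewed.
    if acct.privileged and not acct.managed:
        add("unmanaged-privileged", "medium")

    return out


def assess(inventory):
    """Evaluate every account; return findings sorted by severity, worst first."""
    findings = [f for a in inventory for f in evaluate(a)]
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    return findings


def worst_severity(inventory, user):
    """Highest severity across all of one user's accounts, or None if clean."""
    sev = [f.severity for f in assess(inventory) if f.user == user]
    return max(sev, key=SEVERITY_RANK.__getitem__) if sev else None


# Constructed sample inventory (four accounts, three users).
SAMPLE_INVENTORY = [
    # alice: finance admin, direct login, reused password that has leaked
    SaasAccount("alice", "netsuite", managed=True, sso=False, mfa=False,
                privileged=True, password_reused=True, credential_exposed=True,
                user_active=True),
    SaasAccount("alice", "docusign", managed=False, sso=False, mfa=False,
                privileged=False, password_reused=True, credential_exposed=True,
                user_active=True),
    # bob: SSO + MFA everywhere, no privileges
    SaasAccount("bob", "slack", managed=True, sso=True, mfa=True,
                privileged=False, password_reused=False, credential_exposed=False,
                user_active=True),
    # carol: left the company but still holds an admin login on an unmanaged app
    SaasAccount("carol", "dropbox", managed=False, sso=False, mfa=False,
                privileged=True, password_reused=False, credential_exposed=False,
                user_active=False),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f.severity:8} {f.user:6} {f.app:9} {f.rule}")
```

The point of the rule structure is that no single attribute is flagged as critical on its own: a missing MFA setting or a reused password is a medium or high finding, and it is only the intersection of privilege, a weak control and an already-exposed credential (or of privilege with a departed user) that reaches critical. Running the script lists alice's NetSuite admin account and carol's lingering Dropbox admin access at the top, while bob's SSO-backed Slack login produces no findings at all.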
To successfully combat this threat within organizations, it is essential that security practitioners have visibility into both enterprise and fringe SaaS applications, and that they be able to accurately pinpoint the combinations of risks that lead to security incidents in order to prevent unauthorized access to data.