SaaS Risk Management 101

Enterprise Software-as-a-Service (SaaS) adoption is increasingly widespread — with global end-user spending growing by more than 40% to an anticipated $170 billion in 2022 — and it’s not hard to see why. As companies shift to enable new work paradigms, SaaS apps provide an agile, flexible way to provide employees with the functions they need, when and where they need them.

Unfortunately, this flexibility is a double-edged sword; networks of SaaS apps can grow rapidly, faster than IT teams can keep track of them.

If companies cannot get a handle on their sprawling SaaS app networks, they are at risk of security breaches and financial disruption. Yet many companies fail to properly manage SaaS apps. Some IT teams are intimidated by the seemingly time- and labor-intensive process of auditing and mitigating SaaS risks.

Others may not understand the risks that come with SaaS apps and don’t set aside the resources needed to manage them effectively. Even if IT and security teams take steps to manage and secure SaaS apps, the solutions they put in place to mitigate these risks are often insufficient, as they tend to have “blind spots” that can lead to critical oversights.

There are four key challenges tied to SaaS management that put companies at risk. It is important for IT and security teams to understand these challenges, compare their flaws to traditional solutions, and develop a strategy to address these flaws. As a result, they will be better equipped to fully embrace the full benefits of SaaS apps.

The 4 Biggest SaaS Management Challenges

1. Data Sprawl

SaaS apps can quickly link with each other to form a sprawling network — and data flows rapidly from app to app. Thanks to the prominence of open APIs in popular SaaS apps like Salesforce, almost every app can connect with others in some way. While this offers great convenience, it is also a major liability for IT and security teams. If you don’t know where sensitive data is going, or where it has been, how can you guarantee it is secure?

Employees contribute to sprawl by storing data in unauthorized places. If your company uses Box for storage, but an employee insists on using Google Drive, that’s an entirely new data flow to manage — and that’s assuming the IT team even knows about what the employee is doing.

1. Shadow SaaS

In an ideal world, employees would ask IT for permission before installing and activating SaaS apps. Unfortunately, in the real world, employees regularly onboard new SaaS apps without permission, allowing unverified third parties to access sensitive data. While the network of SaaS apps that IT knows about is already overwhelming, that’s only a fraction of the full network. In fact, up to 50% of a typical organization’s SaaS footprint may be unknown to management.

As you might expect, “shadow SaaS” complicates the process of tracking and securing data. Unauthorized apps don’t go through the normal IT vetting process, which amplifies risk. If a single SaaS app mishandles data and violates regulations like GDPR or HIPAA, the entire organization is now liable. To make matters worse, if financial teams can’t identify the license fees of “shadow SaaS,” this results in untraceable expenses that add up fast.

2. Security and Misconfiguration Risks

Because SaaS apps are highly adaptable, they have a large number of settings and configurations. Unfortunately, this means apps can be misconfigured and put companies’ sensitive data at risk. IT teams often work hard to get every configuration just right at launch, but over time, day-to-day use often results in settings changing. So to speak, SaaS app misconfigurations are a day 2 problem, when it’s easy to assume that the hardest work is done after day 1.

There are real consequences tied to misconfiguration of apps, and it’s a widespread problem: a recent Cloud Security Alliance survey discovered that up to 63% of organizations had experienced a security incident as a result of SaaS misconfiguration in the last year. In the worst-case scenario, the wrong settings can make sensitive data publicly available. Each individual license also needs to be properly configured with the right privileges. If lower-level employees receive admin-level licenses, the risk of insider threat grows significantly, along with the risk of well-intended employees mistakenly exercising admin privileges.

3. Excessive and Inefficient SaaS Spend

Given the subscription-based model of most SaaS licenses, small recurring costs add up over time. Unfortunately, many companies waste substantial sums of money on unapproved or unneeded SaaS licenses every year — and often have no idea that it’s happening.

As mentioned before, shadow SaaS is a significant cost for many organizations, but even authorized SaaS apps can incur unnecessary expenses. Compartmentalized decision-making results in firms often approving licenses for several apps that serve the same purpose. Admins are also prone to human errors, such as duplicating licenses, failing to cancel licenses tied to ex-employees, and giving licenses to staff who don’t need them or aren’t authorized to use them.

Importance of a Single Point of Truth

Firms that understand the challenges of cloud waste mentioned above are often eager to mitigate the risks of SaaS apps, but the strategies they choose tend to come up short. There are a few popular tools that resolve some SaaS management challenges; these include Cloud Access Security Broker (CASB) tools, SaaS Security Posture Management (SSPM) tools, and SaaS Management Platforms (SMPs).

Each of these tools provides some critical SaaS information but often can’t provide the full picture. For example, CASB tools monitor cloud service usage, but this is often limited to SaaS apps that IT departments know. This means that shadow SaaS remains hidden, along with all the liabilities it brings. While implementing multiple tools can allow each one to compensate for each other’s blind spots, integrating them together brings new challenges and liabilities.

Rather than trying to use many tools for the sake of being thorough, CISOs and CIOs should instead strive to implement the simplest possible solution that provides three critical aspects of insight: breadth, depth, and context.

Breadth is the ability to discover every SaaS application in your network, as well as every type of data being shared, and how that data moves from app to app.

Depth requires finding misconfigurations, potential malicious behavior, and other easily overlooked information.

Context involves analyzing the way users, SaaS apps, devices, and services interact with each other.

In order to achieve breadth, depth, and context for better SaaS management, companies need a single source of truth, which requires admins to have:

• A “snapshot” of all facts relating to a company’s SaaS app network. This includes a full inventory of apps (both authorized and shadow SaaS); a full list of settings and configurations for each app; and the employee and privilege level tied to every license.
• A way to follow corporate data in motion. This includes being able to identify which users and user devices are interacting with each cloud app; how each app stores and uses the data it obtains; and how users are on- and off-boarded from each app.

Creating a Management Strategy

Of course, understanding the state of your company’s SaaS network is only valuable if your company can act on that truth. Your IT team must be willing to recognize and neutralize any threats or anomalies that arise. This requires teamwork between IT, finance, business operations, legal, and security teams. Therefore, this can’t be an initiative for a single department, but rather a company-wide goal to pursue.

Implementing a comprehensive solution will likely have a beneficial ripple effect throughout an organization. It will:

• Allow finance and business operations teams to track license use, minimize costs and intercept potential risks.
• Allow legal and security teams to track the flow of data and protect the company’s reputation.
• Encourage employees to become more responsible because they know their SaaS app usage is being monitored.

IT and security teams need to have proper SaaS management on their roadmaps, as it’s the only way to avoid major liabilities as SaaS apps become more and more important to a distributed workforce. By removing risks and unnecessary costs, IT and security teams can make the remote workplace safer and benefit from the convenience of SaaS apps, without the risks. SaaS will only grow in complexity, so it’s imperative to implement a solid strategy as soon as possible.