Agility, Control, and Visibility: Closing IT Security Gaps in 2019
Maintaining security across dozens or hundreds of SaaS apps is IT’s newest and biggest challenge. Common approaches to it are often misguided, though. According to Information Week, the focus gets put on provider security failure, or on ensuring that software providers have the compliance and controls in place to mitigate data breaches.
In reality, the likelihood of issues here is small. Companies' most significant vulnerabilities actually lie with their own users and data – and most IT organizations have little idea how to address these.
Gartner believes IT is facing challenges because most organizations are moving to a relatively large ecosystem of cloud service providers, rather than a monoculture. Creating, maintaining and updating security policies on a per-cloud-service basis is difficult when the volume of SaaS apps and services in use is soaring. Cleanshelf found that in 2018, the average 350-person company spent $4.8 million on SaaS applications annually. Few IT teams have the necessary controls to manage risk exposure and, as a result, “...user behavior is a greater concern than vulnerabilities inherent to any cloud service provider”, according to Gartner.
Centralized procurement, control, and license distribution is a myth for most companies now. IT is aware that SaaS consumption is being driven by end users and that trying to re-establish full control is a fool’s errand. SaaS ease of use and vendors’ try-and-buy sales approaches put business users and managers in control of acquisition. The individual with a corporate card is the new normal for software acquisition. IT teams that push for antiquated models of control will fail. Users will find less secure alternatives or deploy on their own devices. While it may look different, control does not need to be a myth. Delivering it requires two keys though: 1) Visibility and management capabilities and 2) Organizational agility.
Visibility and management capabilities
IT knows that it can’t control what it can’t see. Trying to secure an ecosystem of apps without knowing the apps and services inside the ecosystem is a recipe for risk and vulnerabilities. Being unaware also leads to outsized spend, underutilization and lost productivity as business users trial, buy, use and abandon apps without IT oversight.
In a recent article, CIO magazine highlights the scariest SaaS-related security blind spots. In particular, it lists the amount of exposed confidential data, the number of ex-employees with data access, and ‘super-admins’, or those users with elevated access within a particular app or service. The article also shares the concerning direction of data traffic, noting that by “2021, 27% of corporate data traffic will bypass perimeter security, up from 10% today.”
Central to each of these is the issue of poor visibility. Without a SaaS system-of-record to give a business-level view of SaaS licenses and use by user and department, IT cannot expect to manage company-wide risks effectively. If they don’t know what has been deployed, technology leaders cannot apply threat prevention and recommend secure, enterprise-ready SaaS alternatives to teams using insecure services. Similarly, processes for off-boarding employees or contractors won’t be effective when it’s not clear what licenses and permissions a user has.
Generally, business users are trying to do well. They try and buy SaaS to become more productive and improve performance. Instances of nefarious behavior are few and far between. But when IT is perceived as the “no” team, on a mission to remove user freedoms, employees will get creative – and quiet – about SaaS use. IT must demonstrate a spirit of teamwork and offer the organizational agility, or flexibility, that shows the business that it’s squarely on its side.
Gartner recommends that IT opts for in-built or third-party tools to ensure data security and help sanction SaaS applications. It also suggests the use of CASBs or other tools to reveal unauthorized SaaS tools; not necessarily to find and kill their use, but to help teams consolidate licenses to save money or reduce redundant services to improve collaboration. Front line managers may actually be quite thankful when IT can report on app use, availability, spend and cost-savings opportunities.
Ultimately, visibility, control and agility can’t be achieved with a mish-mash system of offline spreadsheets, manual invoice submission, or, worst of all, by sending the new IT analyst on a witch-hunt to track down apps and managers. Cost-efficiency and real-time accuracy, while using automation to stay effective at scale, demand technology intervention.
Contact the Cleanshelf team if you want to learn how we can help you close IT security gaps in a SaaS-everything world.
Cleanshelf is the leading SaaS spend optimization solution focused exclusively on tracking, controlling, and benchmarking subscription SaaS applications. Cleanshelf’s cloud technologies help companies save up to 30% on their SaaS spending by automatically identifying unused, underused, or unmanaged licenses and subscriptions.
Headquartered in San Francisco, CA, Cleanshelf serves dozens of clients, including Drawbridge, Revinate, Dynamic Signal, Qumulo, and Service Rocket.