Closing up the security gaps on dozens or hundreds of SaaS apps is IT’s newest biggest challenge. However the usual methods enterprises employ to solve this issue are often misguided. According to Information Week, focus gets put on provider security failure, or ensuring that software providers have the compliance and controls in place to mitigate against data breaches.
In reality, the likelihood of issues here is small. Companies' most significant vulnerabilities actually lie with their own users and data – and most IT organizations have little idea how to address these.
SaaS Security Gaps
Gartner believes IT is facing challenges because most organizations are moving to a relatively large ecosystem of cloud service providers, rather than a monoculture. Creating, maintaining and updating security policies on a per-cloud-service basis is difficult when the volume of SaaS apps and services in use is soaring. Cleanshelf found that in 2018, the average 350 person company spent $4.8 million on SaaS applications annually. Few IT teams have the tools to manage risk exposure. As a result, “...user behavior is a greater concern than vulnerabilities inherent to any cloud service provider”, according to Gartner.
IT is aware that SaaS consumption is being driven by end users and that trying to re-establish full control is a fool’s errand.
Centralized procurement, control, and license distribution is a myth for most companies now. IT is aware that SaaS consumption is being driven by end users and that trying to re-establish full control is a fool’s errand. SaaS ease of use and vendors’ try-and-buy sales approaches put business users and managers in control of acquisition. The individual with a corporate card is the new normal for software acquisition. IT teams that push for antiquated models of control will fail. Users will find less secure alternatives or deploy on their own devices. While it may look different, control does not need to be a myth. Delivering it requires two keys though: 1) Visibility and management capabilities and 2) Organizational agility.
Visibility and management capabilities
Trying to secure an ecosystem of apps without knowing its contents is a recipe for risk vulnerabilities.
IT knows that it can’t control what it can’t see. Trying to secure an ecosystem of apps without knowing the apps and services inside the ecosystem is a recipe for risk vulnerabilities. Being unaware also leads to outsized spend, underutilization and lost productivity as business users trial, buy, use and abandon apps without IT oversight.
In a recent article, CIO magazine highlights the scariest SaaS-related security blindspots. In particular, it lists: the amount of exposed confidential data, number of ex-employees with data access and ‘super-admins’, or those users with elevated access within a particular app or service. The article also shares the concerning direction of data traffic, noting that by “2021, 27% of corporate data traffic will bypass perimeter security, up from 10% today.”
Without a business-level overview of SaaS use by user and department, IT cannot manage company-wide risks effectively.
Central to each of these is the issue of poor visibility. Without a business-level overview of SaaS license use by user and department, IT cannot manage company-wide risks effectively. If deployments are unknown, technology leaders cannot prevent threats or recommend secure, enterprise-ready SaaS alternatives to teams. Similarly, processes for off-boarding employees or contractors won’t be effective when it’s not clear what licenses and permissions a user has.
Generally, business users are trying to do well. They try and buy SaaS to become more productive and improve performance. Nefarious behavior is few and far between. But when IT is perceived as the “no” team, keen to remove user freedoms, employees will find their own solutions. They will also keep very quiet about their increased SaaS use. IT must demonstrate a spirit of teamwork and organizational agility that shows the business that it’s squarely on its side.
Cost-efficiency and real-time accuracy, while using automation to stay effective at scale, demands technological intervention.
Gartner recommends that IT opts for in-built or third-party tools to ensure data security and help sanction SaaS applications. It also suggests the use of CASBs or other tools to reveal unauthorized SaaS tools. This is not necessarily to find and kill their use. Instead the purpose is to help teams consolidate licenses to save money or reduce redundant services. Front line managers may actually be quite thankful when IT can report on app use, availability, spend and cost-savings opportunities.
Ultimately, enterprises cannot achieve visibility, control and agility with a mish-mash of offline spreadsheets or manual invoice submissions. Sending your new IT analyst on a witch-hunt to track down apps and managers won't help either. Cost-efficiency and real-time accuracy, while using automation to stay effective at scale, demands technological intervention.
Contact the Cleanshelf team if you want to learn how we can help you close IT security gaps in a SaaS-everything world.
Ready to start controlling your enterprise SaaS?
Based in San Francisco, Cleanshelf is the best way for enterprises to monitor and manage their SaaS spend. Our SOC 2-compliant and AI-powered technology saves our customers up to 30% on fees. Cleanshelf already helps businesses like Hilton, AT&T, CoStar and Jamf, among others. Join them now and gain control of your enterprise SaaS.