Software as a Service (SaaS) solutions have really proven their value since the start of the pandemic. SaaS offerings are easy to set up and usually don’t require a significant investment of IT resources to provision. This means that the business can identify problems and procure solutions on its own, in its own time frame. Furthermore, with the shift to remote working, the ability to access a SaaS solution from anywhere with an internet connection is extremely valuable.
A Tech News World report based on a recent study by DoControl found that the average 1,000-person company using SaaS applications exposes its data to between 1,000 and 15,000 external collaborators, and that between 200 and 3,000 companies have access to a company’s data.
Why unmanaged SaaS assets pose a significant risk to organizations
The word “asset” can mean different things to different people, and is increasingly used to describe anything from hardware, desktops, laptops, servers and phones to software and even employees.
Any asset that is unmanaged poses a significant security risk to a business. A SaaS asset, or an asset that is stored in the cloud, is no different, but such assets do come with unique considerations.
1. Securing data in SaaS applications can be difficult
The ability to properly manage assets that are stored in a SaaS solution depends on the vendor selected. Organizations are limited by what the SaaS vendor solution offers in terms of features to manage the asset life cycle and, more specifically, what security options are available.
2. Sensitive data can be exposed and organizations may not know
The popularity of SaaS apps has increased the amount of “Shadow IT”, a term used to describe information technology solutions that are implemented without the knowledge of, or explicit approval from, an organization’s IT security group. As the use of SaaS solutions continues to increase, this is becoming a larger problem, because companies may not even be aware of all the places where their data is being stored, let alone how it is secured.
3. Unmanaged SaaS assets increase the potential for insider threats
Insider threats can impact organizations in two different ways: accidental and malicious. Unmanaged SaaS assets present opportunities for well-meaning employees, who are just trying to do their job, to accidentally overshare sensitive data or make other security mistakes. Meanwhile, malicious insiders may see SaaS solutions as a way to bypass traditional security controls such as firewalls and data loss prevention products.
4. Unmanaged SaaS assets increase the potential for external threats
“Unmanaged” implies no one at the organization has vetted the SaaS asset, which in turn means a host of complications may go unaddressed. Potentially problematic situations include issues like co-mingling of the organization’s data with data belonging to others, as well as misconfiguration of permissions, which allows individuals to access data that should otherwise be restricted.
In addition, “unmanaged” implies that no security review has been performed on the SaaS provider. That can introduce a range of security risks, from poor controls that could open the door to a breach to crippling service outages that impact the organization’s ability to deliver its goods and services.
How organizations can address unmanaged SaaS assets
The only way to address the risk of unmanaged SaaS assets is to actually manage them! A great place to start is making sure that your organization is aware of the security requirement that all SaaS solutions must be reviewed and approved prior to use. This leads to building an inventory of all of the SaaS solutions that are in use at your organization.
Once you have an inventory, you can upload it into a risk management platform to see whether there are any vulnerabilities affecting the products in use or any issues with a vendor. You can also specify whether the data contained in a SaaS solution affects confidentiality, integrity, or availability, and create an asset risk score. With this information, your team can better prioritize the vulnerabilities affecting those assets and effectively manage risk.
Finally, a few often-overlooked gotchas are failing to track the type of data being used within the SaaS application, and not ensuring that proper backups are configured and implemented.