Salesforce, HubSpot, Zoom, and many more SaaS applications are in use throughout the typical organization.
In fact, organizations across the globe use an average of about 110 SaaS applications.
The trend toward adopting more of these apps is only accelerating, with 66% of organizations spending more on SaaS now than a year ago, according to “The Truth About SaaS Security and Why No One Cares … Yet”, a study conducted by Axonius.
Organizations rely more and more on these apps to connect their workforce, whether remote or hybrid. But despite all their benefits, such as productivity, accessibility, flexibility, and cost, SaaS apps also come with the challenge of managing them.
The complexities of a SaaS stack
Gone are the days of having everything at a physical location. Now, as more organizations move their apps to the cloud, conducting an asset inventory is more difficult, yet even more important than before.
IT and security professionals know there is a problem. Sixty-six percent of respondents said SaaS apps increased their security risk, according to the Axonius findings.
And the threat is real.
The attack surface already holds a slew of assets, including devices, cloud services, software, and users, for these professionals to assess, track, and protect. It becomes even more challenging when employees use shadow SaaS apps that IT and security teams do not know about.
Shadow SaaS is on the rise. The Axonius research found that 80% of employees admit to using apps that were not approved by their IT departments, but only 46% of IT and security professionals are rolling out restrictions to prohibit shadow SaaS applications.
“Shadow SaaS can cause some organizational risk. Not only from a cost perspective, but also from a compliance perspective, depending on what organization you're in and the types of regulations and whatnot you'd have to adhere to,” said Matt Bromiley, a SANS instructor and incident response consultant, during the Axonius webinar “Robust Enterprise Security Includes SaaS Management”.
“I view compliance as one of the biggest issues here, because the moment your data falls out of a controlled stream or a controlled area, you now become non-compliant,” added Bromiley. “I'm asking the security team to go back to visibility and say, ‘Well, how were you expected to be compliant if you didn't know about these assets that existed out there?’”
More visibility, more security for SaaS
With the ever-increasing number of SaaS applications, known and (unfortunately) unknown, IT and security professionals need to understand some crucial information: who owns each application, what it is being used for, and how many permissions it has been granted or is sharing with other apps.
The answers to these questions directly shape an organization's attack surface.
“Adversaries are going to pounce on every opportunity they can,” Bromiley said. “Far too many organizations are just putting data everywhere. This right here, I think, is one of the keys for visibility. … All of a sudden, I'm chasing something that contains data that I may or may not have known about. So when the adversary comes back and makes demands or launches additional attacks against us or against our customers, I don't even have a place to start from a validation perspective.”
So how can IT and security professionals get that visibility into and validation for their SaaS stack?
Through a comprehensive SaaS management solution.
Such a solution connects all layers of a SaaS stack and discovers both known and unknown applications, giving IT and security professionals complete, actionable visibility into the data types involved and the flows between interconnected apps.
The best SaaS management solutions also help mitigate the security issues that expose sensitive customer and business data, such as misconfiguration risks and suspicious or malicious behavior. With that visibility into the SaaS stack, these professionals can see which apps are in use, what they are used for, and who is using them, find redundant applications, and streamline SaaS compliance reporting. All of this becomes a single source of truth for IT and security professionals and their organizations.