SaaS management: fighting the proliferation of SaaS

Adoption of enterprise software as a service (SaaS) is growing – with global end-user spend growing over 40% to $170 billion in 2022 – and it’s not hard to see why. As businesses embrace new work paradigms, SaaS applications offer an agile and flexible way to provide employees with the functions they need, when and where they need them.

Unfortunately, this flexibility is a double-edged sword; SaaS application networks can grow rapidly, faster than IT teams can keep up.

If companies can’t get their sprawling SaaS application networks under control, they risk security breaches and financial disruption. Yet many companies fail to properly manage SaaS applications. Some IT teams are intimidated by the seemingly tedious process of auditing and mitigating SaaS risks.

Others may not understand the risks associated with SaaS applications and may not set aside the resources needed to manage them effectively. Even when IT and security teams do take steps to manage and secure SaaS applications, the solutions they put in place to mitigate these risks are often insufficient, as they tend to have “blind spots” that can lead to critical oversights.

There are four key SaaS management challenges that put businesses at risk. It’s important for IT and security teams to understand these challenges, compare their shortcomings to traditional solutions, and develop a strategy to address them. As a result, they will be better equipped to take full advantage of all the benefits of SaaS applications.

The 4 Biggest SaaS Management Challenges

1. Data propagation

SaaS applications can quickly connect to each other to form a sprawling network – and data flows quickly from one application to another. Thanks to the prominence of open APIs in popular SaaS apps like Salesforce, almost any app can connect to others in some way. While this provides great convenience, it’s also a major liability for IT and security teams. If you don’t know where sensitive data is going, or where it has been, how can you guarantee it is secure?

Employees contribute to proliferation by storing data in unauthorized locations. If your company uses Box for storage, but an employee insists on using Google Drive, that’s a whole new stream of data to manage — and that’s assuming the IT team even knows what the employee is doing.

2. Shadow SaaS

In an ideal world, employees would ask permission from IT before installing and activating SaaS applications. Unfortunately, in the real world, employees regularly integrate new SaaS applications without permission, allowing unverified third parties to access sensitive data. While the network of SaaS applications that IT knows about is already overwhelming, it is only a fraction of the full network. In fact, up to 50% of a typical organization’s SaaS footprint can be unknown to management.

As you might expect, shadow SaaS complicates the process of tracking and securing data. Unauthorized applications do not go through the normal IT verification process, which amplifies the risks. If a single SaaS application mismanages data and violates regulations such as GDPR or HIPAA, the entire organization is liable. To make matters worse, if finance teams can’t identify shadow SaaS license fees, it translates into untraceable expenses that quickly add up.

3. Security and Misconfiguration Risks

Since SaaS applications are highly adaptable, they have a large number of settings and configurations. Unfortunately, this means apps can be misconfigured and put sensitive business data at risk. IT teams often work hard to make every configuration perfect at launch, but over time, day-to-day use often results in settings changing. In other words, SaaS misconfiguration is a day 2 problem, even though it’s easy to assume that the hardest work is done after day 1.

There are real consequences of misconfiguring apps, and it’s a widespread problem: a recent Cloud Security Alliance Survey found that up to 63% of organizations had experienced a security incident as a result of a SaaS misconfiguration in the past year. In the worst case, the wrong settings can make sensitive data publicly available. Each individual license must also be properly configured with the correct privileges. If lower-level employees are given admin-level licenses, the risk of an insider threat increases dramatically, along with the risk of well-meaning employees mistakenly exercising admin privileges.

4. Excessive and inefficient SaaS spending

Given the subscription-based model of most SaaS licenses, small recurring costs add up over time. Unfortunately, many companies waste huge amounts of money on unapproved or unnecessary SaaS licenses each year – and often have no idea it’s happening.

As mentioned earlier, shadow SaaS is a significant cost for many organizations, but even permitted SaaS applications can incur unnecessary expense. Siloed decision-making means companies often approve licenses for multiple applications that serve the same purpose. Administrators are also prone to human error, such as duplicating licenses, failing to cancel licenses tied to former employees, and granting licenses to staff who do not need them or who are not permitted to use them.

Importance of a single source of truth

Companies that understand the SaaS management challenges mentioned above are often eager to mitigate the risks of SaaS applications, but the strategies they choose tend to fall short. There are a few popular tools that solve some SaaS management issues; these include Cloud Access Security Broker (CASB) tools, SaaS Security Posture Management (SSPM) tools, and SaaS Management Platforms (SMP).

Each of these tools provides critical SaaS information, but often cannot provide the complete picture. For example, CASB tools monitor the use of cloud services, but this is often limited to SaaS applications known to IT departments. This means that shadow SaaS remains hidden, along with all the liabilities that come with it. While implementing multiple tools can allow each to compensate for the others’ blind spots, integrating them brings new challenges and responsibilities.

Rather than trying to use many tools for the sake of completeness, CISOs and CIOs should instead strive to implement the simplest possible solution that provides three critical aspects of understanding: breadth, depth and context.

Breadth is the ability to discover every SaaS application in your network, as well as every type of shared data, and how that data moves from one application to another.

Depth requires finding misconfigurations, potential malicious behavior, and other easily overlooked information.

Context is analyzing how users, SaaS applications, devices and services interact with each other.

In order to achieve breadth, depth, and context for better SaaS management, enterprises need a single source of truth, which requires administrators to have:

  • A “snapshot” of all the facts about a company’s SaaS application network. This includes a full inventory of applications (authorized and shadow SaaS); a complete list of settings and configurations for each application; and the employee and privilege level associated with each license.
  • A way to track business data in motion. This includes the ability to identify users and user devices that interact with each cloud application; how each application stores and uses the data it obtains; and how users are onboarded to and offboarded from each application.
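As an added example (not code from the article or any product it mentions), here is a small Python reconciliation of the kind of snapshot described above: a constructed discovery inventory is checked against an approved-app list and an HR roster to flag shadow apps, licenses still tied to departed employees, admin privileges held outside admin roles, and multiple apps serving one purpose. All app names, users and categories are made up.

```python
# Added example: reconciling a constructed SaaS "snapshot" against HR and
# approval records. All data below is made up for illustration.
from collections import defaultdict

# Constructed inputs: what a discovery tool might hand back.
APPROVED_APPS = {"Box", "Salesforce", "Slack"}
APP_CATALOG = {  # app -> functional category (assumed to be tagged by IT)
    "Box": "storage", "Google Drive": "storage",
    "Salesforce": "crm", "Slack": "chat", "Zoom": "video",
}
HR_ROSTER = {  # employee -> (status, role)
    "alice": ("active", "engineer"),
    "bob": ("terminated", "sales"),
    "carol": ("active", "it_admin"),
}
LICENSES = [  # (app, user, privilege level) as seen in each app's admin console
    ("Box", "alice", "user"),
    ("Box", "bob", "user"),             # bob has left the company
    ("Google Drive", "alice", "user"),  # never approved by IT
    ("Salesforce", "alice", "admin"),   # engineer holding an admin license
    ("Salesforce", "carol", "admin"),
    ("Zoom", "carol", "user"),          # also never approved by IT
]
ADMIN_ROLES = {"it_admin"}  # roles that may legitimately hold admin licenses


def reconcile(approved, catalog, roster, licenses, admin_roles=ADMIN_ROLES):
    """Return a dict of findings keyed by risk type."""
    findings = defaultdict(list)
    apps_by_category = defaultdict(set)
    for app, user, priv in licenses:
        apps_by_category[catalog.get(app, "unknown")].add(app)
        if app not in approved:            # shadow SaaS: in use, not approved
            findings["shadow_app"].append(app)
        # Users missing from HR are treated like departed users: nobody owns them.
        status, role = roster.get(user, ("unknown", "unknown"))
        if status != "active":             # license tied to a former employee
            findings["orphaned_license"].append((app, user))
        if priv == "admin" and role not in admin_roles:
            findings["over_privileged"].append((app, user))
    for cat, apps in apps_by_category.items():
        if len(apps) > 1:                  # two apps bought for one purpose
            findings["duplicate_purpose"].append((cat, sorted(apps)))
    findings["shadow_app"] = sorted(set(findings["shadow_app"]))
    return dict(findings)


if __name__ == "__main__":
    for risk, items in reconcile(APPROVED_APPS, APP_CATALOG, HR_ROSTER, LICENSES).items():
        print(f"{risk}: {items}")
```

In practice the three inputs would come from a discovery tool, the identity provider or HR system, and each app's admin API; the checks stay the same.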

Creating a management strategy

Of course, understanding the state of your company’s SaaS network is only useful if your company can act on that knowledge. Your IT team must be prepared to recognize and neutralize any threat or anomaly that arises. This requires teamwork across IT, finance, operations, legal, and security teams. Therefore, this cannot be a one-department initiative, but rather a company-wide goal.

Implementing a comprehensive solution will likely have a beneficial ripple effect throughout an organization. It will:

  • Enable finance and business operations teams to track license usage, minimize costs and intercept potential risks.
  • Enable legal and security teams to track the flow of data and protect corporate reputation.
  • Encourage employees to become more responsible, because they know their use of SaaS applications is being monitored.

IT and security teams must have proper SaaS management on their roadmaps, because it’s the only way to avoid major liabilities as SaaS applications become increasingly important to a distributed workforce. By removing unnecessary risk and cost, IT and security teams can make the remote workplace safer and enjoy the convenience of SaaS applications without the downsides. SaaS is only going to get more complex, so it’s imperative to have a solid strategy in place as soon as possible.