Shadow IT has long been recognized as a major concern for organizations regardless of their size or industry. The loss of IT and security teams’ control over the technologies their employees use results in various and significant security risks. This is ever more true for cloud-based companies. The exponential growth in SaaS application usage has created a new and significant concern: SaaS-Shadow IT, the lack of visibility and understanding of an organization’s SaaS usage.
The need for SaaS discovery became especially evident as soon after launching our free, self-serve SaaS discovery solution, over 200 companies quickly enrolled. Despite being a SaaS security platform, even we were taken aback by the extent of the SaaS security issue.
The data clearly points to a complete loss of control over SaaS. The majority of SaaS applications employees use are completely outside of security control, or even knowledge. The following are key takeaways from the many companies who onboarded to our free SaaS Discovery solution.
1) Your employees are likely using a SaaS application that was recently breached.
In a staggering 71.4% of companies, employees were using an average of 2.4 SaaS applications that were breached in the past 3 months.
- The risk: This is probably the most classic example of the severity of Shadow IT in SaaS. Knowing what applications you are using is the first step in securing them. If a SaaS application is breached, and its user data is compromised, neglecting to know your SaaS technology stack can have serious consequences. The worst-case scenario is hackers accessing your company’s most sensitive data through lateral movement, using the breached application.
- Why does this happen: This occurs because of the decentralized and ungoverned nature of SaaS applications. When an employee needs a quick fix to a problem or a tool to help them do their job, chances are they will “Google it” and find a SaaS application, often a free one or with a free version, to help them. These “quick fixes” often completely by-pass company procedures. It is important to keep in mind that as small and benign as an application may seem, it can still be connected (with high permissions) to one of the organization’s major SaaS applications such as Salesforce, Slack, Zoom and others.
“In a staggering 71.4% of companies, employees were using an average of 2.4 SaaS applications that were breached in the past 3 months.”
2) Most of the SaaS applications connected to your data are not in use.
73.3% of all permissions that were given to applications by the users were not in use for over 30 days*.
- The risk: The higher the permissions granted, the more access and – in time – the more control the receiving SaaS application will get into your data. SaaS applications typically require some level of “read” and “write” access to function properly. These permissions vary between applications and in many cases, do not require the intervention of an admin. The more applications, the larger the attack surface.
- Why does this happen: In a way, this is similar in nature to checking the “I have read and agree to the terms and conditions” checkbox. When an employee needs a quick fix, they need it now. And ensuring all employees are always educated, aware and cautious with how they use SaaS applications is a near-impossible task.
3) Most of the SaaS applications actively connected to your data are used by just one employee.
On average, 58% of SaaS applications are used by only one employee, raising questions about their necessity – and making it unlikely that they were known and protected by the security team.
- The risk: This means that most of the SaaS applications that gain permissions and tokens into your organization’s data have probably not been approved by IT or security and are only used by one person in the organization.
- Why does this happen: This too is closely tied to the decentralized nature of SaaS usage. SaaS can easily be adopted without the involvement of your IAM or IM and many SaaS applications do not require SSO. It is not usually the large, corporate-approved applications that you need to be concerned about, but rather, random solutions with high permissions that were granted by an uninformed employee.
4) People outside your organization have access through your SaaS applications.
We found 25% of SaaS users to be external to the organization. These are contractors, freelancers or agencies that your employees work with and have received access to your SaaS applications.
- The risk: These are the same applications that, as mentioned above, have access to your organization’s data. While you might have some level of control over your own employees’ security education and you can enforce company policies on them, external users are a whole different ball game.
- Why does this happen: Many of the popular SaaS applications are collaborative by nature. They allow different users to work together, often simultaneously, on the same project. Many SaaS applications also offer easy communication features that are widely popular and have public channels integrated into their offering. While SaaS is great for productivity, it has to be maintained and controlled.
“Some organizations had as many as 90 risky SaaS applications.”
5) The average organization has dozens of risky applications, with high permissions.
In most companies, we see a high 3-digit number of SaaS applications in use. This can be anywhere between 200-900 applications, depending on company size, technology adoption, policies and industry. On average, we found that 10% of these applications are considered “risky” and yet have high permissions into the company’s data. Some organizations had as many as 90 risky SaaS applications.
- The risk: A risky application is defined as such due to a list of relevant criteria such as: Has it been breached? Is the company private or public? Do they have security and privacy compliances? And more. The risk in this case ties in to the first findings we presented here. When an employee knowingly provides high permissions to an application that was recently breached, and/or does not have relevant compliances and/or comes from a company of 3 people somewhere in a foreign country, the risk really presents itself.
- Why does this happen: Same as mentioned above. Lack of employee awareness coupled with security and IT’s lack of control over the organization’s SaaS usage.
Discovering Your SaaS Usage Is The Vital First Step
All the risks mentioned above can be reduced and, in many cases, fully avoided by taking proper measures. However, it is impossible to secure your SaaS usage without having a clear and comprehensive view of what is happening in your SaaS environment. Questions such as which applications have been granted permissions, by whom, if they are safe and necessary and who has access to them must be answered in order to implement effective remediation measures.
At the forefront of SaaS security, Wing Security recognizes the importance of understanding the extent of the problem before taking action. Thus, we have made the decision to offer our powerful SaaS Discovery engine to the public for free. This has had a significant impact and continues to do so. Our aim is to provide full visibility and empower individuals to make informed decisions regarding SaaS security.
* This was found in companies that connected their Google workspace to Wing Security
