Shadow IT has long been recognized as a major concern for organizations regardless of their size or industry. The loss of IT and security teams’ control over the technologies their employees use results in various and significant security risks. This is even more true for cloud-based companies. The exponential growth in SaaS application usage has created a new and significant concern: SaaS-Shadow IT, the lack of visibility and understanding of an organization’s SaaS usage.
The need for SaaS app discovery became especially evident as soon after launching our free, self-serve SaaS app discovery solution, hundreds of companies quickly enrolled. Despite being a SaaS security platform, we were taken aback by the extent of the SaaS security issue.
The data clearly points to a complete loss of control over SaaS. The majority of SaaS applications employees use are completely outside of security control, or even knowledge. The following are key takeaways from the many companies who onboarded to our free SaaS app Discovery solution.
1) Your employees are likely using a SaaS application that was recently breached.
In a staggering 84% of companies, employees were using an average of 3.5 SaaS applications that were breached in the past 3 months.
- The risk: This is probably the most classic example of the severity of Shadow IT in SaaS. Knowing what applications you are using is the first step in securing them. If a SaaS application is breached, and its user data is compromised, neglecting to know your SaaS technology stack can have serious consequences. The worst-case scenario is hackers accessing your company’s most sensitive data through lateral movement, using the breached application.
- Why does this happen: This occurs because of the decentralized and ungoverned nature of SaaS applications. When an employee needs a quick fix to a problem or a tool to help them do their job, chances are they will “Google it” and find a SaaS application, often a free one or with a free version, to help them. These “quick fixes” often completely by-pass company procedures. It is important to keep in mind that as small and benign as an application may seem, it can still be connected (with high permissions) to one of the organization’s major SaaS applications such as Salesforce, Slack, Zoom and others.
2) Most of the SaaS applications connected to your data are not in use.
76% of all permissions that were given to applications by the users were not in use for over 30 days*.
- The risk: The higher the permissions granted, the more access and – in time – the more control the receiving SaaS application will get into your data. SaaS applications typically require some level of “read” and “write” access to function properly. These permissions vary between applications and in many cases, do not require the intervention of an admin. The more applications, the larger the attack surface.
- Why does this happen: In a way, this is similar in nature to checking the “I have read and agree to the terms and conditions” checkbox. When an employee needs a quick fix, they need it now. And ensuring all employees are always educated, aware and cautious with how they use SaaS applications is a near-impossible task.
3) Most of the SaaS applications actively connected to your data are used by just one employee.
On average, 55% of SaaS applications are used by only one employee, raising questions about their necessity – and making it unlikely that they were known and protected by the security team.
- The risk: This means that most of the SaaS applications that gain permissions and tokens into your organization’s data have probably not been approved by IT or security and are only used by one person in the organization.
- Why does this happen: This too is closely tied to the decentralized nature of SaaS usage. SaaS can easily be adopted without the involvement of your IAM or IM and many SaaS applications do not require SSO. It is not usually the large, corporate-approved applications that you need to be concerned about, but rather, random solutions with high permissions that were granted by an uninformed employee.
4) People outside your organization have access through your SaaS applications.
We found 20% of SaaS users to be external to the organization. These are contractors, freelancers or agencies that your employees work with and have received access to your SaaS applications.
- The risk: These are the same applications that, as mentioned above, have access to your organization’s data. While you might have some level of control over your own employees’ security education and you can enforce company policies on them, external users are a whole different ball game.
- Why does this happen: Many of the popular SaaS applications are collaborative by nature. They allow different users to work together, often simultaneously, on the same project. Many SaaS applications also offer easy communication features that are widely popular and have public channels integrated into their offering. While SaaS is great for productivity, it has to be maintained and controlled.
Discovering Your SaaS Usage Is The Vital First Step
All the risks mentioned above can be reduced and, in many cases, fully avoided by taking proper measures. However, it is impossible to secure your SaaS usage without having a clear and comprehensive view of what is happening in your SaaS environment. Questions such as which applications have been granted permissions, by whom, if they are safe and necessary and who has access to them must be answered in order to implement effective remediation measures.
At the forefront of SaaS security, Wing Security recognizes the importance of understanding the extent of the problem before taking action. Thus, we have made the decision to offer our powerful SaaS Discovery engine to the public for free. This has had a significant impact and continues to do so. Our aim is to provide full visibility and empower individuals to make informed decisions regarding SaaS security.
* This was found in companies that connected their Google workspace to Wing Security