The growing number of enterprise software-as-a-service (SaaS) applications has led to more complexity and increased security risks within organizations.
These were among the results of a survey from Axonius, which focused on SaaS usage among enterprises across the United States, the United Kingdom and Europe.
Despite a sharp rise in the use of SaaS, most organizations reported that security lagged in urgency and priority, even though the increase in applications resulted in more complexity and increased security risk to their organizations.
Six in 10 survey respondents had ranked SaaS security fourth or lower on their list of current security priorities, while just over a third (34%) said they were worried about the costs associated with rising SaaS-based app usage.
“In short, SaaS solutions can operate completely outside of the purview of information security,” said Gary Brickhouse, chief security officer at cybersecurity firm GuidePoint Security. “With nothing more than a credit card, a department can implement a new application, add sensitive company data or use weak authentication—all of which bypass the established controls in your environment.”
The Problem With SaaS Sprawl
He explained that this can result not only in risks to sensitive data and other information security concerns but also cause regulatory, compliance and contractual issues.
Brickhouse says one of the most fundamental needs of IT and information security teams is knowing where data resides and what controls are in place to protect it.
“The ease with which SaaS sprawl can subvert both objectives makes an already strenuous job even more difficult,” he said. “To combat this, IT and information security teams are spending more time and effort trying to maintain and improve visibility for SaaS usage across the organization.”
Ratan Tipirneni, president and CEO at Tigera, a provider of security and observability for containers, Kubernetes and cloud, said security teams lack both visibility and control over which SaaS services their users are subscribing to.
“Additionally, security practices can vary broadly across SaaS vendors,” Tipirneni said. “SaaS companies can now be located anywhere in the world.”
He added that there is a lack of uniformity and governance over security processes and noted that data gathered by SaaS vendors can be hosted anywhere—in other words, security teams lack controls.
“Most users use the same password across SaaS services, which creates a weak security posture,” he added. “Finally, it provides an increased number of attack vectors.”
Tipirneni says this complexity overtaxes security IT professionals because it is impossible for security teams to keep track of all the SaaS services—every SaaS vendor has very different security practices.
“In addition, governance is missing and doing due diligence on SaaS vendors is very hard and time consuming,” he explained.
Tipirneni said the pandemic has unleashed a new wave of SaaS companies that are attacking niche opportunities and pushed the SaaS industry toward becoming global, with companies springing up in remote corners of the world.
“Centralized security controls will not work,” he noted. “You will need to design security controls for a distributed workforce.”
A Security Model For a Distributed Workforce
He said that Google’s BeyondCorp provides a great reference architecture for how to think about a security model for a distributed workforce, adding that they were “clearly ahead of the curve”.
Looking into the future, Tipirneni said the issue of SaaS sprawl and security will evolve and that consolidation in the industry will simplify this problem.
“Security will become an important buying criterion when selecting a SaaS solution,” he said, adding there will be more emphasis on security certifications.
Brickhouse agrees with Tipirneni that the pandemic, and more specifically the remote workforce, resulted in a movement toward and massive adoption of SaaS solutions.
“As the ability to do business face-to-face was no longer an option, companies had to adapt to solutions that enabled communication and other core business functions,” he said.
Where the distributed workforce is now the new normal, the need for SaaS applications to allow for more connectivity and collaboration will continue.
“While this can be beneficial for the business, it will continue to create challenges for IT and information security teams responsible for these environments as they struggle to bring about centralization, standardization and visibility across disparate remote teams,” he said.
Brickhouse added that SaaS sprawl is going to continue as the number of solutions is growing and the business demand is also increasing.
“Companies want to continue to take advantage of the benefits offered by SaaS,” he pointed out. “So, as SaaS sprawl grows, so does the need to know what those applications are, who has access to them, what data is in them and what controls are in place to protect them.”
This means IT and information security teams need to continue to push for better visibility into the organization’s SaaS usage.
Brickhouse said this can happen through better, more centralized intake processes that allow for IT and information security teams to vet the applications before they are purchased and deployed.
“This can also happen by utilizing solutions designed to discover unknown SaaS applications in use,” he added. “Fortunately, the technology is readily available and can provide instant visibility across your environment.”