SaaS Challenges and Security Risks

SaaS is driving the journey to digital transformation, with cloud application services dominating end-user spending. Gartner predicts that spending on SaaS will top $195 billion by the end of 2023. But while SaaS applications create efficiencies and boost productivity, especially for remote teams, the rapid growth of SaaS also brings with it some serious security risks.

The Growing SaaS Security Problem

With so many SaaS apps to choose from, companies are implementing—and often discarding—them so quickly that it’s challenging for IT and security teams to keep pace. And even though most security teams recognize the security risks that the countless configuration settings of today’s apps create, they’re not necessarily doing anything about it.

A recent study found that while 66% of IT and security pros said SaaS apps have increased their security risk, only 21% said they’re concerned about security non-compliance. That leaves a lot of companies open to threats.

Shadow SaaS—apps that employees use without the knowledge of their security or IT teams—are of particular concern. And rightly so, because 80% of employees admit to using apps that haven’t been approved. As a result, over half of organizations have dealt with data breaches caused by third-party apps or services.

Developing a Comprehensive SaaS Security Strategy

To reduce this risk, more and more organizations are adopting a holistic approach to SaaS management, one that addresses both business value and risk management together in one place. This approach helps solve the challenges IT, security and risk teams face by removing silos and providing a big-picture view of the SaaS application landscape, enabling actionable visibility into both data security risks and spend optimization opportunities.

And while that sounds great in theory, a major stumbling block to this approach is how to involve internal stakeholders. Often, internal stakeholders don’t fully understand the concerns behind SaaS sprawl—and the impact it has not only on IT teams but on the overall security and success of the organization.

Despite this, it is possible to successfully raise these issues and gain internal support for SaaS security processes—if you take the right approach to building buy-in.

4 Steps to Drive SaaS Collaboration

Building a case for SaaS security requires open communication and collaboration. Here’s how to make it work:

1. Facilitate SaaS Adoption Discussions

Without open discussions about where and why individual apps are used, it’s impossible to gain complete clarity over the broad use of SaaS across an organization. Ask questions about the essential apps for each team, popular browser extensions and how user and data access are managed for these. Are service level agreements (SLAs) in place to address issues or misconfigurations?

2. Paint the Big Picture

Security and IT teams deeply understand the risks that excess apps can bring an organization, but most stakeholders and employees don’t. That means it’s up to you to highlight the dangers of uncontrolled SaaS sprawl and the impact that a seemingly innocuous shadow app (perhaps one that someone has innocently downloaded to boost their productivity) could have on the entire organization if not managed correctly.

3. Establish and Enforce SaaS Policies

If your organization doesn’t have a policy around how employees use SaaS, you need one. It’s essential to develop and set the standard for how any new app is onboarded. Be sure to include steps that cover risk assessment, data handling and potential exposure implications, all of which should happen before any new app is connected to the company environment. This company policy should be transparent to all internal stakeholders.

4. Build a Collaborative Review Process

Developing a SaaS strategy isn’t a set-it-and-forget-it process. Continual evaluation is vital to improving strategy effectiveness over time, so plan to review your strategy at least annually. Assess factors like the ability to discover shadow apps, monitor users added to the environment, gain utilization insights and optimize the settings and configurations of any apps, alongside tracking spending trends and potential duplications.

Don’t Allow SaaS to Be Your Cybersecurity Weakness

SaaS isn’t going anywhere anytime soon. And with each application not properly managed, the security gaps only grow wider. But with a collaborative approach to designing and implementing your SaaS security strategy, it’s possible to zoom in on what matters, reduce risk and create an organization fit for the future.


Amir Ofek

Amir is the CEO of AxoniusX. Prior to Axonius, Amir was the CEO of Alcide (acquired by Rapid7), and CyberInt. Before that, he worked at Amdocs, where he served as VP Client Business Executive for the SingTel Group, and as the Chief of Staff to the CEO. He also served as a board director at Gilat Satellite Networks. Amir was a Captain in the IDF 8200 Unit and holds a BSc. (Cum Laude) in IT Engineering from the Technion and an MBA from INSEAD. When Amir is not working, he enjoys spending time with his wife and their two baby daughters.
