May 2, 2024
May 2, 2024
SaaS security ought to be a major priority for every organization. The widespread adoption of SaaS applications without IT oversight has led to a significant surge in unmanaged SaaS risks, presenting a complex security challenge. But just how extensive is the issue of SaaS sprawl, and what are the resulting risks to SaaS security?
Software as a Service (SaaS) presents both organizational opportunities and challenges. While SaaS technology offers efficiencies for employees, for security teams, SaaS introduces security risks akin to herding cats: difficult to control with many logistical challenges, AKA “SaaS sprawl.”
While SaaS sprawl isn't a new concern, the rising threats certainly are. This article explores the state of SaaS security and the hurdles that SaaS sprawl poses, and presents tips for managing your SaaS identity risks more effectively. Let’s dive in.
The SaaS market thrives on customer demand—organizations pursuing heightened productivity, cost reductions, and enhanced operational efficiency, to name a few common use cases. According to Statista, SaaS adoption is growing at a staggering rate, with the global market projected to reach $232 billion in 2024. The average company's SaaS portfolio has swelled to 371 apps, a whopping 31% spike in just two years. But while the number of apps skyrockets, user adoption often falls by the wayside. Shockingly, over half of those app licenses sit idle, practically begging cyber intruders to sneak in through forgotten or abandoned accounts.
According to Gartner, by 2027, 75% of employees will acquire, modify, or create technology outside of IT’s visibility— up from 41% in 2022. Unauthorized SaaS applications, known as "Shadow IT," pose significant security risks, as the apps themselves were initiated outside of IT’s purview and may not have appropriate security controls in place, not to mention that most app trial accounts require only a username and password. 80% of data breaches stem from weak or reused passwords. When employees start their own SaaS subscriptions, the responsibility for creating (and updating) strong passwords falls on the employee, leaving security teams to hope for the best regarding their choices.
Employee churn is inevitable. Involuntary separation. Layoffs. Employees moving on— churn is a fact of professional life in every organization, although how much varies significantly by company and industry sector. The US national average for employee turnover is 17%; however, with the economic downturn and recent onslaught of layoffs, we saw hundreds or even thousands of employees abruptly departing in a single day. The potential for zombie accounts grows exponentially in these scenarios. When SaaS subscriptions are initiated outside IT’s knowledge, the accounts linger on from gaps in identifying their existence, and subsequently, not shutting them down after the employee has left. In a study by Salt Security, 54% of respondents indicated zombie accounts are a high concern— cited as one of their top API security concerns.
Research on gaps in offboarding SaaS access shows that 31% of employees still have access to a former employer’s software accounts—an open invitation for malicious activity from a disgruntled employee or a bad actor taking advantage of orphaned accounts. So why not close the gaps?
Ponemon research cites that only 36% of organizations have visibility into the level of access and permissions that both internal and external users have, and 59% do not revoke credentials when appropriate. If you’re struggling with your SaaS security, identifying and revoking user access, you’re not alone— it’s problematic for many organizations.
The Identity Defined Security Alliance 2022 Trends Report showed that 84% of organizations experienced an identity-related breach in the last year. But here’s the kicker: 96% of those organizations said the breach could have been prevented or minimized had they implemented an identity risk management solution.
Employees are choosing the tools they want and need to perform their jobs, which means more apps, more shadow IT, and more identities exist today than ever before. Unless SaaS identity risk management practices also evolve, more SaaS identity breaches will occur. Visibility into SaaS usage is not a nice-to-have; it's table stakes, given our current SaaS environment.
You don't have to be the one contributing to the stats and numbers mentioned in this article; you can take proactive steps to tackle SaaS sprawl and reclaim control over your organization's SaaS risks. Since accounts can originate and be accessed virtually anywhere, managing identities becomes your primary leverage point. Identities are assets, not individuals. By implementing policies for each identity, you empower yourself with controls and safeguards every time that identity is used. Developing an identity security framework is a good first step.
Identities are assets, not individuals.
Developing an effective identity security framework requires a comprehensive understanding of your organization's unique needs, challenges, and objectives. To begin:
Security teams must assess the risk associated with the extent of control a SaaS service holds, whether it’s a specific functionality or a control shared across multiple SaaS solutions (like file sharing or OAuth grants). Understanding the capabilities of each SaaS platform allows security teams to prioritize their efforts based on the potential impact or 'blast radius' of an attack if a SaaS service or its connected identity is compromised.
The final step in protecting users from identity exploits involves standardizing enforcement across the board. AI-powered enforcement allows for the dynamic application of security policies to SaaS services. Whenever an identity accesses a SaaS service, even during initial signup, security teams can immediately apply a protective plan according to the inherent risk of the identity, the context of the app, and aligned with the predefined policy for identity-SaaS relationships.
Malicious actors look for orphaned and abandoned accounts. Because they fly under IT’s radar, zombie accounts are easier to exploit. Given the hefty price tag if the bad actors are successful, gaining visibility into your shadow IT and rogue accounts should rank high on the to-do list for all organizations. And Grip is dedicated to jumpstarting your SaaS security success.
Uncover your organization’s hidden SaaS risk and identity security gaps with a free SaaS identity risk management assessment. Let our team show you which authentication methods employees use to access SaaS tools, who is using shadow SaaS apps, where idle SaaS licenses exist, and pinpoint former employees who still have access to your software and systems. Book your free assessment now.
Gain a complete view of your SaaS usage—including shadow SaaS and rogue cloud accounts—from an identity-centric viewpoint. See how Grip can improve the security of your enterprise.
Fill out the form and we’ll send you our Datasheet.
Give us a test drive.
Fill out the form and we’ll get in touch with you.
Fill out the form and watch webinar's video.
