SaaS Security For Business-Led IT

Shadow IT has a new name. Welcome to the world of business-led IT—it's officially a thing. According to Gartner, Inc. webinar (registration required), almost 80% of organizations reported high value from business-led IT, characterized by business teams identifying and sourcing technology—especially software as a service (SaaS).

At first blush, it may seem like organizations are responding to the Covid-19 pandemic with work-from-home demands. Upon closer inspection, however, we see how the pandemic merely accelerated a path we were already on. Organizations have piecemealed business-led SaaS through exception management and special teams, spinoff digital initiatives and, finally, punctuated with the inauguration of modern work.

Shadow IT vs Business-Led IT

What does this mean for security? The trend away from shadow IT to business-led IT is a paradigm shift for security—replacing the impulse to seek and destroy "rogue" apps with a deliberate approach to safeguard their digital organizations, from police enforcement to safety engineering. This requires unifying the global SaaS attack surface and applying universal, identity-centric protections to adapt to SaaS today and SaaS yet to be adopted—core IT and business-led, sanctioned and unsanctioned, guarded and unguarded.

Today, business-led IT has become an end in itself—accelerating business activities from tactic to strategy. Let's break down the transition from shadow to business-led IT by the numbers and explore the implications of securing the SaaS attack surface.

• Gartner found that up to 36% of technology spend is business-led IT, characterized by business teams identifying and sourcing technology outside of formal IT budgets, selection, procurement and security.

If we follow the money, in 2020, nearly four out of every 10 technology dollars will be spent outside of IT. Clearly, organizations are finding it acceptable for business groups to find, source and support their own technology—especially knowledge workers in highly skilled positions, which have overflowed in recent years.

For security leaders, the trend away from shadow IT to business-led IT is a tectonic displacement, removing the impulse to find, prevent, block and restrict and, instead, taking a conscious and deliberate approach to apply safety to SaaS wherever it is adopted.

Understanding SaaS Security

• According to the Gartner webinar, 76% of organizations report high value from embracing business-led IT strategies. Companies are experiencing value by embracing what was once shadow IT, which is now the intentional and deliberate way to source and support modern work.

For security leaders, this means delivering security "like-a-service" to the organization, especially for business-led SaaS. For example, this can include giving users automatically generated strong passwords that are vaulted and instantly integrated into a single sign-on (SSO) experience. The key is to achieve this without directly managing the SaaS app but extending standard protections upon its creation.

• According to KPMG, by the year 2031, the business-led side of the SaaS attack surface will be four times larger (80/20) than core IT, managed SaaS. Applications managed via business-led strategy will stand at 85%, significantly outweighing and outnumbering core-IT SaaS.

For security leaders, this means delivering security outcomes, not security control. The standard playbook called for solutions to curtail SaaS growth (CASB) and restrict access (IAM), but it is clear the playbook has failed. If the playbook had worked, then the playbook would have worked. It's time to rethink what it means to deliver secure outcomes when the lopsidedness is fully realized and what was once "shadow" is just "standard practice."

The coming tide of business-led SaaS creates new demands and challenges for security teams, and existing solutions just aren't tuned for the character of security in the age of business-led IT and modern work.

• According to SSO Tax, the average license hike for SSO-enabled editions of popular business-led SaaS was 315%. Additionally, applying SSO to every SaaS app (including business-led SaaS) is often too difficult to realize in practice because of the overwhelming scope of cloud apps and services—with a 2019 Netskope report (download required) finding that "enterprises have an average of 1,295 cloud services in use."

Here, we find one of those rare cases of a known and untouched security gap not out of fatalism but the impracticability of realizing secure access to all business-led apps on the SaaS attack surface. Why is that?

First, it is impracticable because the SaaS attack surface is simply too diverse and big to realize secure access to everything, especially business-led IT SaaS. Second, deploying something like Okta for single sign-on (SSO) to all your business-led apps is impractical because it is far too costly to both license SSO-enabled accounts and maintain SSO functionality for all SaaS vendors and identity providers (IdP). Third, onboarding apps and offboarding users is already a graveyard of failed technologies for most security teams—business-led SaaS is a tiger the likes of CASB, IAM and SSPM cannot tame.

Conclusion

Every organization is different, but one thing is certain: Business-led SaaS is growing, evolving and adapting without security in mind—rocketed forward by strategies for modern work. This is what is leading to the outsized share of unsanctioned and unguarded SaaS apps outpacing and outnumbering the domesticated apps sanctioned and guarded behind IT processes and security tools like SSO and CASB.

For the wild herd of business-led SaaS, a new order is called for—one that unifies SaaS security to safeguard business-led SaaS just as tenaciously as core IT SaaS but without interference. Reimagine security's role from law enforcement to safety engineer with a mandate to keep SaaS safe for everyone, everywhere and all the time.

This article originally ran in Forbes, an American business magazine that features articles on finance, industry, investing, and marketing topics.