We examined the risks of identity sprawl across 46 unique enterprises, constructing a SaaS-Identity fabric, and found that every organization is affected by the ever-expanding growth of SaaS and identity decentralization.
Every day, employees are using SaaS and creating a new, dynamic identity perimeter that is the top target of attacks. This creates an identity sprawl problem that is growing bigger every day. Grip secures your enterprise identity perimeter.
We examined the risks of identity sprawl across 46 unique enterprise SaaS-Identity attack surfaces and found that every organization is affected by the ever-expanding growth of SaaS and identity risks — from missing controls, security gaps, policy dodging, and basic inherent risk to identities in SaaS relationships.
In this series, SaaS Stats, we will explore what we found. And you can too.
Enterprise SaaS Estate
The explosion of SaaS adoption has led to unprecedented identity sprawl, with some employees creating hundreds of SaaS accounts over time. Most of these accounts are created with just an email and password, and this has now become the new perimeter for the modern enterprise. Identities are assets, not people. Identity assets are entrusted to people we call “users”. As users spread identities everywhere, it becomes possible to identify, analyze, and secure those identities, whenever and wherever SaaS is used. By examining how SaaS is consumed by identities, organizations can get a panoramic view of their SaaS-Identity attack surface. And even if the initial results are overwhelming (with an average of 2,762 apps), securing that SaaS estate can be simplified by focusing on identity — carrying security controls, policies, and protections into SaaS relationships. This is a Grip trick that enables security teams to protect more than they can touch: centralizing controls and decentralizing enforcement.
Contextual Identity Risk
According to Gartner: “In an environment with assets everywhere and access from anywhere, identity and context have become the ultimate control surface”. We agree. Upon examining the context (SaaS) and identities in SaaS relationships, we can develop what Gartner calls “the ultimate control surface”. However, many traditional controls have fallen short, not because of ineffective tech or tooling for identities, but because the context changed. Most identities consume most SaaS services outside the direct control or oversight of IT and security teams. In fact, KPMG has estimated that 85% of SaaS services will be business-led SaaS — characterized by business groups identifying, sourcing, and servicing their own SaaS services and apps, outside the direct control of IT.
With this context-change in mind, you can see how we found 97 unique SaaS services with missing controls and a SaaS Identity Risk Index (SIRI) of less than 50. Risk is compounded when several missing controls occur together, enabling exploit chains from eroded traditional gateways like single sign-on (SSO), multi-factor authentication (MFA), password rotation, justified use/authorization, and dangling access. This is an emergent phenomenon, made possible by entrusted users spreading identities to tools to get their job done and a strategy that intends decentralized responsibility for SaaS in the organization.
Past, Present, and Future
One of the key aspects of Grip’s discovery is taking the historic perspective, looking back through time to pinpoint SaaS-Identity relationships and track their use to the present day. Additionally, Grip’s continuous discovery captures new SaaS coming into the environment via identity assets (username, email). While a person’s permitted use of a corporate identity, 72% of identities will fall into risky SaaS relationships. But, by maintaining a steady view on the SaaS-Identity attack surface, security teams can safeguard identities without disrupting business-led IT strategies or user choice.
Enterprise security depends on identity security. In today's digital enterprise, identity threats are on the rise, and the need for robust security measures to protect enterprise identity assets has become essential. Identities are assets, not people — and identity assets are uniquely entrusted to custodians we call “users”. The challenge for identity security is to enable protection for identities whenever and wherever users take them, shielding identities from exploits and toxic combinations that are key targets for cybercriminals.
Grip User Access Reviews
Grip’s mission is to empower every security team to safeguard identities and SaaS services — customers and clouds, employees and websites, partners and portals, users and apps — anyone and anything. Grip SSCP discovers, graphs, and checks your SaaS identity attack surface and mitigates SaaS-Identity risk with automated workflows and simple integrations across the security ecosystem. With Grip, organizations can safeguard identities, whenever and wherever SaaS is used.
Here, we will spotlight one of Grip’s key features in Report Center, User Access Reviews: on-demand insights to streamline compliance and reporting and to mitigate identity risks — anywhere, everywhere, and on-demand.
Compliance-driven User Access Reviews
Validate compliance with standards and regulations with timed, scheduled reporting to know which SaaS are used, by whom, and which security mitigations are working.
On-demand Access Awareness
Get complete visibility into SaaS with exposures to specific assets, automatically prioritized based on the highest risk, accessibility, and impact of compromised access.
Respond to Threats, Anywhere and Everywhere
Identify usage of breached or compromised SaaS services, relevant to your organization based on continuous discovery, pivoting to similar SaaS services or those susceptible to SaaS lateral movement — validating protection for all identities, whenever and wherever SaaS is used.
Dissect User Access Like Never Before
Get insight from out-of-the-box reports calibrated to key SaaS types, assets, and capabilities across all users — including SaaS services with risky functions like file sharing, financial data, and privacy risks to sensitive data. Cross-reference SaaS with exposures to specific assets and users engaged with those apps, including authentication methods used and missing controls. Remove duplicate SaaS functions and capabilities by pinpointing key capabilities shared across SaaS, reducing duplicative SaaS and reining in identity sprawl.
Supercharged Operational Efficiency
Track real-world SaaS usage, pinned to groups associated with one or multiple SaaS services, including billing, payments, and administrative business units. Carve out the riskiest identity-SaaS relationships with one-click visibility into dangerous and toxic combinations of SaaS and identity exposures before they become exploits. Harness on-demand reporting and search queries across the enterprise SaaS layer, or schedule time-based reports for compliance attestation to be always audit-ready.
Grip empowers security teams to impact more than they can touch, giving them a panoramic lens to discover their unique identity fabric and the power to infuse security into identities to achieve secure outcomes whenever and wherever their organization’s identities are used.
That’s why leading organizations choose Grip for universal identity security in every SaaS connection — past, present, and future.