In today’s business reality of increasingly distributed workflows that allow employees to work remotely and facilitate external collaboration with contractors, partners, customers, and others, software-as-a-service (SaaS) solutions are steadily gaining traction in nearly every industry and all phases of business operations. SaaS solutions make work more efficient. But there’s a downside, too. This growing dependence on cloud-based software means data is being stored outside the corporate perimeter, increasing company exposure to a growing cyber threat that many executives either don’t recognize or don’t know how to address.
Those who understand the SaaS marketplace are undoubtedly familiar with Gartner’s prediction for market growth: Spending on SaaS solutions is projected to rise from just over $100 billion in 2019 to more than $138 billion by 2022. So the problem of unmanageable data access due to the pervasiveness of SaaS applications is just getting bigger over time.
Consider a hypothetical wherein Acme Enterprise hires Top Tech, a technical services provider, to perform a custom integration of Acme’s infrastructure stack. The project goes as planned, but afterward, Acme neglects to turn off Top Tech’s access to its systems and doesn’t even know exactly what access Top Tech has. Acme is running a risk that someone at Top Tech will take advantage of this opening and secretly exploit it.
Alternatively, even if Top Tech’s integrity is beyond question, Acme is still vulnerable to exploitation of Top Tech by bad actors. If a single Top Tech endpoint is breached, the takeover of that Top Tech account can serve as a springboard for the attacker to make the jump over to Acme’s networks and data. Acme has no influence over Top Tech's security program, which may or may not meet Acme's requirements. By allowing Top Tech's access to Acme's company data to persist, Acme is subject to potential data breaches suffered by Top Tech's employees.
With all the external collaboration that is commonplace today, once a project is delivered, it’s not unusual for the company to fail to return to the SaaS applications employed in the project and remove company data that’s been shared or shut down access privileges for external parties. Or when a SaaS application has an ongoing use beyond the project lifecycle, it’s often still accessible to ex-employees, contractors no longer working for the company, former partners and others who have no legitimate reason to access the data. So the apps become a point of vulnerability, both externally and internally.
The SaaS applications security issue is not unique, of course. It’s part of the larger data protection discussion that has been the source of ongoing tension between those responsible for security and those focused on business enablement. While those on the business side want to go about their jobs without being stalled by security precautions, the security team knows that vulnerabilities can undermine the entire corporation with just one major breach. So how does the security team combat this?
One of the basic tenets of corporate security has been the least privilege standard – that is, an employee, contractor, vendor or third-party partner should be given only the essential access privileges necessary to fulfill their assigned duties. Embracing the principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application that has unwarranted permissions assigned to it. By limiting access through least privilege, attackers who successfully breach corporate security will be able to make fewer lateral moves within the corporate IT environment, reducing the likelihood that they will be able to have free rein within the corporate perimeter.
Least privilege is a logical and valuable approach, but as workflows become ever more distributed and the number of parties needing access to essential systems has exploded, it’s become an administrative nightmare to handle manually. Requesting permission from the security team for access results in a bottleneck for the business side, and the security team doesn’t have an easy way of determining what access should be granted, what sources are relevant, for how long the access should be allowed, etc. And once access is no longer needed, shutting it off can be a cumbersome manual process that often goes neglected.
Without automation, there is no way to scale a least privilege model, which means that as the company’s SaaS portfolio and reliance on external resources grow, least privilege devolves from a policy to little more than an aspiration. This is the point at which IT and security teams should be saying, “There’s got to be a better way.” To which we respond, “There most certainly is!”
DoControl offers automated, self-service tools to quickly establish and terminate least privilege parameters at scale. The three components of the DoControl platform empower IT and security teams to boost security throughout the organization without limiting business enablement:
Now companies can avoid the manual processes they’ve struggled with in the past to manage data access and use one platform to identify and remediate vulnerabilities arising from growing reliance on SaaS applications.
DoControl reduces the workload and complexity for the security and IT teams, but it also encourages everyone in the organization to protect vulnerable data. All employees become part of the security equation, driving business enablement and encouraging a collaborative and frictionless security culture.
This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.
Just as with the cloud, securing SaaS is a shared responsibility. Providers are responsible for ensuring the security of their platforms, but there is an onus on the organization consuming the service to protect itself from data overexposure and exfiltration, as well as cyber breaches and attacks.
In this blog we are going to focus on three of the most widely adopted SaaS applications, based on revenue and growth, as well as just general popularity. We will highlight the pitfalls and security gaps (note: these apps are not inherently insecure!), and how DoControl can help deliver a single, unified strategy to SaaS application security and reduce the risk of both data exfiltration and cyberattacks.