The rise of software-as-a-service (SaaS) applications has been a boon to companies small and large. Gartner notes that spending on SaaS solutions is projected to rise from just over $100 billion in 2019 to more than $138 billion by 2022. SaaS pay-as-you-grow pricing models have allowed enterprises to flex as needed and pivot quickly to meet new business demands without making large capital investments. This may involve scaling rapidly, tapping third-party service providers, distributing workflows across geographic regions, enabling bring-your-own-device (BYOD) policies, or any combination of these and other familiar operational strategies.
The challenging part of all this SaaS agility falls on the chief information security officer (CISO)/security team and/or the chief technology officer/IT team tasked with protecting the company’s networks and assets from security breaches. To them, the flexibility of SaaS is a whole lot of unmanageable access that leaves many open doors to data exfiltration. Storing data in SaaS applications means you’re storing data outside of your organization’s perimeter, leaving protection of the data entirely dependent on the security measures the SaaS provider has implemented. For the SaaS customer, that’s a boatload of risk.
Many companies use identity providers like Okta to create users and permissions. Then they rely on VPN or more modern zero trust solutions to secure remote connections. After that, the employee is in and has access to the library of SaaS apps included in the specific security policy that has been assigned to the given worker.
Here’s where the security challenges start to branch out. Workers with access share extensively, both externally and publicly, to drive business enablement with external partners. They may also share with their own private accounts. External collaborators may do that, as well. Over time, vendor contracts expire and employees leave the company… but does their access to corporate systems stop? Maybe. Maybe not.
In the typical company, getting a handle on unmanaged access leads CISOs and IT organizations to pit security against worker productivity. To protect corporate assets, leadership may choose unpalatable endpoint hardening solutions that severely limit end-user freedom to access applications and data, frustrating workers who rely on a broad range of applications in order to fulfill their job responsibilities. Endpoint hardening can even be configured to prohibit all external sharing, which significantly harms business enablement and adds a ton of friction for end users who simply want to do their job and get things done.
Liberal security policies that favor business enablement, on the other hand, make it extremely difficult and labor-intensive to track who has access to what, especially for companies trying to do it manually. Reviewing permissions with spreadsheets every month, writing scripts to check for outdated permissions, and tracking which employees have left the company are time-intensive activities that require constant attention and, most concerning, distract the team managing corporate security from addressing immediate threats across other security verticals (endpoint, infrastructure, mobile, corporate, etc.). Add in managing access for vendors who are no longer under contract and monitoring employees granting access to corporate assets from their personal accounts, and security teams are in an untenable position.
Fortunately, DoControl has the answer. DoControl gives organizations the automated, self-service tools they need to monitor, orchestrate, and remediate data access in SaaS applications. We take a unique, customer-focused approach to the challenge of labor-intensive security risk management and data exfiltration prevention in popular SaaS applications.
By replacing manual work with automation, DoControl reduces the overload of work and complexity that Security and IT teams have to deal with every day. What’s more, DoControl involves all employees as part of the security equation to drive business enablement and encourage a collaborative and frictionless security culture.
Three main components comprise the DoControl solution:
Visibility and automation are the keys to managing data access across your company’s SaaS applications. Face it -- your company needs its SaaS applications. There’s no way around them. If you’re going to have a lot of data residing outside of your security perimeter, you need a partner dedicated to reducing that risk and making it operationally feasible. DoControl covers your SaaS.
This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.
Just as with the cloud, securing SaaS is a shared responsibility. Providers are responsible for ensuring the security of their platforms, but there is an onus on the organization consuming the service to protect itself from data overexposure and exfiltration, as well as cyber breaches and attacks.
In this blog we are going to focus on three of the most widely adopted SaaS applications, based on revenue and growth, as well as just general popularity. We will highlight the pitfalls and security gaps (note: these apps are not inherently insecure!), and how DoControl can help deliver a single, unified strategy for SaaS application security and reduce the risk of both data exfiltration and cyberattacks.