How Does Your SaaS Data Exposure Profile Look?

You would be surprised to know that most companies have thousands if not millions of shared SaaS assets that are unaccounted for, creating a massive risk and threat to the company.

Would it surprise you to learn that as many as 15,000 external collaborators working at over 3,000 different companies may be able to tap into your intellectual property residing in SaaS applications?  


We know this is true because at DoControl, we see it first-hand. Working with companies to secure their SaaS applications and control their unmanaged SaaS data access reveals a lot about how out of control SaaS data access really is. That’s why we wrote the report Quantifying the Immense Risk of Unmanaged SaaS Data Access.


How Much Unmanaged SaaS Data Access is Too Much?

The companies we work with typically have between 500,000 and 10 million assets stored in SaaS applications. For those that allow external sharing through SaaS apps, 18 percent of their SaaS assets are shared externally. 


Does 18 percent sound insignificant? Well, that 18 percent works out to between 90,000 and 1.8 million assets exposed to external parties.


Such exposure stems from the complicated threat landscape created by SaaS deployments. Think about it: Every organization uses SaaS applications for business development, sharing SaaS assets with internal and external parties. At DoControl, we know how huge the problem of unmanaged SaaS data access is. We’ve categorized the risk companies face into seven distinct threat types, and those threat types span the spectrum of individuals or companies with access to any number of an organization’s SaaS assets.


With the power of statistical models and real-world data, we’ve developed an index of SaaS data exposure. We call this the SaaS Data Exposure Profile. Each company accumulates a unique risk profile as mapped across these seven threat types and the number of SaaS subscriptions they use. The SaaS Data Exposure Profile is a quantification of a company’s risk. 


Different scenarios can occur within each threat type, and each poses a different risk to companies using SaaS applications. For example, within the scope of external threats, a company might share SaaS assets to legitimately collaborate with a third-party entity they trust. These entities can be contractors, customers, prospects, analysts, media, or partners to name a few. This close collaboration seems like an acceptable risk.


But the external threat risk is amplified: when an organization shares SaaS assets with a trusted third party, it’s likely that the third-party vendor has a handful of fourth-party contractors they trust with your SaaS assets. Oh, and by the way, of the companies we’ve analyzed, external collaborators have access to an average of roughly 235,000 of a company’s assets. How many of those would you want in the hands of a fourth party?


By sharing assets with external collaborators who are sharing assets with their external collaborators, the risk increases geometrically. And the ability to control data access on a single project that has branched out from first to third to fourth party gets very complex very quickly. Appropriately enough, we call this threat type third-party sharing to fourth parties.


On average, the companies DoControl has analyzed that allow external sharing have data that has been exposed to 42 fourth-party domains!


What Do I Do About My Org’s SaaS Data Exposure?

Once our POV team at DoControl has analyzed a company’s unique SaaS data and asset exposure, we arm that company with the resulting SaaS Data Exposure Profile.


Once their IT and security teams have that (generally, fairly upsetting) index of their SaaS data exposure, they have a baseline to measure their remediation efforts against and greater insight into where they should prioritize their remediation work. 


Check out this representation of a SaaS Data Exposure Profile. 


We’ve touched on the External Sharing threat type, but you’ll note that the index above mentions six more threat types. Tune into our blog each week for deeper explorations of the risk and threat types we measure for in our SaaS Data Exposure Profile indices, such as:


It’s evident that the SaaS data exposure risk landscape is convoluted, complicated, and really tough to get a good view of. We implore you to investigate your SaaS data exposure profile by contacting us to get started on assessing the state of your SaaS data access. 

