A Look Back
At the turn of the century, Software as a Service (SaaS) applications hit the market, the first being a customer relationship management (CRM) platform, which in hindsight seemed highly risky. The thought of housing an organization’s sensitive customer data “in the cloud” – in the ’90s – is one that most business leaders would easily have dismissed. We all know that this gamble later proved to be a sound investment (you know who they are!).
In the early days, SaaS applications were certainly better suited for the startups and SMBs of the world. The enterprise preferred to keep things on-premises, within the confines of their own data centers. At the time, the thought of lift and shift, and folding in SaaS apps was probably not even on the radar for most CIOs, for the same reasons outlined above. However, with benefits such as multi-tenancy, lower maintenance costs and high reliability, the SaaS snowball was well on its way to huge growth.
Fast forward through the next couple of decades: the dot-com boom happened, followed by the recession and, more recently, the global pandemic. These significant events, coupled with major improvements in technology, forced a change in the way that we do business. Organizations turned to ‘as a Service’ solutions (e.g., infrastructure, platforms, desktop and applications, among many others) as a means to become more agile and productive, and to drive down cost.
Today, there’s much less reliance on on-premises infrastructure and more confidence in the cloud, to the point that even the biggest enterprise organizations are migrating their business-critical applications. Adoption continues to soar, and it's fair to say that SaaS has become ubiquitous. According to BCC Research, the global SaaS market for business applications should total $94.9 billion by 2022, up from $44.4 billion in 2017, at a compound annual growth rate (CAGR) of 16.4% within the same timeframe.
So What About Security?
As with any technology that enables the business, security cannot be an afterthought. It was critical back then and is even more critical now. The downstream effects of treating it as one can very easily create more problems for the business, quickly overshadowing the benefits that, in this case, SaaS applications promise to deliver.
Securing and controlling access to all the identities and entities within the organization is critical to maintaining business continuity. Security teams must create and manage users at the identity level, assigning permissions and entitlements to each user’s various identities and services. Only the appropriate amount of access should be assigned to each specific user, and solutions need to be flexible enough to allow access or share out assets on demand, so that security tools do not become a blocker to business enablement.
Next, a secure connection needs to be established to enable users to connect to systems and applications from various endpoints and devices. Today, many organizations rely on Zero Trust Network Access (ZTNA) to broker secure access to applications and disallow lateral movement within the IT estate. Even with an Identity Provider (IdP), ZTNA and other security tools in place, that is not enough to provide comprehensive protection across the application estate.
Throughout last year, organizations worldwide used an average of 110 SaaS applications – that number is much higher for larger organizations, and the percentage growth rate for smaller organizations exploded from years prior. Every organization using SaaS to reshape its business faces a problem of scale: the more applications you have, the less able you are to monitor, control, and have visibility throughout the environment. These applications are deeply ingrained in business processes, yet there’s no way to consistently enforce data access control policies across them with the traditional solutions on the market.
A Look Forward
Customization and openness have been and will continue to be a big reason for the positive trend in SaaS adoption and utilization. As more providers become platform-oriented, more organizations will customize them to meet their specific organizational requirements. SaaS applications need to be flexible, deliver (and enhance) the features their consumers demand, and at the end of the day provide an amazing end user experience to remain relevant in a very crowded market.
Today, organizations share sensitive information as part of the normal course of doing business – but it's very easy for that information to be overshared. Governance is much more challenging in the world of SaaS than in traditional on-premises environments. For example, files that are uploaded and shared in Slack remain accessible to anyone unless the files are actively deleted. Even if the user’s account is deleted, the files can still remain accessible. In the example of Box, if a file is distributed to the entire organization through a shareable link, it's nearly impossible for the IT team to track down who has access. Having visibility over “who has access and to what” should be table stakes.
The same customization and openness should be provided by your SaaS security vendors. Being able to provide granular data access control policies and govern access to a wide variety of SaaS applications is a requirement in today’s landscape. The more customized SaaS application platforms become, the more challenging it is to secure data access – and that challenge is compounded as more applications are leveraged.
With Great Power Comes…A Shared Responsibility
Just as with the cloud, securing SaaS is a shared responsibility. Providers are responsible for ensuring the security of their platforms, but there is an onus on the organization consuming the service to protect itself from data overexposure and exfiltration, as well as cyber breaches and attacks. DoControl is here to partner with organizations of all sizes and types to help them establish a strong SaaS security posture. Organizations consuming SaaS applications and services that are critical to running their business need to ensure they are doing so in a secure way.
This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.