Looking Back and Looking Forward on SaaS Security

Just as is with the cloud, securing SaaS is a shared responsibility. Providers are responsible for ensuring the security of their platforms, but there is an onus on the organization consuming the service to protect themselves from data overexposure and exfiltration, as well as cyber breaches and attacks.

A Look Back


Around the turn of the century, Software as a Service (SaaS) applications hit the market, the first being a customer relationship management (CRM) platform, which at the time seemed highly risky. The thought of housing an organization’s sensitive customer data “in the cloud” in the late 1990s is one that most business leaders would have dismissed out of hand. We all know that this gamble later proved to be a sound investment (you know who they are!).


In the early days, SaaS applications were better suited to the startups and SMBs of the world. The enterprise preferred to keep things on-premises, within the confines of its own data centers, and for the reasons outlined above, lifting and shifting workloads to the cloud or folding in SaaS apps was probably not even on the radar for most CIOs. However, with benefits such as multi-tenant economics, lower maintenance costs and high reliability, the SaaS snowball was well on its way to huge growth.


Fast forward through the next couple of decades: the dot-com boom and bust, followed by the recession and, more recently, the global pandemic. These significant events, coupled with major improvements in technology, forced change in the way we do business. Organizations turned to ‘as a Service’ solutions (infrastructure, platforms, desktops and applications, among many others) to become more agile and productive and to drive down cost.


Today, there is much less reliance on on-premises infrastructure and more confidence in the cloud, to the point that even the biggest enterprise organizations are migrating their business-critical applications. Adoption continues to soar and it is fair to say that SaaS has become ubiquitous. According to BCC Research, the global SaaS market for business applications should total $94.9 billion by 2022, up from $44.4 billion in 2017, a compound annual growth rate (CAGR) of 16.4% over that period.


So What About Security?


As with any technology that enables the business, security cannot be an afterthought. It was critical back then and is even more critical now. The downstream effects of getting it wrong can very easily create more problems for the business, quickly overshadowing the benefits that SaaS applications promise to deliver.


Securing and controlling access for every identity and entity in the organization, human and non-human, is critical to maintaining business continuity. Security teams must create and manage users at the identity level, assigning permissions and entitlements to each user’s identities across the services they use. Each user should receive only the access their role requires (least privilege), and solutions need to be flexible enough to grant access or share assets on demand, so that security tooling does not become a blocker to business enablement.


Next, a secure connection needs to be established so that users can reach systems and applications from various endpoints and devices. Today, many organizations rely on Zero Trust Network Access (ZTNA) to broker secure access to applications and to prevent lateral movement within the IT estate. Even with an Identity Provider (IdP), ZTNA and other security tools in place, that is not enough to provide comprehensive protection across the application estate: these controls decide who can reach an application, not what that user, or a third-party integration, can then do with the data inside it.


Throughout last year, organizations worldwide used an average of 110 SaaS applications. That number is much higher for larger organizations, and the growth rate for smaller organizations exploded compared with prior years. This is a problem that scales with adoption for every organization using SaaS to reshape its business: the more applications you have, the less able you are to monitor, control and maintain visibility across the environment. These applications are deeply ingrained in business processes, yet with the traditional solutions on the market there is no way to consistently enforce data access control policies across all of them.


A Look Forward


Customization and openness have been and will continue to be a big reason for the positive trend in SaaS adoption and utilization. As more providers become platform-oriented, more organizations will customize them to meet their specific organizational requirements. SaaS applications need to be flexible, deliver (and enhance) the features their consumers demand, and at the end of the day provide an amazing end user experience to remain relevant in a very crowded market.


Today, organizations share sensitive information as part of the normal course of doing business, but it is very easy for that information to be overshared. Governance is much more challenging in the world of SaaS than in traditional on-premises environments. For example, files uploaded and shared in Slack remain accessible to everyone in the channel or workspace they were shared into unless the files are actively deleted; deactivating the uploader’s account does not remove them. In the case of Box, if a file is distributed to the entire organization through a shareable link, there is no recipient list to consult because the link itself is the credential, so it is near impossible for the IT team to track down who has access. Having visibility of “who has access, and to what” should be table stakes.
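The two governance gaps just described, link-based sharing with no recipient list and files that outlive their owner's account, are straightforward to detect once you have an inventory of shares. The script below is an added example, not DoControl's code and not a Slack or Box API client; it runs over a constructed inventory of share records (the field names and scope values are assumptions for illustration, and in practice the records would come from a provider's sharing export or admin API) and reports the files an administrator cannot fully account for.

```python
"""
Added example: audit a constructed inventory of SaaS file shares for
(1) files exposed through org-wide or public links, where the link is
    the credential and no recipient list exists, and
(2) files still shared although their owner's account is deactivated.
The record layout and scope names are assumptions, not a vendor's schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileShare:
    file_id: str
    app: str          # assumed app name, e.g. "Box" or "Slack"
    owner: str
    scope: str        # "user" = named recipients, "org" = company link, "public" = anyone
    recipients: tuple = ()


# Link scopes for which "who has access" cannot be enumerated.
LINK_SCOPES = {"org", "public"}

# Constructed directory state: accounts still active in the IdP.
ACTIVE_USERS = {"alice@example.com", "bob@example.com"}

# Constructed share inventory (carol@example.com has been deactivated).
SHARES = [
    FileShare("f-001", "Box", "alice@example.com", "user", ("bob@example.com",)),
    FileShare("f-002", "Box", "alice@example.com", "org"),
    FileShare("f-003", "Slack", "carol@example.com", "user", ("alice@example.com",)),
    FileShare("f-004", "Slack", "carol@example.com", "public"),
    FileShare("f-005", "Box", "bob@example.com", "public"),
]


def who_has_access(share, active_users):
    """Return the sorted active accounts that can open the file, or None
    when the share is link-based and the answer is 'anyone with the link'."""
    if share.scope in LINK_SCOPES:
        return None
    return sorted({share.owner, *share.recipients} & set(active_users))


def overshared(shares, active_users):
    """Return (file_id, reason) findings for every share that needs review."""
    findings = []
    for s in shares:
        if s.scope in LINK_SCOPES:
            findings.append((s.file_id,
                             f"{s.scope} link on {s.app}: no recipient list, "
                             "anyone with the link can open it"))
        if s.owner not in active_users:
            findings.append((s.file_id,
                             f"owner {s.owner} is deactivated but the file "
                             f"is still shared on {s.app}"))
    return findings


def findings_by_app(shares, active_users):
    """Count findings per application, useful for prioritising clean-up."""
    by_id = {s.file_id: s.app for s in shares}
    counts = {}
    for file_id, _ in overshared(shares, active_users):
        counts[by_id[file_id]] = counts.get(by_id[file_id], 0) + 1
    return counts


if __name__ == "__main__":
    for file_id, reason in overshared(SHARES, ACTIVE_USERS):
        print(f"{file_id}: {reason}")
    print(findings_by_app(SHARES, ACTIVE_USERS))
```

A real audit would feed the same two checks from the provider's sharing metadata joined against the identity provider's user status; the point of the example is that the "org" and "public" branches return no recipient list at all, which is exactly why link-based sharing is so hard to govern after the fact.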


The same customization and openness should be provided by your SaaS security vendors. Being able to define granular data access control policies and govern access across a wide variety of SaaS applications is a requirement in today’s landscape. The more SaaS platforms are customized, the more challenging it is to secure data access, and that challenge compounds with every additional application in use.


With Great Power Comes…A Shared Responsibility


As stated at the outset, securing SaaS is a shared responsibility: the provider secures its platform, while the consuming organization owns its identities, configuration, sharing settings and the data it puts into the service, and must protect itself from data overexposure and exfiltration as well as breaches and attacks. DoControl is here to partner with organizations of all sizes and types to help them establish a strong SaaS security posture. Organizations that depend on SaaS applications and services to run their business need to ensure they are consuming them securely.


Request a meeting to assess your own SaaS application risk, or if you’re not ready, download our report that benchmarks unmanaged data access risk so you can assess your own threat landscape.

