Okta recently launched its annual “Businesses at Work” Report, which highlights the most popular application categories, top-performing and fastest growing apps, the “best tools for the job,” and much more. Okta prides itself on the over 6,500 application integrations they support for their customers to manage and secure user authentication, as well as for developers to build identity controls into apps, website web services and devices. The report standardized a rather significant cluster of data across their 17,000 customers of both small businesses and larger enterprises. As a result, Business at Work serves as an excellent benchmark that provides trends and observations across some pretty compelling categories.
DoControl is hyper focused on securing business-critical Software as a Service (SaaS) application data. With that in mind, we peeked into the report to expose some of the key findings that were more data-centric in nature. SaaS applications generate massive amounts of data, some of which is sensitive and privileged information (i.e. trade secrets, proprietary info, financials, etc). One of their primary use cases in leveraging SaaS is to bring agility to speed for consumers of the service, that way they can drive business enablement and go-to-market faster. From the report:
“Some companies find they are best served by double bundling — deploying more than one productivity suite — and it’s a trend that’s on the rise. This year, 42% of Okta’s Microsoft 365 customers also deploy Google Workspace.”
There’s an obvious redundancy in the functionality that productivity suites are bringing to the business, but it certainly allows for better collaboration; especially between contractors, third parties, partners, customers and more who all use different tools to be productive. However from a security perspective, this is adding to the problem of security becoming more and more decentralized. The amount of SaaS data that becomes accessed, shared, and manipulated by internal and external users becomes unmanageably high – especially for midsize and enterprise organizations. Modern businesses need a unified approach to protect user access and ensure data is not overexposed to the wrong groups, domains and users.
Categories such as content collaboration and video conferencing — which were strong performers in the report from last year — continued to grow. From there report:
“21% YoY for content collaboration apps by number of customers, and video conferencing grew 19% YoY by number of customers.”
While some companies have gone back into the office, many remain in a hybrid or fully remote structure. These two categories are undoubtedly the primary business enablement tools for most companies. If IT and security teams really dug into it they would quickly recognize they have a data management and overexposure problem – and that is mainly driven by the applications within this specific category. The fact is there’s a lot of content generated within these applications – and some of which is highly sensitive. Access controls need to be in place to enable and revoke access (i.e. least privilege), as well as ensuring password protection on sensitive files based on user’s identities. There’s a misconception that sensitive data only exists in static format – think about a Zoom meeting – it's very common for people to share sensitive information over Zoom compared to jotting it down and sharing it via email. These recordings should be password protected, as well as the text-based files that are generated (i.e. the dialogue should be scanned for PII to mitigate the risk of data leakage).
The trend of BYOD strategies continues to rise, and the confluence between work life and personal life are well underway. The report states:
“25% YoY customer growth as corporate environments increasingly support bring-your-own-device (BYOD) policies.”
BYOD is now the de facto standard, and the commingling of personal applications on corporate sanctioned devices (and vice versa) is also becoming the norm. Adoption rates of BYOD are more than half for computers, tablets, and smartphones, with no signs of slowing down. Organizations need a way to ensure that all these personal devices — whether owned by third-party contractors, vendors, or employees — are not introducing risk. Moreover, there is a need for additional layers of access controls to support BYOD strategies, which is not the case with many traditional CASB solutions and other alternative proxy-based approaches. Implementing security controls should have no bearing on which devices users are leveraging to connect to the applications and access data.
Zero Trust went from the marketing buzzword of choice to a practical reality for most modern businesses. One of the pillars of Zero Trust is “never trust, always verify” – especially at the initial point of access. As traditional network perimeters evaporate, “identity” has become the new security perimeter. Identity security controls should be driven by context cues and access policy configurations to support Zero Trust strategies. The report shows:
“80% of all organizations say Identity is important to their overall Zero Trust security strategy, and an additional 19% go so far as to call Identity business critical.”
Identity security is core to Zero Trust, however the concept of Zero Trust is something you aim to achieve, it can never be fully realized. To better align with the guiding principles of Zero Trust security needs to go beyond the identity, device and network layer.
There's an undeniable shortage in IT and security professionals in the market today. There is also a stark reality of having to deal with an overwhelming set of manual tasks to uphold organizational security, enable their remote work staff, onboard and offboard users, so on and so forth. From the report:
“Tech leads in the number of live accounts deploying workflows and ranks second for workflows per live account with an average of 38. Professional services, which boasts an average of 30 workflows per account, comes in second. Manufacturing, financial services, and banking finish close behind at No. 3 and No. 4, respectively, by number of live accounts.”
Automated workflows that are simple to configure and implement are becoming table stakes in order for IT and security teams to navigate their workloads effectively. Companies across all industry verticals are adopting workflows that automate processes at scale without the need to write any code. When it comes to SaaS application and data sprawl, the use of automated security workflows is necessary in order to effectively scale with the business and avoid technical debt.
Strong Identity controls are often at the center of many organization's security programs. These controls need to be applied across complex ecosystems; maximizing security as threat models rise and emerge, while driving automation to give precious time back to IT and security teams. Security cannot stop at the Identity level, it needs to go further down the stack. Going further down the technology stack means focusing on the lower levels of the technology infrastructure that form the foundation upon which higher-level applications and services are built. You can't build a great building on a weak foundation. Learn more about DoControl’s approach to security automation for business-critical SaaS applications.