This past January, a SaaS Security Posture Management (SSPM) company named Wing Security (Wing) made waves with the launch of its free SaaS-Shadow IT discovery solution. Cloud-based companies were invited to gain insight into their employees’ SaaS usage through a completely free, self-service product that operates on a “freemium” model. If a user is impressed with the solution and wants to gain more insights or take remediation action, they can purchase the enterprise solution.
“In today’s economic reality, security budgets have not necessarily been cut down, but buyers are far more careful in their purchasing decisions and rightfully so. We believe that you cannot secure what you do not know, so knowing should be a basic commodity. Once you understand the magnitude of your SaaS attack layer, you can make an educated decision as to how you are going to solve it. Discovery is the natural and basic first step and it should be accessible to anyone.” said Galit Lubetzky Sharon, Wing’s Co-Founder and CTO
The company reported that within the first few weeks of launching, over 200 companies enrolled in their self-service free discovery tool, adding to the company’s existing customer base. They recently released a short report on the findings from hundreds of companies that unveiled SaaS usage, and the numbers are unsettling.
The Tangible Risks of Growing SaaS Usage
In 71.4% of companies, employees use an average of 2.4 SaaS applications that have been breached in the past three months. On average, 58% of SaaS applications are used by only one employee. A quarter of organizations’ SaaS users are external. These numbers, along with other interesting data, are found in the company’s report, along with explanations as to why they believe this is the case and the risks that should be taken into consideration.
SaaS usage is often decentralized and difficult to govern, and its advantages can also pose security risks when ungoverned. While IAM/IM systems help organizations regain control over a portion of their employees’ SaaS usage, this control is limited to the sanctioned SaaS applications that IT/Security knows about. The challenge is that SaaS applications are often onboarded by employees without involving IT or security teams. In other words, this is SaaS Shadow IT. This is especially true for many SaaS applications that don’t require a credit card or offer a free version.
The common scenario is that of an employee, often remote, looking for a quick solution to a business problem. The solution is often an application that the employee found online, granted permissions to (these can be read and write permissions, or even execute), and then completely forgot about. This can lead to several security risks.
SaaS related risks can be categorized into three different types:
Examples include risky applications with a low security score, indicating a higher probability that these applications are vulnerable. And applications that have recently been compromised but have permissions into the organization’s data, immediately compromising that data. In its free solution, Wing attaches a security score to each application found and alerts users to the risky applications in their SaaS stack.
Other examples of the risks that SaaS applications inherently bring include 3rd party SaaS applications, those that “piggyback” off the known and approved SaaS. Or applications that were granted high permissions that are rarely given: According to Wing, 73.3% of all permissions that were given to applications by the users were not in use in over 30 days. This begs the question, why leave open doors into your organization’s data when you’re not even using the application that is asking for them?
One cannot ignore the human factor. Afterall, SaaS is often onboarded directly by the employee using it. They are the ones granting permissions, not always aware of the meaning behind these permissions. Here too Wing’s free solution offers some assistance: For the first 100 applications found, Wing provides a list of the users who use them. For full information as to who the users are, external users and user inconsistent behavior across applications, Wing offers its enterprise edition.
The risks associated with data security are vast and have a whole category of products that deal with them, such as DLPs and DSPMs. However, when it comes to the SaaS applications that employees use, data related issues can span from sensitive files being shared on applications that are not meant for file sharing, secrets shared on public channels (Slack is a common example) and even the massive amount of files that employees share externally and then forget about, leaving that external connection wide open. Keeping a clean SaaS-environment consists not only of maintaining the applications and users, but also managing the information that resides in and between these applications.
In conclusion, SaaS-Shadow IT discovery has become a critical area of concern for IT and security teams, as the usage of SaaS applications continues to grow rapidly. While SaaS applications offer numerous benefits to businesses, they also pose significant security risks when ungoverned. These risks include the use of breached applications, granting excessive permissions, user inconsistencies, and data security issues.
It is crucial for organizations to have visibility into their employees’ SaaS usage to make informed decisions and take remedial actions to mitigate these risks. In 2023, the expectation is that basic SaaS-Shadow IT discovery should no longer come at a cost, as it should be a fundamental commodity for organizations aiming to secure their SaaS environment.