Most organizations have no control over their employees' Software as a Service (SaaS) usage and have no idea on how to control it. This statement might raise a few brows, and be a bit aggravating or surprising, but the data doesn't lie. SaaS-Shadow IT is a real and menacing problem. Let’s take a step back and look at why this is the case.
SaaS applications have been around for a while. We can trace back the first one to the late 90s/early 2000s. The simple yet brilliant idea of offering SaaS easily accessible and often highly user-friendly solutions has really turned the tables on software product consumption. And how it has soared. In fact, Gartner predicts that end-user spending on SaaS will reach $208 billion in 2023.
SaaS made our work easier. Any employee looking to solve a business problem that is hindering their work can simply look it up online. There is probably a SaaS application that can solve it, and it will often come with a free version or trial, so no credit card is needed.
SaaS is great, but it is also completely decentralized in nature and in most cases completely bypasses IT or security policies. Even with an identity and access management (IAM) in place, employees can still find random SaaS online, provide these applications with permissions or tokens, and enjoy a quick fix to their business needs; only to then forget about that application and never once go through the IAM.
In late January, Wing Security made its SaaS discovery tool-free, enabling all organizations to have a full look into their SaaS landscape. Soon after, over 500 organizations enrolled to solve their SaaS shadow IT problems. Here is what we found.
Key findings from hundreds of companies using SaaS Discovery
- Most employees use SaaS applications that were recently breached.
In a staggering 84% of companies, employees were using an average of 3.5 SaaS applications that were breached in the past 3 months. As mentioned above, these recently breached applications probably have access to your organization’s data through the permissions granted to them by the users during the self-onboarding process.
This is the classic and most concerning aspect of SaaS-Shadow IT: If a SaaS application is breached and its user data is compromised, neglecting to know your SaaS technology stack can have serious consequences. The worst-case scenario is hackers accessing your company’s most sensitive data through lateral movement, using the breached application.
- SaaS applications are given permissions to access company data, then never used again.
76% of all permissions that were given to applications by the users were not in use for over 30 days. The higher the permissions granted, the more access and – in time – the more control the receiving SaaS will get into company data. SaaS applications normally require some level of “read” and “write” permissions to deliver the service they promise. These permissions vary between applications and in many cases, do not require the intervention of an admin. The more applications, the larger the attack surface.
- Over half of the SaaS connected to your data is used by just one employee.
On average, 55% of SaaS applications are used by only one employee, raising questions about their necessity and making it highly unlikely that they were known and approved by the security team. This data point also shows the ad-hoc nature of most SaaS applications: They are an accessible, easy and quick fix to a current business problem and forgotten immediately after.
- People outside the organization have access through SaaS applications.
20.5% of SaaS users are external to the organization. That’s one in every five employees and I think we should let that sink in. These are contractors, freelancers or agencies that collaborate with various employees or teams at the company. These external users receive access to the organizations’ SaaS applications in order to better collaborate, but while you might have some level of control over your own employees’ security education, and you can enforce company policies on them, external users are a whole different ball game.
Companies can no longer stay in the dark when it comes to their SaaS security. Getting on top of a company’s SaaS usage is a basic need that leaders need to prioritize. Once the SaaS attack layer is uncovered, proper analysis and remediation can begin. I’d argue that those should be simple so as not to burden the already busy security and IT teams.
While SaaS usage is not slowing down, and for good reason, it is also out of control when it comes to security. With more companies using cloud-based technologies, I suspect the data we collect from the next 500 companies will not be much different. SaaS is the new security frontier and in order to win, visibility into SaaS usage is the crucial first step.