Our recent 2020 State of SaaSOps survey found that organizations use an average of 80 SaaS applications, a 10x increase in SaaS apps since 2015. We've also found that enterprise organizations generally have twice as many SaaS apps. It's clear that shadow IT and SaaS sprawl are bigger than any IT administrator is currently aware of.
That’s why it’s critical to look at hidden risks of unauthorized SaaS apps, and how to limit risk to remain in compliance with security policies. Here’s how you can get started.
Opportunities and hidden risks of SaaS sprawl
SaaS transformed and continues to revolutionize how we work. By providing employees in organizations of all sizes and across all business functions with the latest technology, SaaS is now integral to an agile and productive workplace. And it’s easy for any employee to spin up a new account without regard to risk.
Meanwhile, it's just as easy for them to speed past the initial consent screen that grants the app access to their user information and data and lets it sign in on their behalf to other cloud apps. Most people quickly click the "agree" button and don't give it a second thought.
Nearly all of us are guilty of this: we simply grant permissions to the app without taking the time to understand the risks and the implications of that agreement.
Obviously, using unauthorized SaaS apps means trouble from a security and compliance perspective. Users are generally unaware of the security risks that lurk in SaaS apps.
For example, without monitoring the app permissions your users grant, how do you know how that app stores its data? Is it stored unencrypted? Is it encrypted in transit?
Beyond unencrypted data, there are other hidden risks of SaaS.
For example, you have no idea what that unauthorized SaaS app integrates with in your domain. You don't know which permissions it holds to read or write data. You can't control data loss, either, nor can you prevent leakage of potentially sensitive information.
In addition, data stored in an unauthorized SaaS app isn’t part of company backup processes, so it can get lost. Finally, if your business needs to be compliant with any laws or regulations, you can’t prove compliance if you don’t know where your data is located.
Five steps to limiting the risks of unauthorized SaaS
Managing and limiting the risks of unauthorized SaaS applications is a tall order. But here are a few steps that you can (and should) take immediately.
- Take inventory of your SaaS apps. After all, you can’t manage what you can’t see.
- Audit the permissions that employees have granted to unauthorized SaaS apps. Remember that the more users you have, the more apps you have, so chances are good there are some murky app permissions in your environment.
- Compare permissions to your established data governance that defines who within an organization has authority and control over data assets and how those data assets may be used. It encompasses the people, processes, and technologies required to manage and protect data assets.
- Monitor app usage to eliminate and prevent duplicate unauthorized SaaS accounts and app functionality. Work with business functions to standardize on corporate-approved SaaS apps. This will help reduce the need for employees to turn to unauthorized apps in the first place.
- Build awareness around app security. Regularly train employees on the importance of understanding app permissions, and following your established data governance and security policies.
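As an added illustration of steps one through four (this is example code, not BetterCloud's product or any IdP's API), the script below takes a constructed export of OAuth consent grants, builds an app inventory, flags unsanctioned apps holding data-access scopes, and spots apps that duplicate an approved one. The app names, scope names, and policy tables are all constructed assumptions.

```python
from collections import defaultdict

# Constructed policy: apps IT has approved, mapped to the business function they serve.
SANCTIONED = {"Acme Notes": "notes", "Acme Storage": "storage"}
# Constructed catalogue of what each unapproved app seen in the export does.
APP_FUNCTION = {"QuickPDF": "documents", "NoteTaker Pro": "notes", "DropBin": "storage"}
# Constructed scope names treated as high-risk because they read or write company data.
HIGH_RISK_SCOPES = {"drive.readwrite", "mail.read", "contacts.read"}

# Constructed export: one row per user consent, as an IdP OAuth grant report would list.
GRANTS = [
    {"user": "alice@example.com", "app": "Acme Notes", "scopes": ["profile", "email"]},
    {"user": "bob@example.com", "app": "QuickPDF", "scopes": ["profile", "drive.readwrite"]},
    {"user": "carol@example.com", "app": "QuickPDF", "scopes": ["drive.readwrite"]},
    {"user": "dave@example.com", "app": "NoteTaker Pro", "scopes": ["email", "mail.read"]},
    {"user": "erin@example.com", "app": "DropBin", "scopes": ["profile"]},
]


def inventory(grants):
    """Step 1: one record per app with its distinct users and the union of granted scopes."""
    apps = defaultdict(lambda: {"users": set(), "scopes": set()})
    for g in grants:
        apps[g["app"]]["users"].add(g["user"])
        apps[g["app"]]["scopes"].update(g["scopes"])
    return dict(apps)


def audit(grants, sanctioned=SANCTIONED, high_risk=HIGH_RISK_SCOPES):
    """Steps 2-3: unsanctioned apps whose granted scopes exceed policy, most-used first."""
    findings = []
    for app, rec in inventory(grants).items():
        risky = sorted(rec["scopes"] & high_risk)
        if app not in sanctioned and risky:
            findings.append({"app": app, "users": len(rec["users"]), "risky_scopes": risky})
    return sorted(findings, key=lambda f: (-f["users"], f["app"]))


def duplicates(grants, sanctioned=SANCTIONED, functions=APP_FUNCTION):
    """Step 4: unsanctioned apps that duplicate a function an approved app already covers."""
    covered = {fn: app for app, fn in sanctioned.items()}
    return {app: covered[functions[app]]
            for app in inventory(grants)
            if app not in sanctioned and functions.get(app) in covered}


if __name__ == "__main__":
    for f in audit(GRANTS):
        print(f"REVIEW {f['app']}: {f['users']} user(s), scopes {f['risky_scopes']}")
    for app, approved in duplicates(GRANTS).items():
        print(f"DUPLICATE {app}: standardize on approved app {approved}")
```

Replacing the constructed GRANTS list with rows from a real consent-grant export and filling in the two policy tables turns this into a repeatable audit that can run on a schedule.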
These steps are a good start, but how do you ensure that you’re consistently in compliance? And how do you stay on top of any unauthorized SaaS apps that are in (or could be added to) your cloud-based environment?
Stay in compliance by discovering unauthorized SaaS
The best way to stay up-to-date and continually discover unauthorized SaaS apps is to use an all-in-one SaaSOps platform, like BetterCloud. In a single platform, BetterCloud provides all the functions an enterprise needs to discover, manage, and secure all of the SaaS applications, users, and data across your digital workplace.
BetterCloud Discover gives IT teams full visibility into employee SaaS adoption and deep insight into the scope of sanctioned and unsanctioned applications running within the company's environment. Additionally, IT departments improve operational efficiency by using auditable spend reporting, which helps teams eliminate redundant applications and reclaim unused licenses for redistribution. Finally, by leveraging new insights on SaaS usage, Discover helps IT and security teams consolidate control over their environment and mitigate risks in their current security posture.