History has a way of repeating itself. Blind spots are nothing new.
Remember in the late 90s/early 2000s when employees started accessing corporate data on mobile devices?
It was revolutionary. It changed the way people worked. We were surrounded by headlines like this one from The Economist in 2001: “A Different Way of Working: All Sorts of Companies Are Finding Mobile Internet Technology Surprisingly Useful.”
And then a few years later, people started discovering hidden security risks associated with mobile devices. “Balancing the Risks and Benefits of Mobility,” cautioned ComputerWorld in 2003. “Lost a BlackBerry? Data Could Open a Security Breach,” warned the Washington Post in 2005.
The same thing is happening now today with SaaS. People are rushing headfirst into SaaS, excited to use new collaboration tools and work more productively…
But we’re starting to realize that SaaS apps have significant security risks:
So what are these hidden security risks? Last week, BetterCloud founder and CEO David Politis hosted a webinar on the top security blind spots in your SaaS environment. Don’t worry if you missed it. Here’s a recap.
To watch the entire recording of this webinar, head to https://www.bettercloud.com/monitor/webinar-top-blind-spots/. We highly recommend watching the recording!
First things first: What is a blind spot?
A blind spot is a hidden threat—something you didn’t even know existed. And you have no way to get visibility into it until it happens. That’s why it’s a blind spot.
You don’t know what you don’t know—and that’s not your fault.
Our poll on our last webinar revealed that 78% of IT professionals are just getting started managing SaaS apps or teaching themselves. Not enough time has gone by for there to be official certifications or industry best practices yet. Courses don’t exist in schools. This is all being done through trial and error or word of mouth, which leads us to our next point: You don’t know what you don’t know, and that’s not your fault. We don’t have a foundational level of knowledge yet. It’s not the SaaS vendors’ fault; it’s not your end users’ fault. It’s nobody’s fault.
The 5 stages of learning
You might have seen this learning curve before (or some variation of it).
At the very beginning, when you’re about to learn anything, things don’t seem so difficult. You’re blissfully unaware. Let’s take driving as an example. As you start driving, you gradually become more confident. “This isn’t so hard,” you might think to yourself.
Then something usually occurs (say, spinning out in a snowstorm) and you realize that this is more complex than you thought. At that point, you become very realistic about how little you know, and that can be discouraging. After a while, you achieve mastery, and ultimately, you know it well enough to teach others.
The 5 stages of learning SaaS management
Now let’s apply it to managing SaaS applications.
Blissfully Unaware (You don’t know what you don’t know): “Slack sounds pretty good; everyone’s asking for it. I should deploy it.”
Naively Confident (You think you know, but still don’t know what you don’t know): You deploy SaaS apps, and your users start using it. About 3-6 months in, everyone’s happy, and you’re starting to feel pretty great.
But then these blind spots occur, and that’s when you take this plunge into what we call the “Pit of Sorrow.” For example, maybe half your licenses aren’t being used and you had no idea. Or maybe an ex-employee still has access to your SaaS apps and you had no idea. It is hard to see these coming; that’s why they’re called blind spots.
Discouragingly Realistic (You know what you don’t know): Once you’ve experienced these blind spots, you realize how much you don’t know about managing SaaS apps.
Mastery Achieved (You know it): You’ve mastered managing SaaS apps. You know what the blind spots are; you’ve put processes in place. Very few people have achieved this.
Teaching Others (You know it fully, and you’re helping others learn it): Even fewer people have achieved this. These people are in extremely high demand.
Poll: The majority (56%) of IT professionals think they have 1-3 super admins on average in each SaaS app.
For our first poll question, we asked our audience about their super admins:
The majority thought they had very few (1-3) super admins.
Blind spot #1: Admin permissions
Admin permissions is a major blind spot and security risk.
Most IT professionals think they have 1-3 super admins per SaaS app, but you have way more super admins in your org than you think—guaranteed.
The actual answer that we’ve seen is 13-19 super admins, on average, per SaaS app. It depends on the size of your org, of course, but you should really only have 3-4 super admins, max.
Super admins have, in essence, the codes to the nuclear missiles. Even if they’re not acting maliciously, they still have tremendous amounts of access and power. There’s a lot of risk there. Each additional admin is an additional endpoint to hack. And regulations like GDPR require you to limit admin permissions as much as possible.
Why do so many people end up as super admins? Employees may need super admin rights temporarily to do a single task or project. Many SaaS apps don’t provide enough granular admin roles and controls, so you end up assigning super admin privileges to allow people to do their job. The problem, though, is that those rights are never revoked. Permissions are left open and you end up with way more super admins than you should have. This means you’re not implementing the least privilege model, which is a security risk.
Poll: 76% of IT professionals believe that former employees still have access to their organization’s data.
For our second poll question, we asked our audience about ex-employees and their access to data:
An overwhelming 76% suspected that ex-employees still had access to corporate data.
Blind spot #2: Offboarding
This leads us to our second blind spot: offboarding.
The percentage of ex-employees who still have access to your data is higher than you think. This blind spot speaks to the importance of proper offboarding. If employees aren’t offboarded thoroughly and completely, then they retain data access. And there’s a lot of damage ex-employees can do, particularly if they’re disgruntled (just take a look at the headlines above).
Why does this happen? Because offboarding is a very manual, time-consuming process. It takes a lot of work to truly offboard someone. People put it off, much like chores or taxes, or they just forget to do certain steps. It’s a major blind spot because it’s difficult for IT to know which ex-employees still have access after they’ve left the company.
Poll: 86% of IT professionals think (or aren’t sure if) they have confidential/sensitive data exposed.
For our third and final poll question, we asked our audience about their exposure of confidential data:
Only 14% of respondents felt confident that they didn’t have confidential or sensitive data exposed. The rest (86%) said “Yes” or weren’t sure.
Blind spot #3: Data exposure
>Our third blind spot is data exposure.
And by “data exposure,” we mean more than just files. Data can be leaked through emails, groups, calendars, and more. For example, an external user may have been added to an email distribution list last month for a project. The project’s over, but they are still on that list and continue receiving corporate emails, thus remaining privy to confidential information.
There are many, many places for data to be exposed in SaaS environments. Why does data exposure happen? Because of the sheer power of SaaS apps. The beauty of SaaS is that it drives collaboration (with both internal and external users). For example, in Slack, you can bring in external guests into a single or multiple channels in your domain. However, that’s also where the security risks lie. If they stay longer than they should, that’s a security risk. If they are added to the wrong channel, that’s a security risk.
The whole point of SaaS apps is to open up, share, and collaborate. But it is IT’s responsibility to know about it and control that.
Data exposure can be malicious, but it can also be purely accidental. Often the difference between private and public default sharing settings is one simple radio button (see examples above). All it takes is one wrong click—and data can be exposed. Additionally, if a well-meaning employee shares files with his personal Gmail account, then your exposure points have just multiplied.
Most IT professionals know they have data exposed in some way shape or form. The challenge is: How do you find it? What do you do about it? What kind of data is exposed? Is there enough time in the day to find it and remediate it? This is why data exposure is a critical blind spot.
We only had time to delve into the three most dangerous blind spots on our webinar. For a more detailed discussion of additional security blind spots, download our free whitepaper here: Fixing IT’s Blind Spots: 8 Critical Security and Management Policies to Implement in Your SaaS Environment.
To view all the slides from David’s presentation, click here.
To watch the entire recording of this webinar, head to https://www.bettercloud.com/monitor/webinar-top-blind-spots/.