In January of this year, a SaaS Security Posture Management (SSPM) company named Wing Security (Wing) made waves by announcing a free SaaS-Shadow IT discovery solution. A cloud-based company was invited to keep track of her employees’ SaaS usage through a completely free, self-service product that operates on a “freemium” model. If a user is impressed with the solution and wants to gain more insight or take remedial action, they can purchase Enterprise her solution.
“In today’s economic realities, security budgets have not necessarily been cut, but buyers are much more cautious in their purchasing decisions, and rightly so. We cannot secure what we do not know. We believe that knowing should be a fundamental commodity: once you understand the scale of a SaaS attack layer, make informed decisions about how to solve it. Discovery is a natural and fundamental first step that should be accessible to everyone,” said Galit Lubetzky Sharon, co-founder and CTO of Wing.
The company saw more than 200 companies join them within the first few weeks of launch. Free self-service discovery tool, adding to the company’s existing customer base. they recently A short report on the findings From the hundreds of companies that have revealed their use of SaaS, and the numbers are worrying.
Visible risks due to expanded use of SaaS
At 71.4% of companies, employees have an average of 2.4 SaaS applications compromised in the last three months. On average, his 58% of SaaS applications are used by only one of her employees. His quarter of his SaaS users in the organization are external users. These figures, along with other interesting data, appear in the company’s report, along with an explanation of why we believe this to be the case and the risks to consider.
SaaS use is often decentralized, difficult to manage, and its benefits can also pose security risks if not managed. An IAM/IM system helps an organization give an employee control over some of her SaaS usage, but this control is limited to sanctioned her SaaS applications that IT/security is aware of. Limited. The challenge is that employees often onboard her SaaS applications without involving IT or security teams. So this is SaaS Shadow IT. This is especially true of many of her SaaS applications that don’t require a credit card or offer free versions.
A common scenario is when employees, often remotely located, are looking for a quick solution to a business problem. Often the solution is an application that employees have granted permissions (read and write permissions, and sometimes even execute) to an application they found online, and then completely forgot about. This can lead to some security risks.
SaaS-related risks can be categorized into three types:
Application related
Examples include dangerous applications with low security scores. This indicates that these applications are likely vulnerable. Also, an application that was recently compromised but has access to an organization’s data will soon compromise that data. As a free solution, Wing attaches a security score to each detected application and warns users about risky applications in their SaaS stack.
Other examples of the risks that SaaS applications inherently pose include third-party SaaS applications that “piggyback” from known and approved SaaS. Or a rarely granted, highly privileged application: According to Wing, 73.3% of all privileges a user gave to an application were not used in more than his 30 days. This leaves the door open to your org’s data if you’re not using an application that’s requesting it.
User related
The human factor cannot be ignored. After all, SaaS is often onboarded directly by the employees who use it. They are the ones who grant permissions, but they are not always aware of the meaning behind those permissions. Again, Wing’s free solution can help. For the first 100 of his applications found, Wing provides a list of users using them. To get complete information about who your users are, external users, and inconsistent user behavior across applications, Wing offers an enterprise edition.
Data related
The risks associated with data security are enormous, and there are entire categories of products that address them, such as DLP and DSPM. However, when it comes to SaaS applications used by employees, data-related issues are sensitive files shared in applications not intended for file sharing, shared in public channels (Slack being a common example) It can extend to sensitive files and even large amounts of data. Employees forget files shared externally, leaving that external connection wide open. Maintaining a clean SaaS environment involves not only maintaining applications and users, but also managing the information that exists within and between these applications.
In conclusion, as the use of SaaS applications continues to grow rapidly, SaaS-Shadow IT discovery has become a key area of concern for IT and security teams. SaaS applications offer many benefits to your business, but they also pose significant security risks if not managed. These risks include use of compromised applications, excessive permission grants, user mismatches, and data security issues.
In order to make informed decisions and take corrective actions to mitigate these risks, it is critical that organizations have visibility into their employees’ SaaS usage. Expect basic his SaaS-Shadow IT discovery to go free in 2023. It should become a fundamental commodity for organizations looking to secure their SaaS environment.