New hybrid work models are shifting both where employees work and how organisations procure technology. In the wake of the pandemic, public cloud spending is booming: forecasts have public cloud services growing another 23% in 2021 to $332.3 billion, with software as a service (SaaS) the largest market segment.
With increased SaaS reliance comes new risk, and organisations are scrambling to shore up security and compliance for a more secure future of work.
According to a recent Snow Software survey, report their organisations are moving or have already moved to hybrid work. Much of the recent SaaS growth has been driven by organisations' need to provide access to applications from anywhere; it is one important way they keep employees productive. The difference from traditional, installed applications is that installed software has established mechanisms for controlling what runs on the endpoint, such as application blacklisting (anti-virus is one form), whitelisting and scores of others.
With SaaS, anyone with a browser can reach applications that IT has never seen, and that creates many risks. Uncontrolled access is an open invitation to data exposure, possible compliance failures with regulations such as GDPR, HIPAA and PCI DSS, not to mention costly application sprawl. Adding fuel to this fire is shadow SaaS: employees using and/or purchasing SaaS software outside of standard procurement and approval processes.
Risks of shadow SaaS
- Data security: Cybercriminals are quick to take advantage of the shift to the cloud and of the common misunderstanding that the cloud provider takes care of security. The reality is that data security is a shared responsibility. The SaaS provider is responsible for the baseline controls that protect its platform and the data it holds for you. IT is responsible for checking that the provider actually has sound security practices, for deciding what data may go there, and for understanding how the application interfaces with other organisational IT. If IT is unaware of an application in use, none of that vetting happens. End users, in turn, are responsible for using strong, unique passwords (and multi-factor authentication where the application offers it) and for not uploading company or customer data to SaaS applications without prior approval. The problem is that some employees don't know this, and others choose to disregard it.
- Compliance failure: Another risk is being out of compliance with data privacy regulations. There is a growing number of international and national regulations, and failure to comply can result in exorbitant fines. Take HIPAA, for example. Healthcare organisations must obtain a business associate agreement from any provider that creates, receives, maintains or transmits PHI on their behalf. The business associate agreement records the assurances of how the provider will safeguard PHI. To put such agreements in place, the organisation must first know about every application employees are using that handles PHI; an application nobody in IT knows about cannot be covered by one. There are numerous examples of organisations being fined for failing to assess provider risk and obtain a business associate agreement.
- SaaS sprawl: In addition to data security and compliance risks, budget over-runs must be top of mind for IT and the C-suite. Cloud application sprawl is a common result of shadow SaaS. When individual users sign up for their own software, redundancies occur; with individual-use licenses you might not be getting the best financial deal, and you may be out of license compliance and exposed to true-up charges. This has become a much bigger issue with fully remote and hybrid employees. In the same Snow Software survey, told us their SaaS investment had increased in the last 12 months and nearly half said controlling SaaS sprawl is their biggest challenge.
Three guardrails that reduce risk
Any end user with internet access can sign up for any SaaS application. To reduce that risk without hurting productivity, consider implementing the following guardrails for your organisation.
1. Make it easy for employees to get what they need.
Self-service is the name of the game, now more than ever. Users are accustomed to going to a central place such as an app store to get what they need for their phones. Provide a similar experience for employees: a place where they can search for what they need and request a subscription that your organisation has already approved. By giving employees a sanctioned place to get their applications, you reduce the incentive to sign up for something on their own and so reduce redundant software in your environment. Self-service app stores also provide a level of automation for license management: when assigning a license, you can set a rule so that a license that goes unused for a defined period is automatically reclaimed.
2. Leverage technology to discover applications in use.
It is impossible to determine whether all the application providers used by your organisation have the right level of security controls in place if you don't have visibility into all the technologies in use across the organisation. Discovery tooling such as browser extensions on user devices can show you which SaaS applications are in use, by department and by potential risk; bear in mind that a browser extension only sees browser traffic, so web-proxy, DNS or identity-provider logs are useful complements. Remember that not all software requires a license, so using financial data as your software inventory will not capture free application usage. If you are unable to obtain a discovery technology to uncover shadow SaaS, assess who has access to sensitive data (engineering teams, analytics, sales and marketing operations, finance) and talk to some of those users to find out what applications they are using. This information is often found in departmental onboarding documents.
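As an added example (not code from the article or from Snow Software), the following Python script shows the kind of discovery logic such tooling runs, applied here to web-proxy logs rather than a browser extension. It maps the destination host of each constructed log line to a small, made-up SaaS catalogue, lists services that are not on an assumed sanctioned list by department and user, and flags categories in which more than one service is in use (sprawl candidates). WeTransfer in the sample is a free service, the sort of thing a finance-based inventory would never show. Every hostname, user, department and the sanctioned list are assumptions for illustration only.

```python
"""Shadow-SaaS discovery over web-proxy logs (added example; all data constructed).
Reports SaaS services in use that are not sanctioned, by department and user,
and categories where several services overlap."""
from collections import defaultdict
from dataclasses import dataclass
import re
from urllib.parse import urlsplit

# Constructed catalogue: registrable domain -> (service name, category).
# In practice this would come from a vendor feed or your own CMDB.
SAAS_CATALOGUE = {
    "dropbox.com": ("Dropbox", "file-sharing"),
    "box.com": ("Box", "file-sharing"),
    "wetransfer.com": ("WeTransfer", "file-sharing"),
    "trello.com": ("Trello", "project-management"),
    "slack.com": ("Slack", "messaging"),
    "notion.so": ("Notion", "notes"),
}

# Services the organisation has approved (assumption for this example).
SANCTIONED = {"Box", "Slack"}

# Constructed log format: "<timestamp> <user> <department> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<dept>\S+)\s+(?P<url>\S+)$")

# Constructed sample traffic; the last two lines check that non-SaaS and
# malformed input are skipped rather than crashing the report.
SAMPLE_LOG = [
    "2021-06-01T09:00:01Z alice finance https://www.dropbox.com/home",
    "2021-06-01T09:00:05Z bob engineering https://app.box.com/folder/1",
    "2021-06-01T09:01:10Z carol marketing https://trello.com/b/abc123",
    "2021-06-01T09:02:00Z dave engineering https://app.slack.com/client",
    "2021-06-01T09:03:00Z erin sales https://wetransfer.com/",
    "2021-06-01T09:03:30Z alice finance https://www.dropbox.com/upload",
    "2021-06-01T09:04:00Z frank engineering https://www.notion.so/workspace",
    "2021-06-01T09:05:00Z bob engineering https://intranet.example.internal/",
    "garbage line",
]


@dataclass(frozen=True)
class Usage:
    service: str
    category: str
    user: str
    dept: str


def registrable_domain(host):
    """Reduce 'app.box.com' to 'box.com'. Naive last-two-labels rule; a real
    tool should consult the Public Suffix List so 'foo.co.uk' is handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def parse_line(line):
    """Return a Usage for a line whose host is a catalogued SaaS, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line
    host = urlsplit(m["url"]).hostname
    if not host:
        return None
    entry = SAAS_CATALOGUE.get(registrable_domain(host))
    if entry is None:
        return None  # intranet, news sites and other non-SaaS traffic
    service, category = entry
    return Usage(service, category, m["user"], m["dept"])


def discover(lines):
    """Return (unsanctioned, sprawl):
    unsanctioned = {service: {department: [users]}} for services not in SANCTIONED,
    sprawl       = {category: [services]} where more than one service is in use."""
    usages = [u for u in map(parse_line, lines) if u is not None]
    users_by_service = defaultdict(lambda: defaultdict(set))
    services_by_category = defaultdict(set)
    for u in usages:
        users_by_service[u.service][u.dept].add(u.user)
        services_by_category[u.category].add(u.service)
    unsanctioned = {
        service: {dept: sorted(users) for dept, users in depts.items()}
        for service, depts in users_by_service.items()
        if service not in SANCTIONED
    }
    sprawl = {
        category: sorted(services)
        for category, services in services_by_category.items()
        if len(services) > 1
    }
    return unsanctioned, sprawl


if __name__ == "__main__":
    unsanctioned, sprawl = discover(SAMPLE_LOG)
    print("Unsanctioned SaaS in use (service, department, users):")
    for service, depts in sorted(unsanctioned.items()):
        for dept, users in sorted(depts.items()):
            print(f"  {service:<12} {dept:<12} {', '.join(users)}")
    print("Sprawl candidates (several services in one category):")
    for category, services in sorted(sprawl.items()):
        print(f"  {category:<20} {', '.join(services)}")
```

The output of `discover` is what you would take into the conversations described under the third guardrail: the per-department user lists tell you whom to talk to, and the sprawl list tells you where a single sanctioned alternative could replace several overlapping tools. The catalogue lookup is the weak point of any such tool; the domain matching here is deliberately naive and a real deployment should use the Public Suffix List and a maintained service catalogue.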
3. Educate and collaborate.
Once you know what applications employees are using, you can take a targeted approach: have conversations about why going outside of policy to use free or licensed applications is risky for the business. In those conversations you will also learn about each department's or user's application requirements, and you will be better equipped to partner with them on a safe alternative that still lets them be productive.
SaaS use is powering an entirely new style of work, but a failure to proactively govern it will spin up many new challenges. In response, IT teams need to shift how they work so that they get the most out of growing SaaS use while reducing the risks that shadow SaaS brings.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.