As a result of the COVID-19 measures, business leaders are focusing on maintaining employee productivity – with little time for the typical due diligence that would usually be applied. Unfortunately, this is the reality of the world we currently live in, but we are all in the same boat for the foreseeable future.
The impact of our current normal varies greatly. How a business had to react is heavily influenced by how the organisation operated before the current crisis. Some organisations were highly mobile already and simply needed to enable the remaining staff that were office-based. Other businesses had to change the way they work entirely, sometimes having to ask employees to go out and purchase laptops due to limited company resources and challenges with the global device supply chain.
No matter what the situation was before COVID-19, the new reality has led to an unplanned spike in SaaS usage, causing concern among IT decision-makers. The concern is justified, but there is a way to manage and prevent any risks associated with the surge in SaaS. If we break down the challenges, we can see common themes and solutions.
SaaS Sprawl
Your IT team's job is to maintain order in your technology ecosystem and to ensure the right resources are available to empower workers to do their jobs while keeping the business running. In the current climate, companies and their employees are focused on working the best they can – with the right tools, or not. As a result, many IT teams face a variety of potentially risky scenarios:
- Departments are purchasing software and expecting IT teams to pay the bill. This, of course, happens even at the best of times, but leaders are now under more pressure than ever to enable their teams
- Employees are subscribing to SaaS applications without IT approval. Not only is the spend uncontrolled, but any sensitive data held in these apps is untracked and could lead to a security breach
- Employees are signing up to free trials without considering security and with little consideration for how they will get the data out of the application once the complimentary trial period is over
- Compliance has fallen to the bottom of the list, either because these concerns aren’t completely understood or because employees are out of their routine.
Building a new normal
The surging use of SaaS is becoming both a hardware and a software issue. Now that the initial impact of the change is hopefully subsiding, it is time to establish a new foundation for IT. This means IT teams must:
- Identify and account for any new devices employees have purchased to work from home
- Work with employees to make sure all devices, old and new, are updated with the latest software
- Identify any new software and SaaS apps that employees are using, and conduct due diligence to investigate costs and security
- Build and issue an approved list of SaaS tools and applications for employees’ use to ensure compliance
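One way to carry out the discovery step in that list, as an added example that is not from the original post: it scans constructed web-proxy log lines for SaaS domains and reports every product that is not on a hypothetical approved list, with the users and first-seen date IT would need for follow-up. The log format, the SaaS catalogue and the approved list are all assumptions made for the example.

```python
import re

# Constructed sample of web-proxy log lines (not real data): timestamp, user, destination host.
PROXY_LOG = """\
2020-04-06T09:02:11 alice teams.microsoft.com
2020-04-06T09:05:40 bob zoom.us
2020-04-06T09:07:02 carol app.box.com
2020-04-06T09:15:13 dave zoom.us
2020-04-06T10:01:55 alice www.dropbox.com
2020-04-07T08:44:09 erin zoom.us
2020-04-07T11:20:30 bob app.box.com
2020-04-07T12:00:00 frank outlook.office.com
"""

# Hypothetical approved list as IT would issue it: product -> registrable domains it uses.
APPROVED = {"Microsoft 365": {"microsoft.com", "office.com"}}

# Hypothetical catalogue mapping registrable domains to product names for reporting.
SAAS_CATALOGUE = {
    "zoom.us": "Zoom",
    "box.com": "Box",
    "dropbox.com": "Dropbox",
    "microsoft.com": "Microsoft 365",
    "office.com": "Microsoft 365",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (sufficient for the TLDs used here)."""
    return ".".join(host.lower().split(".")[-2:])

def find_unapproved_saas(log_text: str) -> dict:
    """Return {product: {"users": set, "first_seen": timestamp}} for catalogued SaaS
    domains seen in the log that are not covered by the approved list."""
    approved_domains = set().union(*APPROVED.values())
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the report
        ts, user, host = m.groups()
        domain = registrable_domain(host)
        if domain in approved_domains or domain not in SAAS_CATALOGUE:
            continue
        entry = findings.setdefault(SAAS_CATALOGUE[domain], {"users": set(), "first_seen": ts})
        entry["users"].add(user)
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO timestamps sort as strings
    return findings

if __name__ == "__main__":
    for product, info in sorted(find_unapproved_saas(PROXY_LOG).items()):
        print(f"{product}: {len(info['users'])} user(s), first seen {info['first_seen']}")
```

In a real estate the same logic would run over proxy, DNS or CASB exports, and the catalogue would need to be far larger than the three products shown.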
Once IT teams have a grasp on the new landscape, they must dig deeper into the SaaS applications in use. As the teams discover new vendors in the corporate estate, the following checklist of questions can be used to understand the potential risks associated with the software:
- Who owns the data that is entered into the application?
- How is data segregated and protected?
- Who has access to this data?
- How is identity verified?
- What backup and restore process exists and when was it last tested?
- What happens if there is a data breach?
- What happens when the contract ends?
Hidden SaaS Exposures
While SaaS applications are easy to purchase and use from day one – it can be challenging to stop using such applications. Once the new SaaS applications used by employees are identified, IT teams must investigate and mitigate any potential exposures.
Not all exposures are harmful. If we take Zoom, for example, users can use the video conference tool for up to 40 minutes per call for free. However, if the use of Zoom becomes ingrained in company culture, chances are pretty good that the business will consider buying it a year from now. However, Zoom has recently experienced issues with security and privacy, and despite the fact the company has been very active in trying to quickly address these problems, UK Government organisations have been advised to block the use of the app.
Furthermore, if we look at Box or Dropbox or even Microsoft Teams – it’s a hassle to get any data back out of these platforms. This isn’t something users consider upfront. Exiting these kinds of SaaS agreements can be tricky, so IT leaders should read the T&Cs carefully.
Free versions of SaaS applications also have potential data sovereignty issues. While GDPR has a specific clause that requires a right to request data deletion, some vendors may clearly state that data deletion is only for the paid subscriptions. This could set businesses up for painful compliance issues down the road.
These strange and uncontrollable circumstances we find ourselves in are challenging for everyone right now, both personally and professionally. Business leaders’ top priority, and rightly so, is to keep the business functioning. While short-term goals are the current focus, companies must keep an eye on the long term too. SaaS applications are a great tool to help employees be as productive as they can from anywhere, but IT teams must keep track of what tools are being used, both new and old, while remembering there’s no such thing as a free lunch.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.