The adoption of software-as-a-service (SaaS) applications to help accomplish critical business activities has increased substantially throughout the pandemic. Many were adopted as stopgap measures to provide extra support following the quick transition to remote work, but these applications have become embedded in workflows without regard for the challenges related to improperly managed data. If enterprises continue to use these measures as long-term solutions, they must reevaluate their security posture to ensure the protection of their IT estate from unnecessary risk.
To explore these issues and how the pandemic influenced the adoption and utilization of SaaS tools that enable collaboration across the workforce, identity and access management platform maker Okta recently published its eighth annual "Businesses at Work" report. This year's report focuses on the changes seen as businesses around the world continue adapting their workflows as a result of the ongoing effects of the global pandemic.
In light of the trends outlined in the report, it's clear that SaaS application usae needs further discussion to ensure businesses can properly contextualize SaaS data and the risks it introduces to help ensure better, more secure outcomes for themselves and their stakeholders.
Lasting Pandemic IT Trends
One of the lasting pandemic legacies for IT will be the widespread adoption of multiple SaaS solutions that offer very similar features and functionality. While this was likely done to enhance team collaboration for all internal and external users, the by-product is enterprise data spread across a growing number of uncontrolled applications. The overlap is greatest for communication platforms, collaboration tools, file-sharing applications, CRM systems, and development tools.
For example, according to the Okta report, of the enterprises that use Microsoft 365, 45% also use Zoom, 38% also use Google Workspace, and 33% also use Slack. Whether this is an intentional redundancy or an outcome of pandemic-induced shadow IT, organizations need to know where business data is stored and shared to mitigate potential risks. Redundancies in technology and their disparate access controls will only exacerbate the challenge of securing sensitive assets and data shared between internal and external stakeholders.
One positive, however, is the greater emphasis on zero trust. The number of organizations that said they were working on a zero-trust initiative or intended to start one in the near future spiked to 90% in 2021. While organizations leveraging infrastructure-as-a-service (IaaS) understand that cloud security is a joint responsibility between the service provider and the cloud-adopting entity, this is often overlooked when it comes to SaaS applications and data. If the aim is to truly protect data, then extending zero trust to the SaaS data layer — beyond the user, network, and device levels — is necessary. This requires the implementation of least-privilege access to provide and revoke user access as appropriate. But these settings must also be intelligent and granular enough to limit friction between users of these services and the teams that must secure them.
The Scale of SaaS
Unmanaged SaaS sprawl presents significant risk. The "Business at Work" report indicated that the average number of SaaS applications deployed by larger organizations (2,000 employees or more) now sits at a staggering 187. The true scale of the problem becomes clear when one considers the number of users — including employees and external collaborators — that are accessing, manipulating, and sharing potentially sensitive data across 187 individual applications. The challenge of unmanaged SaaS data is further compounded by the additional complexities of access control created by the adoption of tools by multiple vendors. Ultimately, these behaviors create a siloed, complex management model that significantly increases the risk of data overexposure and exfiltration.
SaaS applications now support nearly every critical business function and often ingest the data of partners, customers, and third-party stakeholders. Breaches of these applications and data can create serious problems that range from brand damage to regulatory fines and, in some cases, even bankruptcy — it's a game nobody wants to play. While organizations need to support their workforce with the tools to grow their business, they need to do so in a secure manner.
Securing the Stopgap
The data in Okta's "Business at Work" report underscores the importance of centralizing the security of SaaS applications. The increased reliance on applications for collaboration, communication, file-sharing, CRM, and beyond, while necessary in hybrid work environments, must be coupled with a clearly defined process for managing data access and sharing. The use of multiple overlapping vendor solutions requires a consistent security strategy that can scale with the growth and use of these applications, which is a tall order when considering each application has its own set of security settings.
The examples of high-profile breaches induced by unmanaged SaaS access control are growing daily — including HubSpot, Okta, and Twitter — and no enterprise wants to add its name to that list. If the stopgap platforms and tools are to remain embedded in workflows, then it's critical for organizations to take a long, hard look at how these applications can be used without perpetuating serious security vulnerabilities among employees, stakeholders, partners, and customers.