Identity and Access Management (IAM) for Shadow SaaS

Shadow SaaS apps are more widespread than many think, and they are largely unmanaged, meaning that IT/security teams have no idea who is using them. This is a huge risk for companies, and as a result, SaaS security has become one of the most pressing issues for CISOs. What companies desire ideally is to be able to manage and secure shadow SaaS with the same identity and access management (IAM) framework as their sanctioned SaaS. 

The challenge is that shadow SaaS usage is dynamic, and most IAM products were never designed to secure apps that are fleeting or not used by a large number of employees. In this article, discover how IAM for shadow SaaS — shadow IT — is fundamental for promoting better security at your business. 

What Is SaaS Authentication? 

Authentication is the protective barrier that users must go through before accessing an application or system. The following are some ways SaaS users authenticate themselves to access SaaS applications.: 

‍

• Single sign-on (SSO): With SSO, users can access multiple sanctioned applications using one set of credentials. The user logs in to the SSO application, and this provides them access to the other applications. Authentication may include an email or username and a password. 
• Identity Provider (IdP): IdP provides users the ability to authenticate themselves with an existing service rather than access an application. Users can use a common username and password rather than creating multiple logins to access different apps. 
• Password Manager: Password managers allow users to create and store passwords in a secure vault. This allows users to create passwords that are more secure and not have to remember every single password. 

• Local App Credentials: Users have the option to create a username (usually their email) and a password to access apps. These credentials are completely determined by the user, and they do not require any other authentication methods.

What Is Identity Access Management (IAM)? 

IAM is an enterprise security program that is designed to control user access to resources they need to perform their jobs. In today’s world, SaaS access is one of the most critical resources that IAM controls. In addition to ensuring authorized entry, IAM helps the organization meet compliance obligations. 

With SaaS authentication, IAM verifies that users' credentials align with added requirements for accessing applications. For example, an employee may be authorized to enter applications at certain times of the day or week but blocked from viewing them at others. In this way, IAM may add to the elements included in the authentication. 

Shadow SaaS Authentication and Security Risks

IAM works very well for company sanctioned applications, but there are significant limitations for shadow SaaS apps. No company officially provides every SaaS app an employee will need, so most employees go out and procure their own apps. In today’s world, most employees expect they can use the SaaS applications that suit their needs and preferences rather than being limited to the offical apps. 

If your company offers this model, the odds are that staff members are obtaining SaaS, possibly with their work emails. This creates a huge risk for companies because IT is not able to monitor usage of shadow SaaS apps, and it also creates a problem for compliance. For example, if an employee were to leave a company, IT would struggle to find every shadow SaaS app and make sure that the accounts are not accessed after the employee leaves or that there is no sensitive data or compliance issues that need to be reviewed. 

For chief information security officers (CISOs), information security managers, and related personnel, the existing IAM strategy for managing SaaS is largely ineffective for shadow SaaS. For instance, many organizations have found that SSO does not protect 80% of the SaaS employees use. 

IdP and enterprise password managers are voluntary, so there is no way to measure how much SaaS credentials are not entered into these systems. Some estimate that password manager adoption in companies is on average less than 20%.

Other risks with shadow SaaS authentication include: 

• Data breaches and loss of data
• Potential for compliance violations 
• Inefficiency as each new application or software must be tested by IT personnel 
• The possible added financial burden for license upgrades for SAML integration
• Lack of IT bandwidth to discover, prioritize, and secure SaaS apps

Since shadow SaaS shows no signs of going away, it's critical for IT professionals to reevaluate their management and learn how to detect and control shadow SaaS.

Ways to Detect and Control Shadow SaaS:

• Determine the most significant risks of shadow SaaS and formulate effective solutions 
• Develop a flexible yet well-defined SaaS policy that is enforceable
• Invest in shadow SaaS discovery and access control products 
• Carefully monitor networks, the cloud, and employee activity 
• Promote employee transparency regarding shadow SaaS use

Shadow SaaS Identity Management 

IT teams juggle several components of IAM between SSO, IdP, and password managers. Shadow SaaS compounds this task by requiring CISOs, information security directors, and security architects to actively discover, evaluate, and secure SaaS apps then take action to secure them. Other IAM issues related to shadow SaaS include 

• Accounting for a myriad of administration methods on different applications 
• Assessing if the amount of SaaS usage correlates with the subscription price 
• Overseeing access across numerous devices and internet browsers
• Understanding which employees have access to which SaaS applications
• Updating application integrations

Identifying Shadow SaaS with Grip 

Given the unique security and governance challenges of shadow SaaS authentication and IAM, businesses may struggle to devise the best approach for maintaining security. Grip invented a fundamentally unique platform to respond to these obstacles — the SaaS Security Control Plane (SSCP). 

Our solutions enables businesses to discover, prioritize, secure, and orchestrate SaaS security for sanctioned and unsanctioned applications and protect access from managed and unmanaged devices both off and on-premises.

Our SaaS Security Control Plane delivers a solid business-led IT strategy that utilizes fewer resources and people while saving money on SSO. Download the datasheet today to learn more about shadow SaaS security and how we can help.