Software as a Service (SaaS) presents both opportunities and challenges for organizations. SaaS makes employees more efficient, but for security teams it introduces risk that is hard to control and full of logistical gaps, a condition commonly called "SaaS sprawl."
While SaaS sprawl isn't a new concern, the rising threats certainly are. This article explores the state of SaaS security and the hurdles that SaaS sprawl poses, and presents tips for managing your SaaS identity risks more effectively. Let’s dive in.
SaaS Portfolios are Growing, but 53% of Licenses Aren't Used
The SaaS market thrives on customer demand—organizations pursuing heightened productivity, cost reductions, and enhanced operational efficiency, to name a few common motivations. According to Statista, SaaS adoption is growing at a staggering rate, with the global market projected to reach $232 billion in 2024. The average company's SaaS portfolio has swelled to 371 apps, a 31% increase in just two years. But while the number of apps skyrockets, user adoption often falls by the wayside: over half of those app licenses sit idle, and every forgotten or abandoned account is a potential entry point for an attacker.
41% of Your Employees are Using Apps You’re Not Aware of
According to Gartner, by 2027, 75% of employees will acquire, modify, or create technology outside of IT's visibility—up from 41% in 2022. Unauthorized SaaS applications, known as "Shadow IT," pose significant security risks: the apps were adopted outside of IT's purview and may not have appropriate security controls in place, and most app trial accounts require only a username and password. 80% of data breaches stem from weak or reused passwords. When employees start their own SaaS subscriptions, the responsibility for choosing (and rotating) strong passwords falls on the employee, and security teams can only hope they choose well.
Zombie Accounts Keep 54% of Security Professionals Up at Night
Employee churn is inevitable. Involuntary separation, layoffs, employees moving on—churn is a fact of professional life in every organization, although how much varies significantly by company and industry sector. The US national average for employee turnover is 17%; however, with the economic downturn and recent onslaught of layoffs, we saw hundreds or even thousands of employees abruptly departing in a single day. The potential for zombie accounts grows sharply in these scenarios. When SaaS subscriptions are initiated outside IT's knowledge, nobody knows the accounts exist, so nobody shuts them down after the employee has left, and they linger. In a study by Salt Security, 54% of respondents indicated zombie accounts are a high concern—cited as one of their top API security concerns.
31% of Employees Have Access to Old Employer Software Accounts
Research on gaps in offboarding SaaS access shows that 31% of employees still have access to a former employer’s software accounts—an open invitation for malicious activity from a disgruntled employee or a bad actor taking advantage of orphaned accounts. So why not close the gaps?
Ponemon research cites that only 36% of organizations have visibility into the level of access and permissions that both internal and external users have, and 59% do not revoke credentials when appropriate. If you're struggling to identify and revoke user access across your SaaS estate, you're not alone—it's a problem for many organizations.
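The offboarding gap described above is, in practice, a reconciliation problem: the list of accounts in each SaaS app rarely gets compared against the HR roster. The following script is an added example (not Grip's code or the article's) that performs that reconciliation over constructed data. It flags accounts owned by terminated employees (and whether they logged in after termination), accounts that nobody in HR owns, idle licenses, apps IT never sanctioned, and accounts that bypass SSO. All rows, the sanctioned-app list, the as-of date and the 90-day idle threshold are assumptions for illustration; a real run would read CSV exports from each app's admin console and from the HRIS.

```python
"""Reconcile SaaS user exports against the HR roster.

Added example, not Grip's code. All rows below are constructed; a real run
would read CSV exports from each app's admin console and the HRIS.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employment status and termination date, if any.
HR_ROSTER = {
    "alice@example.com": {"status": "active", "terminated": None},
    "bob@example.com": {"status": "terminated", "terminated": date(2024, 1, 15)},
    "carol@example.com": {"status": "active", "terminated": None},
}

# Constructed per-app user exports: app, account email, last login, auth method.
SAAS_USERS = [
    {"app": "Salesforce", "email": "alice@example.com", "last_login": date(2024, 5, 1), "auth": "sso"},
    {"app": "Salesforce", "email": "bob@example.com", "last_login": date(2024, 1, 10), "auth": "sso"},
    {"app": "Notion", "email": "carol@example.com", "last_login": date(2023, 11, 2), "auth": "password"},
    {"app": "Notion", "email": "bob@example.com", "last_login": date(2024, 2, 3), "auth": "password"},
    {"app": "Trello", "email": "dave@example.com", "last_login": date(2024, 4, 30), "auth": "password"},
]

SANCTIONED_APPS = {"Salesforce"}  # apps IT has onboarded; anything else is shadow SaaS
IDLE_DAYS = 90                    # a licence unused this long counts as idle (assumed threshold)
TODAY = date(2024, 6, 1)          # constructed as-of date for the report


@dataclass(frozen=True)
class Finding:
    kind: str    # zombie | idle | unknown_identity | shadow_app | no_sso
    app: str
    email: str
    detail: str


def reconcile(saas_users, roster, sanctioned, today, idle_days=IDLE_DAYS):
    """Return one Finding per problem; a single account can yield several."""
    findings = []
    for u in saas_users:
        app, email, last = u["app"], u["email"], u["last_login"]
        person = roster.get(email)
        # Identity checks, most severe first: nobody owns it, owner left, owner never uses it.
        if person is None:
            findings.append(Finding("unknown_identity", app, email, "not in HR roster"))
        elif person["status"] == "terminated":
            gap = (last - person["terminated"]).days
            detail = (f"logged in {gap} days after termination" if gap > 0
                      else "no login after termination")
            findings.append(Finding("zombie", app, email, detail))
        elif (today - last).days > idle_days:
            findings.append(Finding("idle", app, email, f"last login {(today - last).days} days ago"))
        # Control checks, independent of who owns the account.
        if app not in sanctioned:
            findings.append(Finding("shadow_app", app, email, "app not onboarded by IT"))
        if u["auth"] != "sso":
            findings.append(Finding("no_sso", app, email, f"authenticates with {u['auth']}"))
    return findings


def summarize(findings):
    """Count findings by kind, for a one-line executive view."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    report = reconcile(SAAS_USERS, HR_ROSTER, SANCTIONED_APPS, TODAY)
    for f in report:
        print(f"{f.kind:17} {f.app:11} {f.email:20} {f.detail}")
    print(summarize(report))
```

The ordering of the identity checks matters: an account with no owner in HR is reported as unknown rather than idle, and a terminated owner's account is a zombie even if it was used recently. A post-termination login on a zombie account (bob's Notion login 19 days after his termination date in the constructed data) is the case that should go straight to incident response rather than to the license-cleanup queue.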
84% of Organizations Have Experienced an Identity-Related Breach
The Identity Defined Security Alliance 2022 Trends Report showed that 84% of organizations experienced an identity-related breach in the last year. But here’s the kicker: 96% of those organizations said the breach could have been prevented or minimized had they implemented an identity risk management solution.
Employees are choosing the tools they want and need to perform their jobs, which means more apps, more shadow IT, and more identities exist today than ever before. Unless SaaS identity risk management practices also evolve, more SaaS identity breaches will occur. Visibility into SaaS usage is not a nice-to-have; it's table stakes, given our current SaaS environment.
Reversing SaaS Identity Risks
You don't have to be the one contributing to the stats and numbers mentioned in this article; you can take proactive steps to tackle SaaS sprawl and reclaim control over your organization's SaaS risks. Since accounts can originate and be accessed virtually anywhere, managing identities becomes your primary leverage point. Identities are assets, not individuals. By implementing policies for each identity, you empower yourself with controls and safeguards every time that identity is used. Developing an identity security framework is a good first step.
Developing an Identity Security Framework
Developing an effective identity security framework requires a comprehensive understanding of your organization's unique needs, challenges, and objectives. To begin:
- Define your goals. What types of threats is your organization likely to face? What data and systems do you need to protect? Outline your identity security objectives—they should be specific, measurable, achievable, and aligned with your organization's security strategy and compliance requirements.
- Assess your current identity security program. Review your current identity management practices, including technologies, policies, and procedures. Do you have user authentication, access controls, and privilege management in place as needed? Identify potential vulnerabilities, gaps, and areas for improvement within your existing infrastructure.
- Outline your program governance. Define the rules and guidelines for users, and develop policies and procedures for how your organization will manage user identities and access. Specific areas to address: user onboarding and offboarding, password management, access controls, and incident response, to name a few.
- Implement identity security technologies. These technologies will help you achieve your identity security goals. Typical solutions include multi-factor authentication (MFA), single sign-on (SSO), and identity and access management (IAM) tools. Additionally, an identity risk management platform like Grip enables you to uncover shadow SaaS and zombie accounts, monitor user activity, manage risky OAuth grants, contain SaaS sprawl, and proactively identify potential SaaS security threats.
- Protect identities from harmful SaaS interactions. It’s essential to safeguard identities from harmful interactions with web apps and SaaS services by implementing centralized control along with decentralized enforcement. This involves identifying all relationships between identities and SaaS platforms, and analyzing the functionalities these relationships control within the digital enterprise.
Security teams must assess the risk associated with the extent of control a SaaS service holds, whether it’s a specific functionality or a control shared across multiple SaaS solutions (like file sharing or OAuth grants). Understanding the capabilities of each SaaS platform allows security teams to prioritize their efforts based on the potential impact or 'blast radius' of an attack if a SaaS service or its connected identity is compromised.
The final step in protecting users from identity exploits involves standardizing enforcement across the board. AI-powered enforcement allows for the dynamic application of security policies to SaaS services. Whenever an identity accesses a SaaS service, even during initial signup, security teams can immediately apply a protective plan according to the inherent risk of the identity, the context of the app, and aligned with the predefined policy for identity-SaaS relationships.
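One concrete way to rank identity-SaaS relationships by blast radius, as the two paragraphs above describe, is to classify what each OAuth grant can actually do and then aggregate per app: if an app's token store is compromised, every identity that granted it access is exposed at the level of the broadest scope it holds. The script below is an added example, not Grip's code or the article's. The grants are constructed; the scope strings are real Google Workspace OAuth scopes, but the tier assignment (0 identity-only, 1 read, 2 scoped write, 3 full control of a data surface) and the conservative default for unrecognized scopes are this example's own judgement, not any vendor's scheme.

```python
"""Rank third-party OAuth grants by blast radius.

Added example, not Grip's code. The grants are constructed; the scope strings
are Google Workspace OAuth scopes, but the tiering is this example's own
conservative judgement.
"""
GOOGLE_PREFIX = "https://www.googleapis.com/auth/"
IDENTITY_SCOPES = {"openid", "email", "profile"}
# Legacy full-access scopes that do not follow the prefix convention.
FULL_ACCESS_ALIASES = {"https://mail.google.com/": "gmail"}

TIER_IDENTITY, TIER_READ, TIER_SCOPED_WRITE, TIER_FULL = 0, 1, 2, 3

# Constructed grants: which identity authorized which app for which scopes.
GRANTS = [
    {"app": "SlideBuddy", "user": "alice@example.com",
     "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive.file"]},
    {"app": "MailMerge Pro", "user": "alice@example.com",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts.readonly"]},
    {"app": "MailMerge Pro", "user": "carol@example.com",
     "scopes": ["https://mail.google.com/"]},
    {"app": "CalSync", "user": "bob@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"app": "DocSearch", "user": "carol@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"app": "DocSearch", "user": "dave@example.com",        # same app, one user granted far more
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]


def classify_scope(scope):
    """Map one scope string to (data surface, tier)."""
    if scope in IDENTITY_SCOPES:
        return "identity", TIER_IDENTITY
    if scope in FULL_ACCESS_ALIASES:
        return FULL_ACCESS_ALIASES[scope], TIER_FULL
    if not scope.startswith(GOOGLE_PREFIX):
        # Unknown issuer or format: assume it can write until someone reviews it.
        return "unknown", TIER_SCOPED_WRITE
    name = scope[len(GOOGLE_PREFIX):]        # e.g. "drive.readonly"
    surface = name.split(".")[0]             # e.g. "drive"
    if name.endswith(".readonly"):
        return surface, TIER_READ
    if "." in name:                          # drive.file, gmail.send, calendar.events ...
        return surface, TIER_SCOPED_WRITE
    return surface, TIER_FULL                # bare "drive", "calendar": full control


def blast_radius(grants):
    """Aggregate per app: worst tier, per-surface tier, identities exposed if the app is breached."""
    apps = {}
    for g in grants:
        entry = apps.setdefault(g["app"], {
            "app": g["app"], "max_tier": 0, "surfaces": {},
            "identities": set(), "identities_at_max": set(),
        })
        entry["identities"].add(g["user"])
        grant_max = 0
        for scope in g["scopes"]:
            surface, tier = classify_scope(scope)
            entry["surfaces"][surface] = max(entry["surfaces"].get(surface, 0), tier)
            grant_max = max(grant_max, tier)
        # Track which identities granted the app its broadest access.
        if grant_max > entry["max_tier"]:
            entry["max_tier"] = grant_max
            entry["identities_at_max"] = {g["user"]}
        elif grant_max == entry["max_tier"]:
            entry["identities_at_max"].add(g["user"])
    # Worst tier first, then how many identities sit at that tier, then total identities.
    return sorted(apps.values(), key=lambda e: (-e["max_tier"], -len(e["identities_at_max"]),
                                                -len(e["identities"]), e["app"]))


def apps_with_surface_access(grants, surface, min_tier=TIER_FULL):
    """Apps that share control of one surface, e.g. every app with full Drive access."""
    return sorted(e["app"] for e in blast_radius(grants)
                  if e["surfaces"].get(surface, -1) >= min_tier)


if __name__ == "__main__":
    for e in blast_radius(GRANTS):
        print(f"{e['app']:14} tier={e['max_tier']} identities={len(e['identities'])} "
              f"at_max={sorted(e['identities_at_max'])} surfaces={e['surfaces']}")
    print("full Drive access:", apps_with_surface_access(GRANTS, "drive"))
```

Two things the ranking surfaces that a flat list of apps does not: an app that looks harmless from most users' grants (DocSearch, read-only for one user) can hold full control through a single broader grant, and a shared surface such as mail or file storage can be controlled by several unrelated apps at once, which is the case to revoke or consolidate first.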
Jumpstarting Your Success
Malicious actors look for orphaned and abandoned accounts. Because they fly under IT’s radar, zombie accounts are easier to exploit. Given the hefty price tag if the bad actors are successful, gaining visibility into your shadow IT and rogue accounts should rank high on the to-do list for all organizations. And Grip is dedicated to jumpstarting your SaaS security success.
Uncover your organization’s hidden SaaS risk and identity security gaps with a free SaaS identity risk management assessment. Let our team show you which authentication methods employees use to access SaaS tools, who is using shadow SaaS apps, where idle SaaS licenses exist, and pinpoint former employees who still have access to your software and systems. Book your free assessment now.