Software as a Service (SaaS) is a double-edged sword.
SaaS apps can boost workforce productivity, but they can also be a thorn in the side for those of us on the security frontline, especially when you factor in Shadow IT and zombie accounts. SaaS tools are great until you try to keep tabs on them all—it's like trying to count snowflakes in a blizzard.
As SaaS inventories expand, so too does the risk to identity security. Today, the average enterprise manages a portfolio of 371 SaaS applications, yet over half of those user licenses aren't being used. Forgotten and abandoned accounts, AKA “zombie accounts,” leave backdoors for hackers and increase your cyber risks.
The Danger of Zombie Accounts
Between employee turnover rates and corporate reorganizations, accounts that should be dead and buried are still alive and active. Zombie accounts have access to your data and systems, can be easily missed in security checks, and, if not properly deactivated, can become entrances for threat actors.
Most organizations find it challenging or nearly impossible to gain visibility into the access and permissions of internal and external users. As evidence, 31% of former employees retain access to a previous employer’s software accounts, leaving the organization vulnerable to disgruntled employee behavior or malicious intent from outsiders.
Since zombie accounts are overlooked, they can be silently exploited over extended periods without raising any alarms. Thus, keeping track of all user accounts and ensuring they are deactivated when someone leaves your team is essential.
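The reconciliation the paragraph above calls for, as an added example that is not part of the original article: each SaaS app's user export is compared against the HR system's active-employee roster, and accounts that belong to nobody on the roster, have never logged in, or have been dormant past a policy threshold are listed highest-risk first (orphaned admins without MFA on top). The roster, the account records, the 90-day threshold and the fixed "today" date are all constructed for the example.

```python
"""Find zombie accounts by reconciling SaaS user exports with the HR roster.

Added example, not from the article. The HR roster and SaaS user records are
constructed inline; in practice they come from the HR system's export and
each SaaS admin console's user export (which usually includes last login).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

DORMANT_AFTER = timedelta(days=90)   # assumption: policy threshold for "unused"
TODAY = date(2024, 6, 1)             # fixed so the example is deterministic


@dataclass(frozen=True)
class SaasAccount:
    app: str
    email: str
    role: str                    # e.g. "admin" or "member"
    mfa_enabled: bool
    last_login: Optional[date]   # None = never logged in


# Constructed HR roster: only currently employed people appear here.
HR_ACTIVE: Set[str] = {"alice@example.com", "bob@example.com", "dana@example.com"}

# Constructed user exports from three SaaS apps.
ACCOUNTS = [
    SaasAccount("crm", "alice@example.com", "member", True, date(2024, 5, 30)),
    SaasAccount("crm", "carol@example.com", "admin", False, date(2024, 1, 10)),   # left the company
    SaasAccount("wiki", "bob@example.com", "member", True, date(2024, 2, 1)),     # still employed, dormant
    SaasAccount("wiki", "dana@example.com", "member", False, None),              # licence never used
    SaasAccount("billing", "contractor@partner.example", "admin", False, date(2024, 5, 28)),
]


def classify(acct: SaasAccount, hr_active: Set[str], today: date = TODAY) -> List[str]:
    """Return the reasons this account needs review (empty list = fine)."""
    reasons = []
    if acct.email not in hr_active:
        reasons.append("not in HR roster")
    if acct.last_login is None:
        reasons.append("never logged in")
    elif today - acct.last_login > DORMANT_AFTER:
        reasons.append(f"dormant {(today - acct.last_login).days}d")
    return reasons


def risk_score(acct: SaasAccount, reasons: List[str]) -> int:
    """Crude prioritisation: orphaned admin accounts without MFA go to the top."""
    score = len(reasons)
    if "not in HR roster" in reasons:
        score += 3
    if acct.role == "admin":
        score += 2
    if not acct.mfa_enabled:
        score += 1
    return score


def find_zombies(accounts, hr_active, today: date = TODAY) -> List[Tuple[SaasAccount, List[str], int]]:
    """Return (account, reasons, score) triples, highest risk first."""
    findings = []
    for acct in accounts:
        reasons = classify(acct, hr_active, today)
        if reasons:
            findings.append((acct, reasons, risk_score(acct, reasons)))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


if __name__ == "__main__":
    for acct, reasons, score in find_zombies(ACCOUNTS, HR_ACTIVE):
        print(f"[{score}] {acct.app}:{acct.email} ({acct.role}, mfa={acct.mfa_enabled}) "
              f"-> {', '.join(reasons)}")
```

On the constructed data the former employee's admin account in the CRM ranks first (orphaned, dormant, admin, no MFA), the external contractor's billing admin second; the two dormant-but-employed accounts are reclaimable licences rather than emergencies. The "not in HR roster" check only works for accounts keyed by corporate email, so shared mailboxes and service accounts need their own owner mapping.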
However, an even bigger problem is what keeps producing zombie accounts in the first place—shadow IT.
The Rising Risk of Shadow IT
Years ago, tech requests were funneled through the IT department for review and implementation. Today, 41% of an organization’s workforce is signing up for apps outside of IT’s knowledge. Unsanctioned apps can lead to various security problems, including a higher susceptibility to breaches.
Weak passwords are often the culprits in a data breach, and shadow IT compounds this problem. When IT is unaware of a technology or of an employee's app usage, its passwords and authentication methods can't be monitored. Security teams can only hope employees log in from sanctioned devices, choose strong passwords, and protect their accounts appropriately.
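One place where unsanctioned apps do leave a trace is the identity provider: when an employee signs up for a tool with "Sign in with Google/Microsoft" or grants it access to mail or files, the IdP records an OAuth consent grant. The following is an added example, not from the article, that groups such grants by app, separates them from a sanctioned-app inventory, and ranks the unknown apps by how many people adopted them and how broad the scopes they were granted are. The grant records, the inventory, the field names and the high-risk scope list are all constructed assumptions, not any vendor's export schema.

```python
"""Discover unsanctioned SaaS from OAuth consent grants recorded by the IdP.

Added example, not from the article. Grant records are constructed to resemble
a generic identity provider's "third-party app authorizations" export; the
field names and scope strings are assumptions, not a specific vendor's schema.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sanctioned-app inventory, keyed by each app's OAuth client id.
SANCTIONED: Dict[str, str] = {"client-crm-001": "crm", "client-wiki-002": "wiki"}

# Assumed taxonomy of scopes that give broad read/write over corporate data.
HIGH_RISK_SCOPES = {"mail.readwrite", "files.readwrite.all", "directory.read.all", "offline_access"}

# Constructed consent-grant export: one row per (user, app) authorization.
GRANTS = [
    {"user": "alice@example.com", "client_id": "client-crm-001", "app": "crm",
     "scopes": ["profile", "email"]},
    {"user": "bob@example.com", "client_id": "client-notes-777", "app": "QuickNotes AI",
     "scopes": ["profile", "files.readwrite.all", "offline_access"]},
    {"user": "dana@example.com", "client_id": "client-notes-777", "app": "QuickNotes AI",
     "scopes": ["profile", "mail.readwrite"]},
    {"user": "erin@example.com", "client_id": "client-sched-555", "app": "MeetingBot",
     "scopes": ["profile", "calendars.read"]},
    {"user": "alice@example.com", "client_id": "client-wiki-002", "app": "wiki",
     "scopes": ["profile", "offline_access"]},
]


def summarize_shadow_apps(grants, sanctioned, high_risk=HIGH_RISK_SCOPES) -> List[dict]:
    """Group grants for unknown client ids by app; report users, risky scopes, priority."""
    by_app = defaultdict(lambda: {"app": None, "users": set(), "scopes": set()})
    for g in grants:
        if g["client_id"] in sanctioned:
            continue                       # known app, handled by the inventory owner
        entry = by_app[g["client_id"]]
        entry["app"] = g["app"]
        entry["users"].add(g["user"])
        entry["scopes"].update(g["scopes"])

    report = []
    for client_id, e in by_app.items():
        risky = sorted(e["scopes"] & high_risk)
        # Each broad scope weighs more than one adopter, but adoption still counts:
        # a harmless-looking app used by half the company is a procurement problem.
        priority = 3 * len(risky) + len(e["users"])
        report.append({
            "client_id": client_id,
            "app": e["app"],
            "users": sorted(e["users"]),
            "risky_scopes": risky,
            "priority": priority,
        })
    report.sort(key=lambda r: r["priority"], reverse=True)
    return report


def sanctioned_with_risky_scopes(grants, sanctioned, high_risk=HIGH_RISK_SCOPES) -> List[Tuple[str, str, List[str]]]:
    """Approved apps still deserve a look when a user consented to broad scopes."""
    out = []
    for g in grants:
        if g["client_id"] in sanctioned:
            risky = sorted(set(g["scopes"]) & high_risk)
            if risky:
                out.append((g["user"], sanctioned[g["client_id"]], risky))
    return out


if __name__ == "__main__":
    for r in summarize_shadow_apps(GRANTS, SANCTIONED):
        print(f"[{r['priority']}] {r['app']} ({r['client_id']}): users={r['users']} risky={r['risky_scopes']}")
    for user, app, risky in sanctioned_with_risky_scopes(GRANTS, SANCTIONED):
        print(f"review: {user} granted {app} {risky}")
```

Keying on the client id rather than the display name matters: an unknown app can call itself anything, while the client id is what the IdP actually authorized. The output is a starting list for the conversation with the business owner, not a block list; the response to a broadly adopted tool is usually to bring it under SSO and procurement rather than to revoke it overnight.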
Minimizing SaaS Security Risks
The Identity Defined Security Alliance's 2022 Trends Report finds that almost every organization (84%, to be exact) has experienced an identity-related breach in the past year. However, most of those companies say a solid identity risk management strategy could have prevented or minimized the incident.
The realities of SaaS security risk are a wake-up call for all organizations. A SaaS identity risk management (SIRM) program isn't a "nice-to-have" anymore—it's as essential as all the other cybersecurity measures you implement. We must treat identities like valuable assets and assign the appropriate policies for each.
Creating a Strong Identity Security Plan
Building a strong identity security plan requires a thorough understanding of what’s at stake and what you need to safeguard:
Start with a clear target. Consider the security risks your company might encounter. Which data and systems are critical to protect? Your identity security plan should have well-defined targets aligned with your overarching security blueprint and regulatory compliance standards.
Examine your existing program. Review your current identity management tactics, including the tech and rules you’ve implemented. Do you have user authentication, access controls, and privilege management in place? Look for weak spots or areas where you can strengthen your defenses.
Define how you’ll run the program and the rules for managing identities and access in your organization. Address how you will add new users to the system, handle passwords, set up access permissions, and respond to security incidents.
Implement identity and access management (IAM) technology. Typical solutions include multi-factor authentication (MFA), single sign-on (SSO), role-based access control (RBAC), and attribute-based access control (ABAC). SaaS identity risk management (SIRM) tools can help spot unauthorized SaaS accounts, monitor user activities, manage OAuth permissions, rein in SaaS sprawl, and proactively identify security threats.
Educate your staff and enforce the guidelines. Teach your employees the new procedures for handling SaaS apps, acknowledge their adherence to the rules, and discreetly deal with missteps. Continuously monitor your identity security framework, evaluating and enhancing it to meet the shifting landscape of threats.
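The steps above come together once the rules from the "define how you'll run the program" step are written down in a form that can be checked automatically against the accounts the IAM tooling reports. The following is an added example, not from the article, of that policy-as-code review: a small rulebook (MFA for everyone, SSO for admins, no permissions beyond the role's maximum unless a documented exception exists) is evaluated against a set of accounts and yields per-account findings plus a compliance rate for the monitoring step. The policy, role definitions, control identifiers and account records are all constructed assumptions.

```python
"""Evaluate SaaS accounts against a written identity policy (policy-as-code).

Added example, not from the article. The policy, role definitions and account
records are constructed; the control identifiers (MFA-01, SSO-01, RBAC-01,
ROLE-01) are an assumed naming scheme for a program's rulebook, not a standard's.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Each role's maximum permission set: anything beyond it is excess privilege.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "manage_users", "export_data"},
}

POLICY = {
    "mfa_required_for_all": True,
    "sso_required_for_admins": True,
    "max_permissions_per_role": ROLE_PERMISSIONS,
}


@dataclass
class Account:
    email: str
    role: str
    permissions: Set[str]
    mfa: bool
    login_method: str                         # "sso" or "password"
    approvals: Set[str] = field(default_factory=set)   # permissions granted by documented exception


# Constructed account records as an IAM/SIRM tool might report them.
ACCOUNTS = [
    Account("alice@example.com", "editor", {"read", "write"}, True, "sso"),
    Account("bob@example.com", "viewer", {"read", "write"}, True, "sso"),                 # excess privilege
    Account("carol@example.com", "admin", {"read", "write", "manage_users"}, False, "password"),
    Account("dana@example.com", "editor", {"read", "write", "export_data"}, True, "sso", {"export_data"}),
    Account("erin@example.com", "editor", {"read", "export_data"}, True, "sso"),          # no exception on file
]


def evaluate(acct: Account, policy: dict) -> List[str]:
    """Return the policy findings for one account (empty list = compliant)."""
    findings = []
    if policy["mfa_required_for_all"] and not acct.mfa:
        findings.append("MFA-01: MFA not enrolled")
    if policy["sso_required_for_admins"] and acct.role == "admin" and acct.login_method != "sso":
        findings.append("SSO-01: admin signs in with a local password")
    role_max = policy["max_permissions_per_role"].get(acct.role)
    if role_max is None:
        findings.append(f"ROLE-01: unknown role '{acct.role}'")
        role_max = set()
    # Permissions outside the role ceiling are excess unless an exception covers them.
    excess = acct.permissions - role_max - acct.approvals
    if excess:
        findings.append(f"RBAC-01: permissions beyond role '{acct.role}': {sorted(excess)}")
    return findings


def run_review(accounts, policy: dict) -> Dict[str, List[str]]:
    """Evaluate every account; map email -> findings."""
    return {a.email: evaluate(a, policy) for a in accounts}


def compliance_rate(results: Dict[str, List[str]]) -> float:
    """Share of accounts with no findings, for the ongoing-monitoring step."""
    if not results:
        return 1.0
    clean = sum(1 for f in results.values() if not f)
    return clean / len(results)


if __name__ == "__main__":
    results = run_review(ACCOUNTS, POLICY)
    for email, findings in results.items():
        print(f"{email}: {'OK' if not findings else '; '.join(findings)}")
    print(f"compliance: {compliance_rate(results):.0%}")
```

Recording exceptions as data (the `approvals` field) rather than as a comment in a spreadsheet is what lets the same check run every week without re-litigating known cases; the compliance rate becomes the metric to track as the program is enhanced over time.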
Conclusion
SaaS tools support increased business and operational productivity, but also introduce new security risks. Unused and unmonitored software can act as gateways for bad actors to exploit networks and breach systems.
It’s time to place more emphasis on securing our SaaS environments, shutting down zombie accounts, and uncovering shadow IT risks. Only then can we ensure our digital ecosystems aren’t compromising our organization's cybersecurity and all that we seek to protect.
Lior Yaari is the co-founder and CEO of Grip Security, a pioneer in SaaS identity risk management. Book a time with our team to learn more about how Grip can uncover your shadow IT and zombie accounts and strengthen your overall SaaS security.
This article was originally published on Forbes.com