A recent review by Wing Security, a SaaS security company that analyzed data from more than 500 companies, revealed some troubling information. According to this review, 84% of companies had employees using an average of 3.5 SaaS applications that were breached in the previous 3 months. While this is concerning, it is not a huge surprise. The exponential growth of SaaS usage means that security and IT teams struggle to keep up with which SaaS applications are being used and how. This does not mean that SaaS should be avoided or blocked; on the contrary, SaaS applications should be used to ensure business growth. But using them should be done with some level of caution.
Determine which SaaS applications are risky
The most intuitive risk factor for determining if an app is risky is to search for it and see if it has been breached. SaaS applications are clearly a target as we see more and more SaaS-related attacks. A breach is a clear indication to stay away, at least until the SaaS vendor fixes and fully recovers (which may take a while…). But there are other criteria to consider when determining whether a SaaS application is safe to use. Here are two more to consider:
- Compliance – The security and privacy certifications the app vendor holds (or lacks) are a good indicator of its security. Achieving SOC, HIPAA or ISO compliance (the list goes on…) requires lengthy and painstaking processes in which the company must meet strict requirements and conditions. Knowing a vendor’s compliance status is essential to understanding its level of security.
- Market presence – Checking whether an application is listed in known and reputable marketplaces is also a useful step in determining its integrity, which may be linked to its security measures. In respected marketplaces, apps must go through a verification process, not to mention receive user reviews, which are arguably one of the most important indicators of an app’s legitimacy.
While understanding which apps are potentially risky is important, it is not an easy task. And it’s not the first step either. According to Wing Security, the companies they reviewed had a high three-digit number of SaaS applications in use. Therefore, the first and most basic question security teams should ask is:
How many SaaS applications are employees using?
Clearly, it is impossible to determine whether SaaS is being used securely without first discovering how many SaaS applications are being used and which ones. This is basic, but not simple. All employees use SaaS, and while enforcing SSO and using IAM systems is important and useful, the decentralized, accessible, and often self-service nature of SaaS applications means that employees can start using almost any SaaS they need simply by searching for it online and connecting it to the company’s workspace, easily bypassing IAM. This is especially true when you consider the many SaaS applications that provide a free tool or a free version of it.
With that in mind, Wing Security also offers SaaS application discovery as a free self-service tool, so answering the question above should be easy enough. Once there is a clear map of SaaS usage, the next step is to determine which SaaS applications are at risk. Once apps are classified as risky, it’s important to revoke the credentials they received from the users who connected them to your organization. This can be a long and cumbersome process without a proper tool in place (Wing offers the removal of risky apps as another capability in its free version, but with some limitations that are lifted in its premium offering).
Ensuring SaaS use is secure requires asking and answering two more questions:
1. What permissions were granted to SaaS applications?
It probably goes without saying that not all apps are risky all the time. It’s also worth adding that even if a SaaS application is breached, the risk it poses depends largely on the permissions it was granted. Almost all SaaS applications require some degree of permission to access company data to provide the service they were designed to provide. Permissions range from read-only to write permissions that allow the SaaS application to act on behalf of the user, such as sending emails on behalf of the user. Properly managing your SaaS security posture means monitoring the permissions granted by users to an application and ensuring that only necessary permissions are granted to them.
2. What is the data that flows within and between these applications?
At the end of the day, it’s all about protecting critical business data, whether it’s business information, PII, or code. Data comes in many formats and flows in many different ways. The unique way in which SaaS is used across all business units and teams and anyone in the organization carries the risk of sharing data with SaaS applications that are not designed to share data securely. It also carries the risk of data being shared between SaaS applications. Today, many SaaS applications are connected, and adding one can give access to a subset of many others. It is a giant mesh of interconnectivity and data exchange.
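The three questions above (how many apps are in use, which of them are risky, and what permissions they hold) can be answered from the raw grant records an identity provider or workspace admin console exposes. The following is an added example, not code from the article or from Wing Security: it builds an inventory from constructed grant records, scores each app on the criteria the article lists (breach status, compliance, marketplace presence, and whether the granted scopes let the app act on the user's behalf), and lists which users' grants to revoke. The scope names and vendor facts are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample: OAuth-style grants employees made to third-party apps,
# shaped like what an IdP or workspace audit log would expose (not real data).
GRANTS = [
    {"user": "alice", "app": "NotesApp", "scopes": ["files.read"]},
    {"user": "bob", "app": "NotesApp", "scopes": ["files.read", "files.write"]},
    {"user": "carol", "app": "MailBot", "scopes": ["mail.read", "mail.send"]},
    {"user": "dave", "app": "ChartTool", "scopes": ["profile.read"]},
]

# Constructed vendor facts per app: breach status, attestations, marketplace listing.
VENDOR_FACTS = {
    "NotesApp": {"breached": False, "compliance": {"SOC"}, "marketplace": True},
    "MailBot": {"breached": True, "compliance": set(), "marketplace": False},
    "ChartTool": {"breached": False, "compliance": set(), "marketplace": True},
}

# Scopes that let an app act on the user's behalf rather than only read data.
WRITE_SCOPES = {"files.write", "mail.send", "calendar.write"}


def build_inventory(grants):
    """Answer 'how many apps, and who connected them?' from raw grant records."""
    inv = defaultdict(lambda: {"users": set(), "scopes": set()})
    for g in grants:
        inv[g["app"]]["users"].add(g["user"])
        inv[g["app"]]["scopes"].update(g["scopes"])
    return dict(inv)


def risk_score(facts, scopes):
    """Score one app on the article's criteria; higher means riskier."""
    write = sorted(scopes & WRITE_SCOPES)
    checks = [  # (condition, weight, reason)
        (facts["breached"], 5, "recent breach"),
        (not facts["compliance"], 2, "no compliance attestation"),
        (not facts["marketplace"], 1, "not listed in a verified marketplace"),
        (bool(write), 2, "act-on-behalf scopes: " + ", ".join(write)),
    ]
    hits = [(w, r) for cond, w, r in checks if cond]
    return sum(w for w, _ in hits), [r for _, r in hits]


def triage(grants, facts, threshold=4):
    """Return (app, score, reasons, users_to_revoke) for apps at/above threshold."""
    out = []
    for app, info in build_inventory(grants).items():
        score, reasons = risk_score(facts[app], info["scopes"])
        if score >= threshold:
            out.append((app, score, reasons, sorted(info["users"])))
    return sorted(out, key=lambda r: -r[1])


if __name__ == "__main__":
    for app, score, reasons, users in triage(GRANTS, VENDOR_FACTS):
        print(f"{app}: score {score}, {reasons}; revoke grants from {users}")
```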
Start with the basics: Know your SaaS layer
SaaS security can be overwhelming. It is a new frontier that is constantly evolving. It’s also just one more risk in a long list of risks that security teams have to deal with. The key to solving SaaS security is knowing which applications are being used. This basic first step illuminates the SaaS shadow IT challenge and enables security teams to properly assess the urgency and magnitude of their SaaS security risks. Knowing with certainty the amount and nature of SaaS in use should not be complex or expensive. There are many tools that can solve this, and you can try Wing’s free security solution to get an idea of what you’re up against.
According to a recent study by cloud security provider Ikaroa, 84% of businesses around the world are using software-as-a-service (SaaS) applications which have been breached, most commonly for abuse of administrator privileges. The survey polled over 500 business executives and IT professionals, and found that the majority of organizations lack an understanding of the security implications of using breached SaaS applications.
According to the study, a startling number of companies are using breached SaaS applications without realizing it. Over two-thirds (69%) of organizations surveyed were unaware of their SaaS application’s security status, while only 11% had taken steps to identify which of their applications had been breached.
“We were surprised to see how many companies had been using breached apps without any kind of awareness or vetting process,” said Andrew Almos, chief security officer at Ikaroa. “The vast majority of organizations don’t have an understanding of the security implications of using these applications.”
The surveyed companies are particularly vulnerable to the risk posed by SaaS applications containing unpatched vulnerabilities. Of the respondents, only 8% reported having tested their SaaS applications for security flaws to ensure their data was safe. Furthermore, only 4% had implemented a consistent process to detect breaches and weak points in their SaaS applications.
Ikaroa’s survey also revealed that a significant number of organizations have become overly reliant on SaaS providers to handle their security concerns. Over 73% of respondents believed that their SaaS provider was primarily responsible for their organization’s security.
“This is a major misconception that our survey revealed,” said Almos. “Organizations need to be taking the responsibility for their own security and evaluate SaaS applications if they want to ensure that their data is secure.”
The findings of this survey clearly demonstrate the need for businesses to create secure processes around the use of SaaS applications. Ikaroa is dedicated to helping businesses identify vulnerable applications and strengthen their overall security posture. With Ikaroa’s cloud security solution, businesses can take control of their security and maximize the protection of their data and infrastructure.