Reducing SaaS risk is, without a doubt, a difficult challenge.
Gaining visibility into all the SaaS apps used across an enterprise is hard enough, but it becomes an even greater challenge when only a portion of the apps go through the company’s established policies for acquiring new tech. As a result, organizations lack comprehensive insight into their SaaS landscape, and it’s no wonder many IT and SecOps executives feel SaaS risk management is an unsolvable problem.
As the SaaS landscape changes and business-led IT becomes the norm, the strategies for managing SaaS risk must also adapt. A modern SaaS risk management program identifies known and unknown SaaS usage enterprise-wide and helps secure unsanctioned SaaS and reduce vulnerabilities.
But a PSA here. The organizations gaining control over their SaaS risks aren’t using traditional risk assessment models—and neither should you. SaaS usage is unique to your organization, and the conventional methods of evaluating SaaS risk neither provide the flexibility nor capture the risk nuances specific to your company. Let’s explore what other organizations are doing differently to reduce their SaaS risks more effectively.
Conventional SaaS security reviews face two primary challenges: how SaaS apps are acquired and used.
Ten to fifteen years ago, the technology market transformed its business model, moving away from hefty initial expenses and an ownership-centric model towards a subscription-based approach offering lower initial costs and options for trial subscriptions. As a result, it’s easy for any employee to start a free trial or initiate a new SaaS subscription without involving IT. According to Gartner, 41% of employees acquire, modify, or create SaaS apps outside of IT’s visibility, and that number is expected to climb to 75% by 2027.
Since SaaS technology is much more accessible, employees also use a wide array of apps specific to their jobs. Over the past few years, the number of SaaS apps used in a company has grown 18-38%, and it’s not uncommon to have multiple apps covering the same function. For example, a marketing team might have a subscription to Trello, Asana, and Monday for project management.
With the expansion of SaaS acquisition, managing SaaS has become a shared responsibility. A LeanIX report reveals four or more departments are involved in SaaS management within a company. Not surprisingly, this trend adds to the stress of IT and SecOps teams: 67% of IT professionals surveyed worry about security and compliance, and 60% expressed concern over redundant apps and under-utilized licenses.
How SaaS is acquired is one piece of the puzzle, but an equally important piece is how that app is used within an organization.
SaaS usage varies significantly between companies due to size, industry, regulatory environment, and specific operational needs. Take a customer relationship management (CRM) platform as an example.
Company A is a large financial services firm with strict regulatory requirements for protecting client data. It uses the CRM to store sensitive financial records, transaction histories, and personal client information. Due to the nature of its data, Company A enforces strong access controls and encryption and is subject to regular compliance audits. A data breach of Company A could be catastrophic, exposing the financial and PII data of its clients, causing loss of consumer trust, and resulting in regulatory penalties for the firm.
Company B, on the other hand, is a small marketing agency. It uses the same CRM to track leads, manage campaigns, and record client interaction histories. The data is less sensitive, focusing more on client preferences and project details. Company B might be more relaxed about access controls and more focused on integrating with other tools to streamline workflows. The risks for Company B are more about service interruptions affecting client communications and potential loss of non-sensitive data, which could disrupt their operations but might not have the severe financial or legal implications that Company A faces.
In these examples, even though both companies use the same SaaS application, the nature and sensitivity of the data stored, the integration with other systems, the number of users, and the compliance requirements create different risk profiles that need a tailored risk management approach.
Yet, the traditional method of managing SaaS risk is to evaluate the SaaS vendor in the context of how the app will integrate with your systems and its access to sensitive data. Such risk assessments don’t factor in who will use the app, how they will access it, or how frequently they will use it. App usage is not uniform and can differ dramatically from one company to another, so these gaps become open vulnerabilities when they are overlooked, especially in a business-led IT environment where complete SaaS visibility doesn’t exist.
At Grip Security, we’ve talked with hundreds of organizations that struggle with the same challenge: a lack of SaaS visibility and a SaaS risk management program that isn’t keeping pace with the organization’s SaaS usage, largely due to the business-led IT movement. The common denominator is that the old practices for managing SaaS risk are falling short.
Back in the day, when tech requests went through IT first, it was much simpler to manage what apps were in use and how they integrated with the company’s systems. Today, with our heavy dependence on digital tools, companies need a better way to tackle the vulnerabilities that arise from the easy access and widespread use of SaaS. While SaaS acquisition has spread across different business areas, keeping SaaS risk management centralized is crucial. The programmatic solution is to adopt an identity-centric approach.
Going beyond monitoring network data and identifying more than just sanctioned applications, SaaS identity risk management (SIRM) uses identity as the control point to overcome modern-day problems like SaaS sprawl and identity sprawl. Think about it: whenever someone starts a trial or accesses an app, they use an email address, so using email and identity as your control points makes sense. As such, SaaS identity risk management homes in on the risk indicators that mirror a company’s actual SaaS usage, providing a more granular and tailored view of where security might be weak, including:
Dive deeper with this ungated Solution Brief: Modern SaaS Security Risk Management.
Today’s SaaS risk management programs must prioritize securing the workforce in a way that supports their productivity, not restricts it. With identity being a constant in every SaaS account, adopting an identity-centric risk management approach allows for a complete and clear view of the actual activity occurring within a company’s SaaS environment, regardless of how the app was acquired.
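To make the identity-centric idea concrete, here is an added illustration (not Grip’s product code, and not from the original post) of what a usage-based risk assessment looks like once SaaS accounts are inventoried by the identity behind them. The `SaasAccount` records, the app and user names, the `COMPANY_A`/`COMPANY_B` sensitivity weights, and the `FINDING_WEIGHT` values are all hypothetical and constructed for the example. It scores each app from the indicators a vendor-only review never sees (who holds an account, whether it sits behind SSO, how often it is used, whether the person has left), weights them by the data sensitivity each company assigns to that app, and flags categories served by redundant apps, so the same CRM lands at very different scores for the two company profiles described above.

```python
"""Identity-centric SaaS risk indicators over a constructed account inventory.

Hypothetical example: it assumes a flat list of SaaS accounts keyed by the
user's email address (the identity), as an identity-centric program would
collect them, and derives the usage-based indicators the post describes
(who uses the app, how they access it, how often) instead of a vendor-only score.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SaasAccount:
    app: str
    category: str
    email: str          # the identity used to sign up or log in
    auth: str           # "sso" or "password"
    days_since_login: int
    user_active: bool   # False once the person has left the company


# Constructed sample inventory (not real data)
ACCOUNTS = [
    SaasAccount("Trello", "project-mgmt", "ana@example.com", "password", 3, True),
    SaasAccount("Asana", "project-mgmt", "ana@example.com", "sso", 1, True),
    SaasAccount("Monday", "project-mgmt", "bob@example.com", "password", 140, True),
    SaasAccount("CRM-App", "crm", "cara@example.com", "sso", 2, True),
    SaasAccount("CRM-App", "crm", "dan@example.com", "password", 45, False),
    SaasAccount("CRM-App", "crm", "eve@example.com", "password", 7, True),
]

# Company-specific data-sensitivity weight per app (hypothetical values):
# the regulated financial firm rates its CRM data far higher than the agency does.
COMPANY_A = {"CRM-App": 5, "Trello": 1, "Asana": 1, "Monday": 1}
COMPANY_B = {"CRM-App": 2, "Trello": 1, "Asana": 1, "Monday": 1}

# Relative weight of each indicator (hypothetical values)
FINDING_WEIGHT = {"orphaned-account": 4, "no-sso": 2, "dormant": 1}


def account_findings(acct, dormant_after=90):
    """Return the per-account indicators derived from who/how/how-often."""
    findings = []
    if not acct.user_active:
        findings.append("orphaned-account")   # identity offboarded, access remains
    if acct.auth != "sso":
        findings.append("no-sso")             # local password, outside central control
    if acct.days_since_login >= dormant_after:
        findings.append("dormant")            # unused seat, under-utilized licence
    return findings


def redundant_categories(accounts, min_apps=2):
    """Categories served by more than one app (e.g. three project-management tools)."""
    apps_by_cat = defaultdict(set)
    for a in accounts:
        apps_by_cat[a.category].add(a.app)
    return {c: sorted(apps) for c, apps in apps_by_cat.items() if len(apps) >= min_apps}


def assess(accounts, sensitivity, dormant_after=90):
    """Score each app as sum(sensitivity * finding weight) over its accounts."""
    report = {}
    for a in accounts:
        entry = report.setdefault(a.app, {"users": set(), "findings": [], "score": 0})
        entry["users"].add(a.email)
        for name in account_findings(a, dormant_after):
            entry["findings"].append((a.email, name))
            entry["score"] += sensitivity.get(a.app, 1) * FINDING_WEIGHT[name]
    return report


if __name__ == "__main__":
    for label, profile in (("Company A", COMPANY_A), ("Company B", COMPANY_B)):
        print(f"== {label} ==")
        ranked = sorted(assess(ACCOUNTS, profile).items(), key=lambda kv: -kv[1]["score"])
        for app, e in ranked:
            print(f"{app:8} users={len(e['users'])} score={e['score']:3} findings={e['findings']}")
    print("redundant:", redundant_categories(ACCOUNTS))
```

The same inventory yields a CRM score of 40 for Company A and 16 for Company B, driven entirely by the sensitivity weight each company assigns to its own data; the project-management category surfaces as redundant because three apps serve it. In practice the sensitivity map and the weights would come from the organization’s own data classification and risk appetite, which is exactly the tailoring a vendor-only assessment cannot provide.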
Ready to modernize your SaaS risk management program? Book time with our team to discuss your needs and how Grip can help.