It’s been said many times that you can’t stop progress, and that’s true to the point that it may be one of the more applicable maxims around these days. Especially when it comes to technology, as there’s no way any degree of stepping backwards is going to be tolerated if advances mean real benefits. Acronyms are a challenge for many, but even if you have the slightest amount of digital savvy you’ll know that SaaS stands for Software as a Service, and it’s one of many examples where cloud computing technology has made the hassles of hardware installation a thing of the past.
Here at 4GoodHosting we’ve had firsthand benefits from the Cloud, and how it’s removed the need for a lot of physical hardware and infrastructure is something any Canadian web hosting provider will be able to relate to. As a collective user base we’re certainly not going to approve of any regression here either, but more and more we’re learning how there are security risks related to cloud infrastructure. That’s not news, and the fact that ease of access increases that risk probably doesn’t come as a surprise either.
But that’s the truth of the situation, and it’s something worth looking into, especially as businesses are flocking to software-as-a-service applications with the aim of improving the efficiency of their operations and overall employee productivity. The question is though – is weak control of access to cloud apps putting those organizations’ data at risk?
1.5x Exposure on Average
There was a recent study that showed that the average 1,000-person company using certain SaaS apps is likely exposing data to anywhere from 1,000 to 15,000 external collaborators. Similar estimates from it suggested that hundreds of companies, if not more, would also have access to a company’s data, and around 20% of a typical business’s SaaS files might be available for internal sharing with little more than the click of a link.
What can be taken away from that is that unmanageable SaaS data access is a legit problem that can apply to businesses of any size these days.
Last year, slightly more than 40% of data breaches occurred as the result of web application vulnerabilities according to this report. Nearly half of all data breaches can be attributed to SaaS applications, and seeing as how more and more businesses rely on this software, it is legitimately a huge threat. Especially when you consider that many companies store anywhere from 500k to a million assets in SaaS applications.
This looks to be even more of a problem in the future. The incorporation of SaaS services is predicted to grow, with revenues expected to jump a full 30% over the next 3+ years to 2025.
This growth has been and will continue to be accelerated by the new working realities the COVID pandemic has created for us. This is because SaaS applications are easy to set up and don’t require the same outlay of time and resources for an IT department. The way businesses can identify problems and procure solutions on their own and within a timeframe that works for them is a huge plus.
Add to that the shift to working remotely for so many people, and having the ability to access a SaaS application from anywhere and on any device is something that is going to be pushing the appeal of Software as a Service for a long time yet to come. And in the bigger picture that is definitely a good thing.
This goes along with massive increases in the adoption of cloud services, choices made for all the same reasons and a similar part of the new digital workplace reality for a lot of people. Many organizations that had this shift in mind had their timetable accelerated because of the pandemic and the new need for the ability to have team members working remotely.
Software Visibility Gap
In the early 2000s there was a trend where free and small-scale SaaS offerings were still something of an unknown, but at the most basic level they were very agreeable because they met needs very well and offered more speed and agility compared to conventional and standard options. They often really improved business results, and that’s why they took off from there.
But since then the meteoric growth in adoption has introduced problems, and in many ways they were ones that industry experts foresaw – even back then. Unmanaged assets will always pose some degree of risk, and by making it so that ease of access is expected from the user base they’ve also created the possibility of greater data insecurity.
This is what creates a software visibility gap, with the cloud obfuscating the inner workings of the applications and the data stored in them, and blurring the insight into potential attacks to the point that security measures can’t be validated for effectiveness in application the same way.
Problems with Data Everywhere
Cloud and SaaS platforms as they exist for the most part today make it so that the corporate network is no longer the only way to access data, and access gained through 3rd-party apps, IoT devices in the home, and portals created for external users like customers, partners, contractors and MSPs makes security a much more complicated and challenging process.
It’s perfectly natural that companies are eager to use these access points to increase the functionality of their cloud and SaaS systems, but going in full bore without understanding how to secure and monitor them in the same way may lead to major access vulnerabilities that are beyond the capacity of the organization to identify and prepare against.
It’s entirely true that unmanaged SaaS usage means that sensitive corporate data may make its way out of the house, and do so long before those in charge of security become aware of the extent of the problem and what they might do to minimize the damage done.
When we consider further that SaaS applications often integrate with other SaaS applications the risk is magnified even further.
Responses in Progress
Organizations are making an effort to reduce the risk posed to their data by SaaS apps without stifling speed, creativity and business success, but it’s not an easy fix at this point by any means. Security and IT teams can’t depend exclusively on in-house expertise to have the security measures they need in place in a timely manner. Or at all. With the increasing complexity of cloud and SaaS environments, companies will need to use automated tools to ensure that their security settings are in line with business intent, along with continuous monitoring of security controls to prevent configuration drift.