Why security leaders are concerned about the SaaS sprawl, and how to get a grip on it

By Lior Yaari
August 5, 2021

Software as a service (SaaS) has taken over, and the average enterprise now uses hundreds of unique SaaS applications to accelerate its digital transformation and business velocity. Though SaaS adoption was already on the rise, the global pandemic and widespread Work From Home (WFH) policies dramatically accelerated enterprise dependence on SaaS across every market sector—even traditional laggards like health and finance.

However, while SaaS has fulfilled its growth-enabling potential, most organizations have lost their grip on its consumption and use. SaaS is internet accessible, so IT and security teams can no longer depend on network or endpoint controls to govern application access. In other words, traditional security teams are left blind to actual activity. The only way forward is to keep up with all SaaS-related technological developments as they happen. However, is that realistic for already swamped IT and security managers?

The rise of the SaaS Sprawl

Unlike traditional on-prem third-party software, SaaS applications let users bypass IT review, approval and installation. This is the origin of the SaaS sprawl, and it leaves security leaders in the dark. The sprawl is dangerous: despite often holding sensitive information, many of the applications within it lack the bare minimum of security features that sanctioned SaaS has: SSO, security configurations and vendor approval.

IT and security managers who fail to appreciate the inherent risk of this shadow world can no longer maintain an accurate sense of their security posture. The numbers are telling. According to Okta, an SSO provider, only 88 apps use SSO in the average enterprise. Consider what that means when industry use often surpasses hundreds of applications per enterprise.

We must be better prepared, and the very first step in building a viable SaaS threat model is to establish and analyze an organizational SaaS inventory. The more granular, the better. At the very least, the inventory should show which apps are operating in an organization’s environment and which individuals are using them. To fill this knowledge gap quickly, and without doing so at the expense of other critical operations, we must introduce more automation to SaaS security.

Shadow Applications and their Risks

Shadow SaaS apps are not dangerous because they are unknown. In fact, users tend to work with viable solutions that, in most cases, would have received approval. Rather, real SaaS risk lies in the combination of SaaS app internet accessibility and its separation from IT workflows.

Unlike SSO-connected or self-hosted apps, access to the information stored in shadow SaaS apps is controlled solely by users—the weakest link in our security chain. IT and security teams cannot revoke access to shadow apps, because they are either unaware the app is in use or lack the technical means to revoke it. This creates dangling access to critical information as users change roles or leave the organization.
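The two problems described above, building a per-user SaaS inventory and finding dangling access after offboarding, can be automated from sign-in telemetry. The following Python is an added example written for this article, not code from the author or from Grip Security. It assumes a discovery source that emits one line per sign-in (timestamp, user, app, auth method), a list of apps IT has put behind SSO, and an HR feed of departed users; all three inputs are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample sign-in events (not real telemetry), one line per
# authentication as an identity provider or browser-based discovery tool
# might emit them. Fields: timestamp, user, app, auth method
# ("sso" = brokered by the IdP, "password" = app-local credentials).
SAMPLE_EVENTS = """\
2021-07-01T09:02:11Z alice@example.com salesforce sso
2021-07-01T09:05:43Z bob@example.com salesforce sso
2021-07-01T10:17:02Z alice@example.com notion password
2021-07-02T08:44:19Z carol@example.com trello password
2021-07-02T11:31:55Z bob@example.com notion password
2021-07-03T14:02:37Z carol@example.com salesforce sso
2021-07-09T16:20:08Z carol@example.com trello password
"""

# Apps IT has integrated with the SSO provider (constructed list).
SSO_APPS = {"salesforce"}

# Users whose HR offboarding date has passed (constructed), mapped to the
# ISO date on which their access should have ended.
DEPARTED = {"carol@example.com": "2021-07-05"}


@dataclass
class AppRecord:
    name: str
    sso: bool                                      # behind the corporate IdP?
    users: set = field(default_factory=set)
    last_seen: dict = field(default_factory=dict)  # user -> latest sign-in


def build_inventory(events: str, sso_apps: set) -> dict:
    """Parse sign-in lines into {app name: AppRecord}."""
    inventory: dict = {}
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, user, app, _method = line.split()
        rec = inventory.setdefault(app, AppRecord(name=app, sso=app in sso_apps))
        rec.users.add(user)
        # ISO-8601 UTC timestamps sort correctly as plain strings
        if ts > rec.last_seen.get(user, ""):
            rec.last_seen[user] = ts
    return inventory


def shadow_apps(inventory: dict) -> list:
    """Apps seen in use that IT has not put behind SSO."""
    return sorted(name for name, rec in inventory.items() if not rec.sso)


def sso_coverage(inventory: dict) -> float:
    """Fraction of discovered apps that are SSO-connected (0.0 to 1.0)."""
    if not inventory:
        return 0.0
    return sum(1 for rec in inventory.values() if rec.sso) / len(inventory)


def dangling_access(inventory: dict, departed: dict) -> list:
    """Departed users still signing in to shadow apps after their leave date.

    SSO-connected apps are skipped: deprovisioning in the IdP already cuts
    them off. Shadow apps have no such hook, so activity after the leave
    date means the account was never revoked.
    """
    findings = []
    for name, rec in inventory.items():
        if rec.sso:
            continue
        for user, ts in rec.last_seen.items():
            leave_date = departed.get(user)
            if leave_date and ts[:10] > leave_date:
                findings.append((user, name, ts))
    return sorted(findings)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_EVENTS, SSO_APPS)
    print(f"{len(inv)} apps discovered, SSO coverage {sso_coverage(inv):.0%}")
    for app in shadow_apps(inv):
        print(f"shadow app {app}: users {sorted(inv[app].users)}")
    for user, app, ts in dangling_access(inv, DEPARTED):
        print(f"dangling access: {user} on {app}, last seen {ts}")
```

On the sample data the inventory holds three apps, one of which is SSO-connected, and the only dangling-access finding is the departed user who kept signing in to a password-only app after the leave date. In practice the event source would be an IdP sign-in log, a browser extension or a CASB export, and the departed list would come from the HR system, but the reconciliation logic is the same.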

Mindful security leaders must consider how they can leverage SaaS security innovation to unify offboarding for all discovered SaaS, as well as accelerate internal risk assessments and SSO integrations. Remember, users are susceptible to password phishing attacks, which SSO and MFA integrations can significantly reduce. However, achieving a security baseline with these integrations is hardly trivial. When new application use is discovered within the organization, IT teams first have to identify who administers the application. Traditional discovery tools, such as network proxies or financial record analyzers, fail to accomplish this and increase the friction required to secure the app. In many cases, the app itself does not support SSO or requires additional payment for an enterprise license, known as the SSO Tax.

Getting a Grip on SaaS Access

For too long, access monitoring has relied on network- or endpoint-centric solutions, even though malicious access to SaaS, whether internal or external, rarely originates from the office itself. Without visibility into asset access patterns, enterprises have been left with a legacy of missed sensitive connections and without meaningful insight into their security posture. Moreover, traditional data loss prevention (DLP) assumes a closed perimeter in which data moves freely, and works by limiting exfiltration out of that perimeter; SaaS usage breaches this perimeter by design. Because SaaS users always upload data to an internet-based third-party vendor, the definition of DLP for SaaS must change. Today, it must focus on data movement within the SaaS app itself, as well as on user devices.

The predominance of WFH and BYOD requires that these measures include a risk-based approach that secures user access based on location, device and identity. Vendor approval processes are also an integral part of a good security posture. Nevertheless, once an app is approved, additional security measures must follow to ensure continued safe use. Access to high-risk applications, for example, should be limited to corporate devices with active EDR solutions. Access from personal devices, even after approval, must still be logged and monitored.

SaaS access managers must enforce coherent access policies for every SaaS app connected to their organization’s environment and continuously track and limit data movement. Even starting with read-only SaaS access (viewing without downloading files) or expiration dates for downloaded information is a major step in the right direction.
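A risk-based access policy of the kind described in the last three paragraphs can be expressed as a small decision function over identity, device and location signals. The Python below is an added example, not code from the author or from any product; the request fields, the risk tiers, the allowed-country list and the choice to make personal-device access read-only are all assumptions made for the example. The rules it encodes follow the text: high-risk apps only from corporate devices with an active EDR agent, personal-device access always logged, unapproved apps denied.

```python
from dataclasses import dataclass
from enum import Enum


class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass(frozen=True)
class Request:
    """Context the policy engine sees for one SaaS access attempt (constructed)."""
    user: str
    app: str
    app_risk: Risk
    app_approved: bool      # passed vendor review
    corporate_device: bool  # managed endpoint vs. personal/BYOD
    edr_active: bool        # EDR agent present and reporting
    country: str            # geolocation of the source IP


@dataclass(frozen=True)
class Decision:
    allow: bool
    read_only: bool  # view inside the app, no downloads
    log: bool        # write an audit record for this access
    reason: str


# Hypothetical allow-list of countries the business operates from.
ALLOWED_COUNTRIES = {"US", "DE"}


def evaluate(req: Request) -> Decision:
    """Risk-based decision combining identity, device and location signals."""
    if not req.app_approved:
        return Decision(False, False, True, "app has not passed vendor approval")
    if req.country not in ALLOWED_COUNTRIES:
        return Decision(False, False, True, "source location outside policy")
    if req.app_risk is Risk.HIGH:
        # High-risk apps: corporate device with an active EDR agent only.
        if req.corporate_device and req.edr_active:
            return Decision(True, False, True, "high-risk app from managed device")
        return Decision(False, False, True,
                        "high-risk app requires a corporate device with active EDR")
    if not req.corporate_device:
        # Personal devices: allowed for lower-risk apps, but read-only and
        # always logged (read-only on BYOD is this example's assumption).
        return Decision(True, True, True, "personal device: read-only, logged")
    # Managed device, low/medium risk: full access; log anything above low risk.
    return Decision(True, False, req.app_risk is not Risk.LOW, "managed device")


def audit_line(req: Request, dec: Decision) -> str:
    """One structured audit record for an access decision."""
    outcome = "ALLOW" if dec.allow else "DENY"
    mode = "read-only" if dec.read_only else "full"
    return (f"user={req.user} app={req.app} risk={req.app_risk.value} "
            f"device={'corp' if req.corporate_device else 'byod'} "
            f"edr={req.edr_active} country={req.country} "
            f"decision={outcome}/{mode} reason='{dec.reason}'")


def process(requests) -> list:
    """Evaluate a batch and return only the audit lines policy requires."""
    lines = []
    for req in requests:
        dec = evaluate(req)
        if dec.log:
            lines.append(audit_line(req, dec))
    return lines


if __name__ == "__main__":
    # Constructed sample requests covering each branch of the policy.
    sample = [
        Request("alice@example.com", "hr-system", Risk.HIGH, True, True, True, "US"),
        Request("bob@example.com", "hr-system", Risk.HIGH, True, False, False, "US"),
        Request("carol@example.com", "wiki", Risk.MEDIUM, True, False, False, "DE"),
        Request("dave@example.com", "wiki", Risk.LOW, True, True, True, "US"),
    ]
    for line in process(sample):
        print(line)
```

Denials are always logged, since a blocked high-risk access from an unmanaged device is exactly the signal a SaaS access manager wants to review. Keeping the policy as a pure function over a request object makes it easy to test each rule in isolation and to feed the same logic from an IdP policy hook, a proxy or an offline audit of recorded sign-ins.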

According to a survey by PTC, 59% of experts polled see security as the critical barrier to selecting SaaS solutions. This decision-making should not be so complex, and, clearly, IT and security leaders have a lot to do to survive the future’s SaaS-dominated landscape. Luckily, the market has taken notice, and IT and security leaders hardly have to go it alone anymore. With automation and a growing selection of new SaaS-centric governance technologies, these leaders can finally adapt to persistent WFH and BYOD trends by governing access to get the grip they need on SaaS security.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.

Lior Yaari is CEO of Grip Security.