A new DoControl report, Quantifying the Immense Risk of Unmanaged SaaS Data Access, highlights how the vast amounts of unmanaged data in today’s enterprises have led to a growing number of insider and external threats to global organizations. With 40% of all SaaS assets unmanaged, there is a greater degree of internal, external and public access to sensitive data.

Sounil Yu, Chief Information Security Officer at JupiterOne, explains, “Unmanaged SaaS usage means that sensitive corporate data may proliferate to locations that were never intended to house that type of data. In addition, SaaS applications often integrate with other SaaS applications. If those integrations are also not managed, then organizations risk granting overly permissive and continuous access to their corporate data through multiple SaaS channels.”

To address this challenge, Yu says, “organizations first need visibility into what SaaS applications are being used. Initial visibility can be obtained by allowing SSO authentication through their preferred Identity Provider. Furthermore, organizations should explicitly review the permission scope of SaaS applications and approve them before they are allowed to authenticate through their Identity Provider. Lastly, organizations will need to be watchful for those SaaS applications that are accessed outside of using SSO. These steps are not trivial, and there is an opportunity for innovation here to make this easier for security teams.”

According to Gartner, global SaaS revenue will grow by nearly 38% to more than $140 billion between 2019 and 2022. Although cloud-based applications dramatically increase efficiency and productivity throughout an enterprise, there is a significant threat that CIOs and CISOs often underestimate: the SaaS provider’s unchecked and unmanaged data access. And with the growing adoption of SaaS applications, this threat is growing exponentially, putting companies at greater risk for data leaks.

As a benchmark, the average 1,000-person company stores between 500K to 10 million assets in SaaS applications. Companies enabling public sharing may unwittingly allow up to 200,000 of these assets to be shared publicly. DoControl aggregated and analyzed data and categorized its key findings by external and insider threat:

  • Insider threats:
    • Of the companies analyzed, an average of 400 encryption keys are shared internally with anyone with a link.
    • 20% of SaaS assets are shared internally with a link, exposing many employees to data points they are not authorized to view.
    • 8% of employees share their corporate account assets with their account, exposing company data to employees on an ongoing basis.
  • External threats:
    • Between 1,000 and 15,000 external collaborators (vendors, contractors, customers, partners, prospects, media and analysts) have access to company data.
    • Between 200 and 3,000 external (specifically third-party) companies have access to company assets.
    • 18% of SaaS application assets are shared externally and remain shared externally even after deleting users.

Brendan O’Connor, CEO and Co-Founder at AppOmni, believes a new approach is needed to keep up with quickly changing cloud and SaaS environments. “Security and IT teams can no longer rely exclusively on in-house expertise and expect to keep up. Since the complexity of cloud and SaaS environments – and the associated security configurations - will only continue to increase, companies will need to use automated tools to ensure that their security settings match their business intent and continuously monitor security controls to prevent configuration drift. This is simply no longer a task that teams will be able to keep up with using only manual processes.”

And, though it is not feasible or cost-effective to expect a security practitioner or security team to be experts on the nuances across dozens of SaaS platforms or to stay up to date on the multitude of security-relevant changes after every release across their ecosystem, O’Connor says, “SaaS security professionals should be generally familiar with SaaS security best practices and be able to utilize automated tools that monitor for relevant updates or issues within their SaaS environment. These security automation platforms should be able to normalize SaaS and other cloud security concerns to more standard security concepts, allowing increasing numbers of security practitioners to operate effectively in securing these systems.”