Remote and hybrid work has accelerated the shift in how work is done today. Regardless of the trends in remote, hybrid and in-person work environments, work today is done in and across Software as a Service (SaaS) apps.

The first challenge enterprise cybersecurity leaders face today is getting an accurate inventory of all of the SaaS tools currently in use by their workforce. With the constantly changing SaaS landscape, this can pose a never-ending challenge.

The next challenge is securing SaaS tools using a mix of configuration management and security tools such as single sign-on (SSO). This is a necessary step to manage the risk of SaaS apps, but does not control for all the actions users are able to take in the applications.

Despite the best efforts by cybersecurity teams, every day employees have the ability to take certain actions in SaaS apps that have security and privacy implications. Not all of these actions result in data breaches or even security incidents, but the actions do expose companies, thus mandating an approach to measure and mitigate that risk.

Below are some examples of risk-relevant SaaS actions:

• Exporting user lists: In many SaaS solutions users are able to export or download lists of users containing personal identifiable information (PII). Support and marketing tools often have this same functionality.
• Sharing files: Not reserved for shared drives like Google, Dropbox and Box, users in SaaS apps like Slack can share sensitive files and even make them public.
• Inviting external users: Internal users can invite external users to most SaaS apps.
• SaaS integration: Certain SaaS apps are approved for certain data regulations, such as the GDPR or HIPAA, but this covered data can easily be shared to SaaS apps that do not have proper protections or data protection contracts in place.

Measuring SaaS app risk

The first step in managing the risk of SaaS app usage is measuring the risk from the use of those apps. About 10% of SaaS apps represent about 90% of the risk, so targeting this 10% is the first step. The most common apps in this 10% are customer relationship management (CRM) solutions, support platforms, productivity suites and communication tools.

Security professionals can measure SaaS risk by treating SaaS like any other type of infrastructure, with SaaS app events logged and ideally piped into a centralized security management platform. This step provides visibility and a way to continually measure risk. These SaaS app events can then trigger certain actions that will help in managing the risk of Software as a Service.

Managing SaaS app risk

If the risk of SaaS stems from necessary user actions, such as employees sharing important documents via a SaaS solution, how can this risk be managed? As SaaS has pushed more autonomy to end users, they have also pushed more responsibility for security. A security mindset in an organization is key, but this is not an easy task, especially as SaaS apps enable workflows from any location and device.

Security awareness training needs a new approach to build this required mindset. The risk from SaaS apps is not mitigated by training staff on strong passwords or ransomware. SaaS workflows are specific to the SaaS apps, so the training needs to be continuously updated and tailored the specific software in use.

Many companies are at the beginning stages in measuring and managing the risk from employee actions in SaaS apps. After all, the SaaS trend has only recently exploded. The first step in managing this risk is an inventory and risk ranking of SaaS applications. With that, a new security awareness program can be created to mitigate the risk.