Software as a Service (SaaS) research has found that large companies had an average of 5.5 million assets stored in SaaS applications. DoControls' SaaS report quantifies the volume, types and exposure risk of business assets stored within the SaaS estates of medium and large companies. 

SaaS applications expose companies of all sizes to significant security risks stemming from undetected data exfiltration. With large companies averaging 2,775,000 SaaS activities per week involving nearly 55,750 SaaS assets, manually monitoring every event and asset is functionally impossible. The notable shortage of security professionals and the burnout caused by competing priorities demonstrates why security automation is the only feasible approach in this landscape. The vulnerabilities covered in the report are broken out into five different categories:

Insider threats: Whether accidentally or deliberately, insiders can exfiltrate confidential intellectual property and customer information, exposing companies to financial extortion and devastating brand damage. The report found that 81% of medium-sized companies and 78% of large companies have encryption files stored in Google Drive/Workspace. An organization may feel secure storing assets in various apps, but they need to be vigilant of assets leaving those domains. As 61% of companies have employees who have shared company-owned assets with their personal email, manually tracking sensitive assets may be more difficult than previously imagined.

External actors & access: Control of a company’s data or intellectual property can become tenuous when collaboration extends beyond the company’s security perimeter and files are shared with external parties via SaaS applications. Medium-sized companies involved in the study had on average nearly 224,000 assets in SaaS applications that have been shared externally, with nine external actors per employee on average. 

Compounding this issue is that over-provisioning access to SaaS files can result in those assets being distributed to external collaborators beyond those which they were originally intended. The report found large companies had an average of 94,455 publicly-shared assets stored in SaaS applications. Companies need to limit external sharing by implementing least privilege permissioning and by removing access when assets are no longer needed by the parties with whom they were shared. 

Third-party to fourth-party sharing: One of the ramifications of not adequately limiting the data access granted to external parties is third-party to fourth-party sharing. Over the course of the first nine months of 2022, the report identified over 1,189 events within large companies where third-party actors shared assets with fourth-party actors. In many instances, trusted third-parties have legitimate reasons for sharing SaaS assets with fourth parties. These situations, however, should be managed by the originator of the SaaS assets. At large companies, 241 fourth-party domains on average have access to its SaaS assets. Without adequate SaaS data access controls, the originators often lose sight of assets shared externally, introducing an unacceptable level of risk.

Outdated permissions: There are two manifestations of outdated permissions. The first is ongoing access to SaaS assets that are no longer supporting current business objectives. The report found 67% of all companies have employees with lingering access to assets stored in Google Workplace that are more than 5 years old. 

The second form of outdated permission listed in the report is access that persists after employees have parted ways with their employer. Out of all companies, 31% have former employees who have accessed assets stored in SaaS applications after they have parted ways with their employer. Large companies tend to have more former employees with access (20 on average) than medium companies (slightly more than six on average), but even one former employee — especially a disgruntled one — can present an unacceptable risk. 

Third-party applications: Applications often allow integrations with third parties to make workflows more efficient, convenient or productive. However, third-party applications can also pose a threat to companies, especially when given unnecessary read-write permissions. Granting unnecessary read/write access to applications that may not have strong enough native security controls can open the door to data exfiltration and supply chain-based attacks. The major collaboration application companies often support numerous third-party application integrations. 

At large companies, Google has an average of 81 third-party application integrations. On average, 27 of those Google integrations have data access and nine are overprivileged.

Download the full 2023 SaaS Security Threat Landscape Report.