With the annual RSA Conference in full swing – which brings together more than 40,000 security professionals from around the world to the Moscone Center in San Francisco – it’s a great time to take a look at how your SaaS management (or lack thereof) impacts your org’s security posture.
Security risks are a given in our fast-paced, online world. We see them in the news every day, and cross our fingers that we (as individuals) won’t fall victim to the next massive data breach. As business owners, we *try* to take every precaution possible to prevent a security event that could lead to negative press, loss of customers, and plummeting revenues.
But organizations may be ignoring a major factor in business operations that puts them at risk, simply because it’s external to the business. And what is that factor? The usage of tens (if not hundreds or even thousands) of external SaaS platforms.
It used to be that on-premises software controlled a large portion of a company’s overall security risk. That’s not the case anymore as companies look to benefit from the scalability and efficiencies of the cloud. Companies that want to control security risks and manage costs must thoroughly vet every SaaS vendor they interact with – or face the consequences.
Why is this the case? Well, there are a handful of things that happen to businesses that likely will never stop. Businesses can’t control these events, but they can control how they respond and manage them.
Below are our top 3 reasons to proactively manage SaaS:
Employees and contractors are going to leave the business.
Even if you have a high retention rate, it’s incredibly unlikely that every employee you hire and every contractor you engage will stay with your business forever. And when they do leave, it can take a heavy toll on your business – and we’re not just talking about institutional knowledge.
Sometimes, that employee retains access to a SaaS platform that includes all your sales prospecting data – which can be shared with a competitor. Or sometimes that contractor is able to log into your development schedule and share your confidential upcoming product releases, or even the yet-to-be-disclosed financials of a public company. Sometimes these compromises happen maliciously. But more often than not, and perhaps more concerning, these compromises can happen even without malicious intent.
All of a sudden, your proprietary data is compromised because of something as simple as employee off-boarding. That lack of oversight won’t sit well with employees, customers, or shareholders.
Attackers will attack – and they’ll keep thinking up new ways to do it.
Attackers are incredibly sophisticated and creative in their attempts to access confidential or sensitive information. It’s always a bit of a cat-and-mouse game, where nearly every step forward results in a few steps back. Security experts come up with a new tactic to stop an existing attack method, and then attackers come back with an unexpected new back- or side-door entry.
Consider how many SaaS platforms your business uses currently – maybe 100, for this example. Then think about how many employees you have, and how many users there are for each SaaS application. The number of user accounts per platform is approximately the number of opportunities for attackers to penetrate your business. And that’s just the beginning.
Then, think about all that data you have out on various SaaS platforms – confidential data that is proprietary to your business or sensitive customer or partner information. What happens if that SaaS platform experiences a breach? And are you *really* putting each SaaS vendor through a serious vetting process, or just ticking the boxes if all their answers are what you want to hear?
There’s an exponential number of security holes caused solely by interacting with any external platform – SaaS or otherwise.
Companies will have some level of unsanctioned IT – always.
Procurement and IT departments can (and do) put forth their best efforts to acquire and manage SaaS with oversight, in a way that controls costs, allows them visibility, and is easy for employees. But there always will be outliers who try out or acquire new SaaS tools without the express consent of the business.
Your best employees are probably the ones who approach problems with an open mind, and are willing to try out a wide variety of solutions to streamline business operations, save money, and enhance the customer experience. In their experimentation process to solve big problems, sometimes they are trying out new SaaS tools – and not telling you about it.
It might seem harmless to them at the time – maybe they are just using what they think is a test set of data for a demo. Maybe they only use a brief trial of the SaaS platform, and they never end up purchasing a license. But what happens when that SaaS platform experiences a breach and your IT team thinks they are in the clear because there are no approved licenses? They soon find out they have unsanctioned usage and are exposed to a breach.
Proactive SaaS management allows businesses to ward off potential security risks.
Don’t get us wrong: of course, there’s no magic bullet to protect your organization against every security attack.
But effective SaaS management is certainly a reasonable place to start, particularly given the vast number of security threats that can be prevented by implementing a few best practices in managing SaaS.
When employees and contractors leave, make sure they aren’t taking anything that doesn’t belong to them. Hold any business you interact with accountable to the most recent government-mandated security standards (e.g., GDPR, which is fast approaching). And lastly, remember that although you can’t control everything, you can create an open environment where employees feel safe fessing up to unsanctioned SaaS usage – and even empowered to try new SaaS apps that might benefit the business.
Want to know how Flexera SaaS Manager supports a framework of proactive SaaS management? Contact us for a demo to learn more.