How to Identify and Tackle SaaS Security Issues
This post originally appeared on the Snow Software blog. Snow Software has been acquired by Flexera.

The growth in demand for SaaS applications has exploded in the last few years and is forecast to continue rapidly. It has also coincided with a mass movement of technology purchasing from central IT organizations to business units. In fact, according to the Snow Software 2022 IT Priorities Report, 86% of IT leaders report that business units are under significant stress because they’re unaware of all purchased cloud and SaaS. Though this level of self-sufficiency alleviates some of the burden on IT, it also creates an entirely new set of risks. IT must eventually face these challenges, especially when it comes to SaaS security. A recent survey of IT leaders uncovered that the #1 SaaS management priority is managing the security of SaaS applications. Whether they arise from misconfiguration, regulatory non-compliance or other issues, SaaS security threats are as plentiful as they are severe.

Application risk assessment 

To have a secure supply chain, your procurement process requires a risk assessment for new applications. During the risk assessment, your security team will be looking to understand how customer data is isolated from other tenants, how data is encrypted, which identity protections and user access reviews are in place, how data in transit is designed and protected, how the vendor protects confidential information, and so on.

This aspect of the procurement process is critical to keep your employees’ and customers’ data secure and protect your organization against security threats. So how is that protection impacted if the procurement team does not know about all the applications used in the environment?  

To perform proper risk assessments, your team needs to be aware of all the applications used across your organization, regardless of how the software was procured. Multiple departments also sign up for free trials and free services (like ChatGPT) that never pass through procurement at all, and these could cause security issues just as easily.

SaaS misconfiguration

Most organizations have hundreds, if not thousands, of SaaS apps, many of which are unknown to IT. Each SaaS tool comes with many settings to control everything from data protection to encryption to admin privileges and beyond. With these numbers, it’s easy to see how the math — and your security — can get out of control very quickly.  

Just one misconfiguration is enough to present an attack vector. In a recent Cloud Security Alliance survey, 43% of responding organizations reported one or more security incidents due to SaaS misconfiguration. Take, for example, this story of a global permissions misconfiguration. This incident exposed NASA and hundreds of Fortune 100 companies to data leaks.

Managing this challenge is difficult enough when a central IT organization handles it all. Think of the risk for business users who aren’t trained to routinely check configurations. Without visibility into what SaaS applications are in use, it’s impossible to properly configure all the software in the organization to protect sensitive data and IP.

Weak passwords

SaaS apps purchased outside of IT often bypass your SSO platform, leading to weak passwords that present another attack vector for hackers. According to research from Digital Shadows, over 24 billion username and password combinations are in circulation in cybercriminal marketplaces. That’s a 65% increase from the previous report in 2020.  

Vulnerable personal machines and software can pave the way for a security breach, which makes utilizing your SSO platform essential. Remember, though, that not all SaaS apps will integrate with the SSO platform you’ve chosen. Discovering what’s in use throughout the organization sooner rather than later can help you identify risky applications before they take hold and before switching to an alternative would be particularly disruptive.  

Access control

Remote work, workforce mobility and the number of applications in use can make offboarding a challenge for any IT department. Add into the mix hundreds of SaaS apps outside the reach of IT and managing access can quickly become untenable.   

When evaluating the security of your offboarding procedures, check if you have solid processes for removing a departing employee’s access to all applications and their corresponding data. Don’t forget to establish data removal processes for SaaS applications that the business unit or the employee directly purchased, too. 

As demonstrated by this story from August 2021, a single disgruntled former employee with access to applications and data can harm a business. In general, business units are simply ill-equipped to manage a comprehensive offboarding process properly. The combination of these factors can leave your business vulnerable to a costly breach.
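The offboarding check described above can be made routine rather than manual. The following script is an added example (not code from the original post or from Flexera/Snow) that takes the HR list of departed employees and the user list exported from each SaaS app, including apps a business unit bought on its own and never connected to SSO, and reports every account that still exists after the person's last day. The app names, addresses and dates are constructed sample data; the severity scale and the grace-period parameter are this example's own assumptions.

```python
"""Offboarding access reconciliation.

Added example, not code from the original post or from Flexera/Snow: given the
HR list of departed employees and the user list of every SaaS app (including
apps bought directly by a business unit and never connected to SSO), report
accounts that still exist after the person's last day. All data is constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SaasApp:
    name: str
    sso_integrated: bool   # True: SSO/SCIM can deprovision the account automatically
    owner: str             # "IT" or the business unit that purchased the app
    users: set[str] = field(default_factory=set)


def normalize_email(addr: str) -> str:
    """Fold case and whitespace so HR exports and app exports match each other."""
    return addr.strip().lower()


def severity(app: SaasApp) -> str:
    # Assumed scale: no SSO means offboarding automation cannot reach the account;
    # if the app is also owned by a business unit, IT may not even know it exists.
    if not app.sso_integrated and app.owner != "IT":
        return "critical"
    if not app.sso_integrated:
        return "high"
    return "medium"


_RANK = {"critical": 0, "high": 1, "medium": 2}


def find_orphaned_access(departed: dict[str, date], apps: list[SaasApp],
                         today: date, grace_days: int = 0) -> list[dict]:
    """Return one finding per (departed user, app) pair where access lingers.

    grace_days lets a nightly deprovisioning job catch up before the check
    raises a finding: someone whose last day was yesterday is not yet a failure.
    """
    indexed = [(app, {normalize_email(u) for u in app.users}) for app in apps]
    findings = []
    for raw_email, last_day in departed.items():
        email = normalize_email(raw_email)
        days_gone = (today - last_day).days
        if days_gone < grace_days:
            continue
        for app, members in indexed:
            if email in members:
                findings.append({
                    "user": email,
                    "app": app.name,
                    "owner": app.owner,
                    "days_since_departure": days_gone,
                    "severity": severity(app),
                })
    return sorted(findings, key=lambda f: (_RANK[f["severity"]], f["user"], f["app"]))


def sample_inventory():
    """Constructed sample data: two leavers and three apps."""
    departed = {
        "Alice.Lee@example.com": date(2024, 5, 31),
        "bob@example.com": date(2024, 6, 14),
    }
    apps = [
        SaasApp("CRM", True, "IT", {"alice.lee@example.com", "carol@example.com"}),
        SaasApp("Design tool", False, "Marketing", {"Alice.Lee@example.com", "bob@example.com"}),
        SaasApp("Survey tool", False, "Sales", {"carol@example.com"}),
    ]
    return departed, apps


if __name__ == "__main__":
    departed, apps = sample_inventory()
    for f in find_orphaned_access(departed, apps, today=date(2024, 6, 15), grace_days=1):
        print(f"[{f['severity']}] {f['user']} still in {f['app']} "
              f"(owner {f['owner']}, {f['days_since_departure']} days after last day)")
```

Run weekly against fresh exports, the critical findings are exactly the accounts the post warns about: business-unit apps outside SSO, where no central process ever removed the user.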

Regulatory non-compliance

Governments around the world have various laws and regulations designed to protect the data of your employees and your customers. These laws vary by country (or even state) and by data type.

Law/Regulation   Country/State
GDPR             European Union
PIPEDA           Canada
CCPA             California
APPI             Japan

Law/Regulation   Data Type
HIPAA            Health data
FERPA            Educational data
COPPA            Children’s privacy

When it comes to SaaS applications, complying with data privacy regulations is a shared responsibility, and failure to comply can result in hefty fines. These fines can climb to tens of millions of dollars in some cases. Therefore, it’s critical to know what SaaS applications are in use and to have the following questions answered from each vendor:

  • Who has access to the data? 
  • What policies and procedures does the provider have in place for data handling?  
  • How does the provider ensure they comply with all laws and regulations around data protection?  
  • What happens to your data when your contract with the provider expires?  

Armed with this information, you can begin to put in place the necessary processes and procedures to ensure compliance.  

Visibility is the key

With so many potential pitfalls associated with SaaS applications, just hoping that there won’t be a security incident simply isn’t an option. That doesn’t mean that IT must prohibit business units from procuring the tools they need to be successful. It simply means IT needs visibility into which tools business units choose, who is using them and what data the tools will access.  

There are many different methods for discovering SaaS within an organization. You can comb through accounts payable, leverage SSO and pull data via vendor APIs, just to name a few. Without focusing on the user, however, there will always be blind spots. 
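The discovery sources named above only pay off once they are cross-referenced, because each one misses something: accounts payable never sees free tiers, SSO never sees apps that bypass it, and only users know about tools they signed up for themselves. The script below is an added example (not code from the original post or from any Flexera/Snow product) that normalizes vendor names from the three feeds, merges them, and classifies every app against a sanctioned inventory so that the blind spots stand out. The feed contents, the sanctioned list and the finding labels are constructed for the example.

```python
"""Shadow-SaaS discovery by cross-referencing sources.

Added example, not from the original post or from any Flexera/Snow product:
merge accounts-payable vendors, SSO application logs and user-reported tools,
then classify each app against the sanctioned inventory. Data is constructed.
"""
import re

# Suffixes that make the same vendor look different from one source to the next.
_TLD = re.compile(r"\.(com|io|net|org|us)\b")
_NOISE = re.compile(r"\b(inc|llc|ltd|corp|co|technologies|software)\b\.?")


def normalize_vendor(name: str) -> str:
    """'Slack Technologies, Inc.', 'slack.com' and 'SLACK' all become 'slack'."""
    n = _TLD.sub("", name.lower())
    n = _NOISE.sub("", n)
    return re.sub(r"[^a-z0-9]", "", n)


def classify(sanctioned: bool, sources: set[str]) -> str:
    """Assumed finding labels; 'sso' in sources means the app is behind SSO."""
    sso = "sso" in sources
    if sanctioned and sso:
        return "managed"
    if sanctioned:
        return "sanctioned_bypasses_sso"   # local passwords: weak-password exposure
    if sso:
        return "unsanctioned_via_sso"      # IT can see it but never risk-assessed it
    if sources == {"user_report"}:
        return "shadow_user_only"          # invisible to both AP and SSO
    return "shadow"


def discover(ap_vendors, sso_apps, user_reports, sanctioned) -> dict[str, dict]:
    """Merge the three feeds; return {normalized_app: {sources, sanctioned, finding}}."""
    seen: dict[str, set[str]] = {}
    feeds = (("accounts_payable", ap_vendors), ("sso", sso_apps), ("user_report", user_reports))
    for source, names in feeds:
        for name in names:
            seen.setdefault(normalize_vendor(name), set()).add(source)
    approved = {normalize_vendor(s) for s in sanctioned}
    return {
        app: {
            "sources": sorted(sources),
            "sanctioned": app in approved,
            "finding": classify(app in approved, sources),
        }
        for app, sources in sorted(seen.items())
    }


def sample_feeds():
    """Constructed sample inputs: three feeds plus the sanctioned inventory."""
    ap_vendors = ["Slack Technologies, Inc.", "Figma Inc", "Zoom.us, Inc."]
    sso_apps = ["slack", "Salesforce", "Zoom", "Miro"]
    user_reports = ["figma.com", "ChatGPT", "Notion", "Slack"]
    sanctioned = ["Slack", "Salesforce", "Zoom", "Figma"]
    return ap_vendors, sso_apps, user_reports, sanctioned


if __name__ == "__main__":
    for app, info in discover(*sample_feeds()).items():
        if info["finding"] != "managed":
            print(f"{app:12} {info['finding']:24} seen in {', '.join(info['sources'])}")
```

In the sample, the two tools that surface only through user reports are the blind spot the post describes: neither an invoice nor an SSO log would ever have revealed them, which is why the user has to be part of the discovery process.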

Get started

If you want to properly evaluate your organization’s SaaS security and what measures you should take to mitigate risk, contact us to get started.