In recent years, businesses have begun to adopt a cloud-first approach to IT with increasing frequency. The major driving forces behind this change are the ease of use, availability, scalability, and cost-effectiveness of this approach. The vast number of cloud services available has made it necessary to introduce categories that help users better understand the nature of each service. Some of the most renowned categories include SaaS (Software as a Service), IaaS (Infrastructure as a Service), PaaS (Platform as a Service), FaaS (Functions as a Service), and DaaS (Data as a Service). While all of the aforementioned models are popular, SaaS most likely comes to mind when one thinks about cloud software. This is the category that the majority of companies and employees work with directly.
As one might imagine when considering its popularity, there are many benefits to using SaaS apps. For the most part, SaaS is incredibly easy to set up; generally, only a simple registration and a credit card are necessary to begin using the software. Depending on the type of software, SaaS might require some type of integration with other systems. However, there is usually nothing to install on-premises.
SaaS presents three major problems for organizations:
1. You don’t know what you don’t know.
As mentioned earlier, it’s very quick and easy to begin using cloud-based software. Any employee with a corporate email address can register and start to explore the possibilities of the service. Despite being very simple, this presents a problem for the organization. It’s very possible that an employee could “go rogue” and sign up for the service without the organization’s knowledge or consent. As these SaaS apps are not under centralized IT management, the accounts created there are unknown and unmanaged, too.
This raises quite a few questions:
– What happens if the employee leaves the company? They might still have access to software and services that might store or process sensitive information.
– What data is stored on the platform, and how is it processed or shared? If the use of the software is unknown from an organization’s point of view, there is almost zero chance for the company to properly manage the relevant data usage policies.
– What policies and agreements does the SaaS vendor provide?
According to various reports, an employee has access to tens of such cloud applications, while companies use hundreds of cloud apps on average. In the case of an enterprise, this can reach thousands of cloud apps, all presenting issues with regard to company data management and privacy. This means that even smaller organizations can face these large-scale problems, accumulating thousands of online business web accounts, and large enterprises can have tens of thousands of such accounts.
2. Management nightmare.
Even if a company hasn’t fully realized the large challenges and risks presented by SaaS accounts, it might instead face SaaS-related management issues on a day-to-day basis. Sooner or later, users will present questions or requests related to a given service. Managing such requests can be problematic if the service or software in question is barely known by the IT department. Common user inquiries involve potential login issues, integration help, and usability questions, just to name a few.
There might also be other requirements to create an inventory of the services, even if they are free and don’t directly cost the organization a penny. For instance, if an audit requires you to list the online web applications along with their nature, policies, and agreements, manually gathering this information is an extremely time-consuming and sometimes impossible task.
3. Passwords, passwords, passwords.
The use of SaaS accounts presents many direct IT security risks as well, the largest and scariest problem being passwords. Let’s be honest—users don’t like passwords, especially complex passwords. As a result, they tend to use weak passwords or reuse corporate credentials when they create or update their accounts. For the latter, the rationale from their point of view might be that they consider this access to be corporate in nature, so they use the same password as the one they used for their corporate email, VPN, etc. Even if they do their best to use unique and complex passwords, billions of accounts are breached every year.
The SaaS market is extremely competitive, and most SaaS vendors’ development processes are feature-driven, while security is only secondary at best. Of course, there are many vendors who put more effort into the security of their infrastructure and product. Even if that’s the case, vulnerabilities—even zero-day ones—exist, which hackers can take advantage of to gather login information and other sensitive data. Breaches and password reuse are the main culprits for account takeover (ATO) attacks, as leaked credentials can be used to gain unauthorized access to corporate resources.
Our Solution
Scirge provides a unique approach to unveil and gain control over unmanaged third-party web accounts. Scirge tracks the websites that employees register on and log in to with corporate email addresses. Having a central dashboard of discovered accounts helps to reduce the risk of credential-related threats such as password reuse or account takeover (ATO). Scirge gives a level of control over SaaS usage to overcome Shadow IT. It also helps to ensure that your company complies with GDPR, CCPA, and other audit requirements.