DoControl on Tuesday released research that found some 40% of all software-as-a-service assets are unmanaged, which heightens internal, external, and public access to sensitive data.
The vendor pointed out that while the average 1,000-person company stores between 500,000 and 10 million assets in SaaS applications, companies that enable public sharing may unwittingly share up to 200,000 of these assets publicly.
“Unmanageable data access poses a significant risk to any organization and increases the likelihood of a data breach,” said Adam Gavish, co-founder and CEO of DoControl. “While SaaS apps are designed to promote collaboration, this also creates an ever-growing attack surface that requires attention to ongoing data access at scale.”
By almost any objective criteria — sensitivity of data, importance to business operations, need for data integrity — SaaS applications such as Salesforce and ServiceNow and the data they contain are part of the critical IT infrastructure stack, said Tim Bach, vice president of engineering at AppOmni. However, they receive little attention from administrators responsible for managing and securing critical enterprise IT, he said.
“SaaS is not typically given the same level of due diligence as IaaS, bare metal, and other elements of the IT infrastructure stack,” Bach said. “This leaves organizations vulnerable to leaks and breaches that can compromise the integrity of sensitive information, disrupt operations and damage reputation and market value. We, as security practitioners, need to treat SaaS as critical infrastructure and invest accordingly to secure it.”
Unmanaged SaaS usage means that sensitive corporate data may proliferate to locations that were never envisioned to house that type of data, said Sounil Yu, chief information security officer at JupiterOne. In addition, Yu said SaaS applications often integrate with other SaaS applications, and if those integrations are also not managed, then organizations risk granting overly permissive and continuous access to their corporate data through multiple SaaS channels.
“To address this challenge, organizations first need visibility into what SaaS applications are being used,” Yu said. “Initial visibility can be obtained by allowing SSO authentication through their preferred identity provider. Furthermore, organizations should explicitly review the permission scope of SaaS applications and approve them before they are allowed to authenticate.”
Tim Eades, CEO at vArmour, said while cloud-based applications offer flexibility and increase efficiency and productivity, they also can increase an enterprise's attack surface, creating significant risk if businesses don’t understand the relationships between those applications, their dependencies, or who can access them.
“Proper visualization management of these applications, identities, and data can be the difference-maker when it comes to not only understanding, but mitigating the threat of these unmanaged assets,” explained Eades.