A person wearing gloves demonstrates a laptops function at a store on Nov. 27, 2020, in Louisville, Ky. A study found that nearly half of cloud privileges are misconfigured. (Jon Cherry/Getty Images)

Varonis on Thursday released a report indicating that companies have to focus a bit more on securing their SaaS applications.

The study found that 44% of cloud privileges are misconfigured, 3 out of 4 cloud identities for external contractors remain active after they leave, and 15% of employees transfer business-critical data to their personal cloud accounts.

“If you’re not watching closely, users can silently copy, delete or expose your mission-critical data to just about anyone,” said Rob Sobers, vice president of marketing at Varonis. “And that data can be anything from your Salesforce customer list, source code in GitHub, and documents in Box and Google Drive.”

The misconfiguration and access problems companies are seeing now aren’t new -- they're just now waking up to them, said Brendan O’Connor, co-founder and CEO of AppOmni. O’Connor said that the landscape for SaaS applications has grown far more heterogeneous than the consolidated on-premesis technologies organizations may have used in the past.

“Unlike being able to focus on just a couple of key technologies, like Windows and Mac, or Android and iPhone, most enterprises use dozens or even hundreds of different SaaS applications,” O’Connor said. “This means that security teams won’t be able to specialize in these technologies in the same way.”

The report both underscores the difficulty of managing privilege and identity from a top-down view built on static perspectives of granted privilege, as well as the challenges faced by security teams that rely too heavily on preventative hardening in the face of the dramatic increase in cloud adoption, said Tim Wade, technical director of the CTO Team at Vectra.

“Visibility is the lever that strategic decision makers need to pull to start reclaiming confidence in the face of risk – not just visibility into how privilege gets granted, but the observed privilege of dynamic use, to spot account dormancy,  deviations from least privilege, practices that place sensitive data, assets, and services at risk,” Wade said. “The takeaway isn’t that the enterprise needs more centrally managed enforcement; the takeaway is that IT and security programs need visibility to match the speed and scale at which the business is evolving.