Time to rethink cybersecurity in the age of SaaS sprawl


The rapid adoption of Software-as-a-Service (SaaS) has transformed business operations, delivering scalability, ease of deployment, and solutions tailored to specific needs. These same benefits, however, have a side effect: a phenomenon called "SaaS sprawl."

This refers to the rampant proliferation of multiple cloud-based applications within an organization. SaaS sprawl has created a number of significant security challenges, including over-sharing of data, data leakage, lack of standardization and centralized oversight, and increased complexities in managing user access and permissions.

SaaS sprawl is exacerbated because adoption is mostly business-led, so security teams are unaware of many of the apps in use. You cannot track, manage, contain, or secure an application you do not know exists. A cohesive strategy has become essential to enable secure application usage and address the associated security concerns effectively.

Given these trends, we need a new user-centric approach to secure a constantly growing environment and help users make better, safer decisions when working with apps.

How SaaS sprawl impacts cybersecurity

The number of SaaS apps in use continues to skyrocket. Over the past few years, organizations have become increasingly dependent on software applications such as Microsoft 365, Google Workspace, and Salesforce to meet, collaborate, and share information. Between 2015 and 2022, the SaaS industry grew from $31.4 billion to an estimated $167.1 billion, more than 5x growth in only seven years. That growth continues to accelerate due to advancements in AI, including generative AI applications such as ChatGPT.

SaaS sprawl has been driven by ease of adoption and deployment. SaaS applications offer quick implementation and do not require significant upfront investments or complex infrastructure setups. This convenience has led departments and individual employees to bypass IT and procure and use SaaS applications directly.

While SaaS fosters agility and innovation, it also means that applications are used without the knowledge or approval of IT security teams. This introduces significant security risk: these applications may lack proper security controls, and nobody has verified that they meet the organization's compliance requirements.

Addressing SaaS approval backlog

It isn’t just unsanctioned SaaS creating problems. Surging business-led SaaS adoption has introduced an overwhelming demand for app approvals, leaving IT security professionals struggling to keep pace.

The result has been a significant backlog of apps awaiting approval, which creates friction between business users and the security team. The scarcity of resources, particularly skilled security professionals, exacerbates the problem. The backlog causes delays and frustration, and it hinders productivity.

To bridge the gap and address this challenge, organizations must streamline the approval process without compromising security. A user-centric approach focusing on empowering individuals to make safe and informed decisions while using SaaS apps has become crucial.

Organizations spend a great deal of budget and energy trying to block users, who will mostly circumvent security in favor of productivity whenever they are given the chance. According to Gartner, more than 90% of employees who admitted to engaging in unsecure work actions knew it would increase risk to the organization.

Instead, organizations should implement solutions that offer users real-time contextual guidance when an unsecure action is about to take place, helping them recognize the security risk associated with the action and choose a secure alternative. This approach reduces the burden on the IT security team by enabling users to make the right decision on their own.

Traditional security products don't empower users

Network security products such as secure web gateways, firewalls, cloud access security brokers, and data loss prevention tools can effectively prevent certain actions, but they see the connection and its destination rather than what the user does inside the application. They therefore have limited visibility and control over in-app activities such as signing up for an application or changing its configuration. They also don't tell users why an action was blocked. Restricting actions solely at the network level hinders productivity and proves less effective.

Traditional security awareness training and written policies have a similar limitation: they cannot offer immediate guidance and support to someone who is about to take an unsecure action.

Emerging products now offer contextual feedback to users in real time when they are about to make a poor security decision, guiding them to a safer alternative that aligns with the organization's security policies. With such products in place, organizations can preempt the exposures created by an ever-growing SaaS environment rather than discover them after the fact.

But why do we need these new products? Humans have long been a thorn in the side of otherwise sound security technology and strategy. The 2022 Verizon Data Breach Investigations Report found that the human element, including social attacks, errors, and misuse, was involved in 82% of breaches.

To truly control SaaS sprawl at scale, organizations must empower individuals to safely use the SaaS apps they need. Doing so requires an approach that engages users at critical decision-making moments, intervenes when they attempt risky actions, and shows them a better path that upholds security without sacrificing productivity. In addition, these new products need to give security teams the much-needed visibility to monitor activity and respond quickly and effectively to security incidents.

The growth in SaaS adoption is a stark reminder that organizations need a new approach to deal with this new reality. Only a user-centric approach that delivers full visibility and then preempts unsecure actions before they happen can keep up with business demands without exposing the organization to unwanted risk.

Guy Guzner, co-founder and CEO, Savvy

Guy Guzner

Guy Guzner is a co-founder and the chief executive officer at SAVVY. He has over 25 years of experience with network security products, and began his career managing large product teams in engineering and security at Check Point Software Technologies, where he built security product strategies and led the development life cycle of a product portfolio with over $1.5B in annual revenues. In 2014, he co-founded Fireglass, a browser-isolation startup acquired by Symantec in 2017. Guy completed the Executive Program in Leadership at Stanford University Graduate School of Business.
