A new report from software-as-a-service company DoControl Inc. has found that 40% of all SaaS data access is unmanaged, creating significant insider and external threats.
Described as a wake-up call to chief information officers and chief information security officers and the enterprises they protect, the report details the significant threat of unchecked and named data access by the SaaS provider and how it is often underestimated. The findings came from a study of an average 1,000-person company with data stores of between 500,000 and 10 million assets in SaaS applications. Companies enabling public sharing may face up to 200,000 of these assets being shared publicly.
Cyber experts from around the world weighed in on the data from this report.
Tim Bach, Vice President of Engineering at AppOmni:
"SaaS has become the go-to technology solution in the enterprise over the past decade and is now increasingly important in day-to-day business operations. Applications such as Salesforce, ServiceNow, Workday, Microsoft365, GSuite, Box and Slack support the vital activities of every line of business within the organization. Their ubiquity and convenience make these applications almost invisible to those who rely on them and they are used almost without thought. This transparency creates a paradox, however. By almost any objective criteria—sensitivity of data, importance to business operations, need for data integrity, etc.—these applications and the data they contain are part of the critical IT infrastructure stack. But they receive little attention from administrators responsible for managing and securing critical enterprise IT. SaaS is not typically given the same level of due diligence as IaaS, bare metal, and other elements of the IT infrastructure stack. This leaves organizations vulnerable to leaks and breaches that can compromise the integrity of sensitive information, disrupt operations and damage reputation and market value. We, as security practitioners, need to treat SaaS as critical infrastructure and invest accordingly to secure it."
Howard Ting, CEO at Cyberhaven:
"This should be an immediate wake-up call for the industry. As enterprises move their data to the cloud, the potential exposure of that data mushrooms by orders of magnitude as insiders, partners, and other pieces of the supply chain get access to that data. It is essential that enterprises start holding their SaaS vendors accountable and have auditable ways to know exactly who has access to their data and how it is protected."
Sounil Yu, Chief Information Security Officer at JupiterOne:
"Unmanaged SaaS usage means that sensitive corporate data may proliferate to locations that were never envisioned to house that type of data. In addition, SaaS applications often integrate with other SaaS applications. If those integrations are also not managed, then organizations risk granting overly permissive and continuous access to their corporate data through multiple SaaS channels.
To address this challenge, organizations first need visibility into what SaaS applications are being used. Initial visibility can be obtained by allowing SSO authentication through their preferred Identity Provider. Furthermore, organizations should explicitly review the permission scope of SaaS applications and approve them before they are allowed to authenticate through their Identity Provider.
Finally, organizations will need to be attentive to those SaaS applications that are accessed outside of using SSO. These steps are not trivial and there is opportunity for innovation here to make this easier for security teams."
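The review steps Sounil Yu outlines above (inventory the SaaS applications, check each one's permission scope against what was approved, and watch for sign-ins that bypass SSO) can be turned into a simple triage routine. The following is an added example, not code from the report or from any of the vendors quoted; the app names, scope names, the approved-scope allowlist and the inventory records are constructed sample data, and the field names are assumed rather than taken from any real identity provider's export format.

```python
from dataclasses import dataclass

# Assumed allowlist: the scopes a security team has explicitly reviewed and
# approved for each SaaS app before it may authenticate through the IdP.
APPROVED_SCOPES = {
    "crm-app": {"openid", "profile", "contacts.read"},
    "chat-app": {"openid", "profile"},
}


@dataclass(frozen=True)
class SaasApp:
    """One record from a (constructed) SaaS inventory export."""
    name: str
    sso_enforced: bool        # does the app only accept IdP-issued logins?
    scopes: frozenset         # permission scopes the app currently holds
    non_sso_logins: int       # sign-ins observed outside SSO (local passwords)


def review_app(app: SaasApp) -> list:
    """Return the findings for one app; an empty list means it passes review."""
    findings = []
    if app.name not in APPROVED_SCOPES:
        findings.append("unreviewed: app not in approved list")
    else:
        extra = app.scopes - APPROVED_SCOPES[app.name]
        if extra:
            findings.append("over-scoped: " + ", ".join(sorted(extra)))
    if not app.sso_enforced:
        findings.append("SSO not enforced")
    if app.non_sso_logins > 0:
        findings.append(f"{app.non_sso_logins} non-SSO sign-ins")
    return findings


def review_inventory(apps) -> dict:
    """Map each app name to its findings so the full inventory can be triaged."""
    return {app.name: review_app(app) for app in apps}


# Constructed sample inventory (not real data).
SAMPLE_APPS = [
    SaasApp("crm-app", True, frozenset({"openid", "profile", "contacts.read", "files.readwrite"}), 0),
    SaasApp("chat-app", True, frozenset({"openid", "profile"}), 3),
    SaasApp("notes-app", False, frozenset({"openid", "email"}), 0),
]

if __name__ == "__main__":
    for name, findings in review_inventory(SAMPLE_APPS).items():
        print(name, "->", findings or "ok")
```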
Mohit Tiwari, Co-Founder and CEO at Symmetry Systems:
"The SaaS multi-cloud environment has a reputation of being hard to secure. There are production data stores (SQL, NoSQL, caches, queues, ...), analytics data lakes, etc. that contain sensitive data and talk to the internet. And each data store exposes a different set of knobs -- encryption, access control, etc. -- that are hard to set up and keep synchronized. Organizations will need to fundamentally rethink how to monitor where their sensitive data is, how it is protected, and how it is being used."