Building a Business Case for SaaS Security

As SaaS adoption continues to explode, it’s become more important than ever to get deep visibility into the SaaS apps within your organization, uncover the interconnectivity of those apps and understand their security coverage and configuration. 

Today’s SaaS applications feature countless configuration settings that can introduce security gaps and risk. Nevertheless, making the case for deploying a dedicated SaaS management solution is still a challenge for security professionals.

To tackle the issue, let’s first understand the key SaaS security challenges companies face these days.

Data Sprawl

What happens when an organization has a lot of applications in its SaaS stack? SaaS sprawl. This, in turn, introduces data sprawl.

SaaS data sprawl is the result of the decentralized distribution of information in different applications, making it difficult for IT to answer questions like:

• Where does all the data reside, and how is sensitive or personally identifiable information (PII) being processed?
• Who has access to the data, and how secure is it?  

Another driver of SaaS sprawl? Open APIs. As they have become a market standard, customers expect all their SaaS solutions to work jointly with one another to drive operational efficiencies.

Shadow SaaS

Another problem introduced by SaaS sprawl is shadow SaaS — where employees use SaaS applications without the IT or security teams’ knowledge. 

While employees have bypassed IT departments for ages, SaaS usage has introduced another shadow IT opportunity. Why? Because SaaS offerings present unique solutions to address specific user requirements that may not be addressed by the organization’s IT solutions.

Without SaaS apps getting the proper security and IT review upfront, numerous risks are introduced:

1. Data loss: Shadow SaaS can drive unknown attack surface expansion as shadow SaaS apps are bypassing IT’s typical vetting procedures. Often, the SaaS providers themselves don’t have adequate expertise or measures in place to protect customer data.
2. Compliance risk: Shadow SaaS also makes your organization vulnerable to non-compliance risks. Regulations like HIPAA and GDPR specify how companies can use, store, or transfer consumer data. SaaS providers that fail to comply with these regulations could cost businesses millions of dollars in fines. 

Managing SaaS Security Risk

What’s escalating the SaaS security management challenge is the fact that SaaS apps have become more customizable. This creates two additional problem areas:

1. Managing SaaS settings: Given that enterprises use hundreds or even thousands of SaaS applications, most security teams likely have thousands of settings to manage – across all SaaS applications — in order to reduce security risk. Misconfigurations can make apps publicly accessible, and attackers can leverage weak configuration settings to access sensitive data.
2. Identity and access management: Identity and access controls make up a large percentage of settings that security teams need to manage. But many SaaS users have admin rights or excessive privileges, posing data security risks – including insider threat. 

Why Existing Approaches Fail

While processes for managing SaaS may differ from company to company, technologies have emerged to help teams tackle these challenges in isolation.

SaaS Security Posture Management (SSPM) platforms provide automated, continuous monitoring of SaaS applications to help security and IT teams minimize risky configurations, manage policies, and ensure SaaS compliance. While the SSPM market is gaining traction, SSPMs often don’t offer visibility into end-user devices accessing SaaS applications – meaning security teams only get a fragmented view of the whole picture.

Without an SSPM solution in place, security analysts spend up to 70 hours per month reviewing configurations across all SaaS apps (and up to 60 more evaluating SaaS security compliance).

Source: Axonius Value Calculator

Another market gaining traction over the last few years is SaaS Management Platforms (SMP). These solutions allow IT teams to manage the day-to-day SaaS operations, improve the employee onboarding and offboarding experience, track application usage, and gain some visibility into SaaS licensing.  

But while some SMPs have basic security functionality built in, they often lack robust information on SaaS settings, misconfigurations, data flows, and user access levels – all of which are critical in reducing security risk.

Making a Business Case for SaaS Security

SaaS offers tremendous value to organizations, but businesses need an easier path to rein in SaaS complexity.

The way forward? Adopting a comprehensive approach to SaaS management that solves IT, security, and risk teams’ challenges by giving them a single source of truth into the SaaS application landscape. 

This modern approach to SaaS management should incorporate three main aspects to ensure its business value for the stakeholders:

• Breadth: The ability to discover both known and unknown SaaS applications, providing complete and actionable visibility into all data types and interconnectivity flows. 
• Depth: Uncover and mitigate various security risks that put sensitive customer and business data at risk — including identifying misconfigured SaaS settings and suspicious or malicious behavior.
• Context: Provide correlation and valuable data insights between SaaS apps, cloud services, devices, and users in the organization’s environment.

Per our analysis, upon adopting a modern comprehensive approach to SaaS security, misconfigurations are flagged automatically — saving roughly 60 analyst hours per month, which equates to over $50,000 in cost savings in terms of annual analyst salary. This allows businesses to reallocate those employees’ time to other high-priority initiatives.