Casting Light on the Shadows: The Secret Life of SaaS in Cybersecurity



Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Guy Guzner of Savvy casts a light to dispel the shadows and reveal the secret life of SaaS apps in the realm of cybersecurity.

The recent SEC bulletin that specified new cybersecurity requirements and annual disclosures for public companies is causing quite a stir in boardrooms, IT departments, and cybersecurity circles. This ruling is a game-changer in corporate governance, placing a significant burden on companies’ incident response.

It also highlights the pressing need for organizations to address the growing prevalence of Software as a Service (SaaS). The unchecked expansion of SaaS exposes organizations to new vulnerabilities that are both complex and hard to control. We refer to this phenomenon as the ‘secret life of SaaS,’ underlining the challenges of managing these digital ecosystems.

Revealing the Challenge

The rise of SaaS platforms like Slack, Microsoft Teams, and Asana has revolutionized how businesses operate by offering specialized solutions for a wide range of functions, from project management to HR and finance. While these tools provide unparalleled convenience, their widespread adoption has led to what we call ‘SaaS sprawl.’

This phenomenon represents the rapid and extensive integration of SaaS within organizations. Unlike traditional applications that require constant maintenance, SaaS tools may seem simpler on the surface. However, their decentralized nature presents new visibility and control challenges, making it difficult to enforce security policies on identity hygiene and sensitive data transmission and storage.

Imagine a puzzle where the pieces, represented by various SaaS tools, operate independently and don’t quite fit together seamlessly. This decentralized approach allows departments to select the best tools for their needs but often comes at the expense of proper security measures. Issues such as mismatched identity standards, data privacy, and the extensive work required to gain oversight become daunting obstacles for security operations teams.

To make matters worse, employees often use unsanctioned SaaS to increase productivity, sometimes intentionally disregarding security protocols. According to a recent Gartner survey, 69 percent of employees have ignored their organization’s cybersecurity guidance in the past 12 months, and 74 percent said they would bypass cybersecurity to achieve a business objective. At the heart of these challenges lies the critical issue of data security because unsanctioned SaaS operates in the shadows without much oversight.

The Renewed Significance of Shadow SaaS

Unfederated SaaS, also known as shadow SaaS, arises when employees sign in to applications without Single Sign-On (SSO) and therefore operate outside IT or security team oversight. This makes visibility and control hard to maintain and puts data security at risk. While shadow SaaS has always been an issue, the rise of generative AI applications has exacerbated the worst-case scenarios.

Consider a situation where a team member utilizes a generative AI tool, such as ChatGPT, to draft or rework a highly confidential document or optimize proprietary code. Currently, there are no laws to determine whether the generative AI platform or the company owns the output of those queries. These gray areas make controlling SaaS environments even more important because there may be retroactive consequences years down the line.

The specter of shadow SaaS also lurks within sanctioned SaaS environments. If employees choose to log in through methods other than SSO, companies can lose visibility, even when the company has accepted the application into its environment.
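The two failure modes described in this section, unsanctioned applications and non-SSO sign-ins to sanctioned ones, both surface in authentication records, so they can be flagged from a SaaS audit-log export. The following is an added example written for this article, not code from the author or from Savvy; the field names (`app`, `auth_method`), the sanctioned-app list and the sample events are all constructed, and a real export would need its own field mapping.

```python
"""Flag shadow SaaS from a SaaS sign-in log: unsanctioned apps and non-federated logins.

Added example, not part of the original article. The event schema and sample
data below are constructed; map your own audit-log fields onto them.
"""
from collections import defaultdict

# Constructed: applications the organization has accepted and federated through its IdP.
SANCTIONED_APPS = {"slack", "asana"}

# Authentication methods that indicate the login went through the IdP.
FEDERATED_METHODS = {"saml", "oidc"}

# Constructed sample sign-in events in an assumed, simplified schema.
EVENTS = [
    {"user": "alice@example.com", "app": "slack", "auth_method": "saml"},
    {"user": "bob@example.com", "app": "slack", "auth_method": "password"},
    {"user": "carol@example.com", "app": "gen-ai-tool", "auth_method": "google_oauth"},
    {"user": "alice@example.com", "app": "asana", "auth_method": "saml"},
    {"user": "dave@example.com", "app": "asana", "auth_method": "password"},
]


def classify(event, sanctioned=SANCTIONED_APPS):
    """Return 'unsanctioned_app', 'unfederated_login' or 'federated' for one event."""
    app = event["app"].lower()
    method = event["auth_method"].lower()
    if app not in sanctioned:
        # App was never accepted into the environment: classic shadow SaaS.
        return "unsanctioned_app"
    if method not in FEDERATED_METHODS:
        # Sanctioned app, but the user bypassed SSO, so the IdP has no record of it.
        return "unfederated_login"
    return "federated"


def find_shadow_saas(events, sanctioned=SANCTIONED_APPS):
    """Group every non-federated event by finding type as (user, app, auth_method)."""
    findings = defaultdict(list)
    for ev in events:
        label = classify(ev, sanctioned)
        if label != "federated":
            findings[label].append((ev["user"], ev["app"], ev["auth_method"]))
    return dict(findings)


def unfederated_ratio_by_app(events, sanctioned=SANCTIONED_APPS):
    """Share of sign-ins per sanctioned app that bypassed SSO; useful for prioritising fixes."""
    totals, bypassed = defaultdict(int), defaultdict(int)
    for ev in events:
        app = ev["app"].lower()
        if app not in sanctioned:
            continue
        totals[app] += 1
        if ev["auth_method"].lower() not in FEDERATED_METHODS:
            bypassed[app] += 1
    return {app: bypassed[app] / totals[app] for app in totals}


if __name__ == "__main__":
    for label, rows in find_shadow_saas(EVENTS).items():
        print(label)
        for user, app, method in rows:
            print(f"  {user} -> {app} via {method}")
    print("non-SSO share per sanctioned app:", unfederated_ratio_by_app(EVENTS))
```

Running it over the constructed events reports Bob's and Dave's password logins to sanctioned apps as `unfederated_login` and Carol's use of the unsanctioned tool as `unsanctioned_app`; the per-app ratio shows which federated applications still allow SSO to be bypassed and are worth enforcing first.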

Empowering Smart Decision-Making

To address the multidimensional challenges posed by SaaS sprawl, organizations are actively seeking innovative solutions. Federated SaaS security appears to be an attractive proposition, offering the promise of a unified security framework across diverse SaaS applications. However, as mentioned earlier, getting every employee to use SSO is difficult, and implementing federated SaaS can itself introduce scalability and integration challenges.

Achieving full buy-in for federated SaaS requires companies to take a proactive stance and gain true visibility and control over their environment. They need to invest in technologies that provide real-time guidance and support for employees and encourage them to practice good identity hygiene by signing up and signing in the right way. This approach aims to strike a delicate balance between security imperatives and the need for user productivity.

It seeks to harmonize with human judgment, fostering a symbiotic relationship between users and security protocols. It’s not just about safeguarding data but also cultivating a culture of informed decision-making. By empowering users to make smart choices, these innovations pave the way for tackling the complexity of SaaS security.

Compliance and Navigating the Maze

As the SEC ruling reshapes cybersecurity disclosures and SaaS continues to expand, organizations must embrace innovative solutions that employ user-centric cybersecurity strategies. Comprehensive visibility and control of SaaS ecosystems, coupled with security measures, are imperative to successfully navigate these challenges and adapt to regulatory shifts in the digital age. Furthermore, organizations striving to comply with new cybersecurity disclosure requirements must also grapple with the complexities of their SaaS landscapes, both sanctioned and shadow, to protect their data and maintain compliance in an ever-evolving digital world.
