How Employee SaaS Usage Determines SaaS Security Requirements

SaaS Security

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Ran Senderovitz of Wing Security offers an in-depth overview of how employee SaaS usage determines SaaS Security requirements, essentials, and strategies.

Over 300,000 Software as a Service (SaaS) applications and web extensions have become integral to every company’s operations. Mid-market and small businesses rely even more heavily on these applications for both organizational and individual (employee) efficiency as they have become crucial for competitiveness and growth. The latest U.S. Census reveals that the U.S. is home to over 5 million businesses with fewer than 50 employees and about 250,000 larger businesses with up to 5000 employees. After studying hundreds of businesses from that group, my team and I observed that most of these mid-market companies use an astonishing number of applications, most frequently in the hundreds. However, their security teams are often either unaware of or lack the resources to address the security risks posed by these diverse third-party services integrated into their organizations.

Fortunately, the cyber industry, specifically the SSPM (SaaS Security Posture Management) industry, now provides a range of simple yet effective tools for these security teams. These tools are adaptable to any budget and labor requirement and support essential security practices for achieving comprehensive protection for a company’s SaaS domain, leaving no excuse for businesses not to safeguard themselves in this aspect.


Types of SaaS Application Usage

SaaS application usage in an organization can be broadly categorized into two types:

  • Organizational Efficiency: These are applications and services chosen by leadership as part of the organization’s infrastructure. Examples include Microsoft and Google Workspaces, video conferencing services like Teams, Zoom, and Webex (which became indispensable post-COVID), HR tools, sales and marketing platforms, collaboration services, and development repositories. These are fundamental to almost every aspect of modern organizational operations, and it is expected for organizations to have tens of these applications.
  • Personal Efficiency: These are the applications employees adopt as they seek to become better at their jobs (and sometimes mistakenly use company assets for non-work-related functions). These include AI-driven tools that have revolutionized job functions in numerous ways, becoming almost irresistible to employees. Applications for call transcription, code writing, marketing email generation, and sales analytics that target professional workforces are just a few examples. Employees often subscribe to these services, either for free or at personal expense, in a bid to enhance their efficiency. This practice, known as Shadow IT, can pose significant risks. Security teams should expect to find hundreds of these applications in their organizations.

Security Challenges of SaaS

The security challenge emerges when employees misuse organizational SaaS; however, an even more significant risk may be exposed when they independently subscribe to external services to improve their productivity for the organization without considering security. While I strongly believe in the importance of modern organizations encouraging their employees to use these applications, using them without a security context may lead to the negligent adoption of malicious or poorly secured applications, risky data sharing, or excessive permissions, potentially placing the organization at significant risk.

To illustrate this point, let’s examine the rapid infiltration of ChatGPT into the workforce. After speaking with numerous security practitioners, I have yet to encounter an organization that believes it is ‘ChatGPT-free.’ Typically, these applications are introduced or used through individual employee initiatives. A common strategy among security practitioners to address this issue involves restricting access through Microsoft and Google Single Sign-On (SSO). In reality, however, employees often find alternative ways to reach these services, such as signing up with a personal email and password or using third-party applications and web extensions. This exacerbates the situation, because the primary concern, ensuring that employees use the authentic ChatGPT app, remains unaddressed.

A comprehensive web search can reveal hundreds of different SaaS services featuring ‘ChatGPT’ in their names. While most are legitimate, some originate from smaller organizations with inadequate security measures, and others are outright malicious and intended to deceive employees. When employees adopt these applications, they risk exposing organizational data to unverified sources. Furthermore, a compromised application with access to an employee’s email can easily send seemingly legitimate messages, initiating phishing attacks.

The challenge for CISOs and security professionals is clear: protecting an organization from unseen threats is a formidable task. Merely blocking access through the workspace is insufficient as a standalone solution. This evolving landscape demands vigilance and innovative strategies to safeguard against these growing cybersecurity risks.

Securing SaaS: Essential and Advanced Strategies

The SaaS Security Posture Management (SSPM) industry is crucial in guiding mid-market companies to safely adopt SaaS applications. Security control can be broken down into six steps, categorized into essential and advanced stages:

  • The Essentials: Discover, Assess, Control
    • Supply Chain Discovery: Treating SaaS applications as subcontractors is vital. Comprehensive discovery includes identifying both applications connected directly to the organization and those that employees use without going through the organization’s OAuth.
    • Risk Assessment: Each application’s security posture should be evaluated in relation to its necessity, the data shared, and the permissions granted within the organizational environment. While Third Party Risk Management was once costly and focused on organizational apps, new research-backed SSPM tools supported by crowdsourcing now make this process feasible for a wider range of applications. Post-assessment, CISOs can make informed decisions about which applications to off-board.
    • User Access Review: For approved critical applications, periodic access reviews are essential to ensure that only authorized users have access and that their roles in the system align with their organizational roles. Implementing these steps aligns an organization’s SaaS adoption with compliance frameworks like SOC 2 and ISO 27001. Conducting these steps periodically is crucial, and SSPM tools now make doing so more accessible and cost-effective.
  • The Advanced: 24×7 Risk Reduction, Detection, and Remediation
    • Automated Posture Management: Advanced tools continuously scan applications, their users, and exposed data to minimize unnecessary usage. Many organizations have applications that haven’t been used for over three months; these tools help identify and potentially off-board those applications. They also manage employee access and minimize data sharing.
    • Risk Detection: The SaaS environment is dynamic; 84 percent of organizations monitored by Wing Security report at least three application breaches in the last three months. Effective tools alert CISOs to take recommended actions when breaches occur or when there are indications of risky events, like stolen credentials or large data movements.
    • Remediation and Response: When risks are detected, many tools can automatically respond, relieving CISOs from manual intervention.
    • Advanced tools vary in their approach: some offer in-depth event analysis and customization for security teams requiring detailed analysis, while others focus on top organizational applications and their configuration. Most mid-market companies seek breadth and simplicity and want the tools to work for them.
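As an added illustration of the discovery, risk assessment and posture-management steps above (this is example code written for this page, not code from the article or from Wing Security), the script below triages a constructed inventory of third-party OAuth grants: it flags unsanctioned apps, grants unused for more than the article’s three-month window, and unsanctioned apps holding mail or file permissions. The scope names, app names and the 90-day cutoff are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Permissions that let an app read data or send mail as the user; a compromised
# app holding one of these is the phishing case described above. The scope
# strings are illustrative and do not correspond to any vendor's real scopes.
HIGH_RISK_SCOPES = {"mail.send", "mail.read", "drive.readwrite", "contacts.read"}
STALE_AFTER = timedelta(days=90)  # assumed mapping of "over three months"


@dataclass(frozen=True)
class Grant:
    app: str              # third-party SaaS app the user authorized
    user: str
    scopes: frozenset     # permissions granted at OAuth consent time
    last_used: date       # last time the token was exercised
    sanctioned: bool      # True if leadership approved the app (organizational SaaS)


def assess(grants, today):
    """Return a dict of finding name -> sorted list of (app, user) pairs."""
    findings = {"shadow_it": [], "stale": [], "excessive_scope": []}
    for g in grants:
        if not g.sanctioned:                      # discovery: app not on the approved list
            findings["shadow_it"].append((g.app, g.user))
        if today - g.last_used > STALE_AFTER:     # posture: unused for over three months
            findings["stale"].append((g.app, g.user))
        if g.scopes & HIGH_RISK_SCOPES and not g.sanctioned:   # assessment: data exposure
            findings["excessive_scope"].append((g.app, g.user))
    return {k: sorted(v) for k, v in findings.items()}


def offboard_candidates(findings):
    """Apps that are both unsanctioned and unused are the cheapest to off-board first."""
    return sorted(set(findings["shadow_it"]) & set(findings["stale"]))


# Constructed sample inventory; every row is made up for this example.
SAMPLE = [
    Grant("Workspace Mail", "alice", frozenset({"mail.read", "mail.send"}), date(2024, 5, 1), True),
    Grant("chatgpt-helper-ext", "alice", frozenset({"mail.read", "contacts.read"}), date(2024, 1, 10), False),
    Grant("call-transcriber", "bob", frozenset({"calendar.read"}), date(2024, 4, 20), False),
    Grant("Old CRM Plugin", "carol", frozenset({"drive.readwrite"}), date(2023, 11, 1), True),
]


def sample_findings():
    """Run the triage over SAMPLE as of a fixed review date."""
    return assess(SAMPLE, date(2024, 5, 2))


if __name__ == "__main__":
    result = sample_findings()
    for name, rows in result.items():
        print(f"{name}: {rows}")
    print("off-board first:", offboard_candidates(result))
```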

SaaS Has Become Irresistible, Security Has Become Affordable

Onboarding a SaaS application is akin to hiring a subcontractor: it’s essential to know who you’re working with, conduct proper background checks, assess risk versus need, monitor access to organizational assets, and supervise performance and ethics over time. Modern tools in the SSPM industry simplify meeting essential compliance levels for organizations of all sizes, while advanced tools offer a range of solutions tailored to different needs.
