Why Lacking Cloud Application Security Could Cost You
As part of Solutions Review’s Premium Content Series, a collection of contributed columns written by industry experts in maturing software categories, Uri Haramati of Torii says it’s time to get your head out of the clouds and start taking cloud application security more seriously.
Do you have $4.35 million to spare?
How much is security worth? According to recent research, a data breach can cost a company an average of $4.35 million. That’s exactly why so many organizations invest in security solutions. So many, in fact, that the cybersecurity market is estimated to reach a value of $376.32 billion by 2029. However, despite the clear importance of security, many organizations still ignore one critical security blind spot: managing SaaS applications properly.
It’s not your fault; it’s due to the decentralized nature of SaaS. Cloud applications have made it easy for anyone to try, buy, and integrate applications at will. Unfortunately, more often than not, they do so without making IT aware, creating what’s commonly called “Shadow IT,” or unsanctioned application usage. This innovative adoption of productivity-empowering apps has changed how we work, but it has also derailed the offboarding process. These apps are holding your sensitive company information, and they’re out of IT’s purview upon employee departure.
Fortunately, there’s a way forward, and it starts with gaining visibility. But before we look ahead, let’s examine what brought us to this point.
How’d We End Up Here?
We’ve had unprecedented digital transformation wash over industries of every type. As SaaS applications became the norm instead of the niche, we saw a spike in their adoption.
Enter February 2020, and priorities changed due to the pandemic. We saw corporate culture scatter to remote work. The digital workplace rose from the ashes of open-concept offices, and suddenly SaaS applications became essential to operate. IT staff worked tirelessly to ensure their employees could get their jobs done anywhere in the world. That led to further SaaS deployment—both the sanctioned and unsanctioned varieties. Why? SaaS application adoption is decentralized in its nature. Adoption is straightforward, sometimes as easy as making a free account.
That has created a double-edged sword. It’s easier than ever for employees to leverage technology. That ingenuity, backed by cloud tools and services, revolutionized how the modern employee works. But it’s also led to a sharp rise in Shadow IT.
Shadow IT’s Effect on Security
Put simply, Shadow IT is the purchase and/or use of technology without IT’s knowledge or approval, and it’s happening at your organization.
That means sensitive information exists in applications your IT team can’t see or access. Even worse, some of these applications hidden in the shadows are integrated with business-critical applications. Danger lurks in every new adoption. Unfortunately, you can’t secure what you can’t see. Shadow IT, left unchecked, undermines your company’s security. And while your initial instinct might be to try to stomp it out, that’s just not feasible. As long as applications are easy to access, employees will leverage them to improve the way they work. They won’t ask for permission, and they most likely won’t even let you know.
While current employees might threaten your security, that risk multiplies for those departing. It is unsurprising, then, that in that same survey, 59 percent of executives consider offboarding and de-provisioning ex-employees “a top security concern.”
Offboarding Is Broken
A recent report found that 83 percent of employees admitted to maintaining continued access to accounts from a previous employer. If that doesn’t shake up your security strategy, it gets worse: 56 percent said they had used this continued digital access with the specific intent of harming their former employer.
Offboarding is broken. Offboarding is a critical friction factor for organizations leveraging SaaS applications. Can you confidently state that a former employee has zero access to all the SaaS applications they once used? The answer for most is “no.” IT and HR must work hand-in-hand when an employee departs to ensure their access to critical information is revoked. Even when a departure is on friendly terms, it creates incredible risk.
You’re not to blame; SaaS has simply changed the rules. De-provisioning sanctioned applications now requires more. IT must ask, “What other applications were they using?” And that may be impossible to answer without the proper tools.
How To Fix Offboarding & Strategize for Shadow IT
It’s impossible to secure what you can’t see. You need a better set of eyes to improve your IT team’s visibility.
When it comes to SaaS applications, SaaS Management needs to be part of your security strategy. SaaS Management is the use of tools and services to monitor and discover applications in use at your organization. Tools such as a SaaS Management Platform can discover both sanctioned and unsanctioned applications in real time, providing a window into the world of your SaaS stack. Once you’ve gained visibility into what (and how many) applications are in use, you can combat their decentralized adoption with a centralized source of truth. That centralized source of truth can evolve how you secure your organization, enabling you to target gaps and keep track of where your organization’s sensitive data lives, especially when employees depart.
This level of insight into application usage is essential as we move towards a SaaS-filled future of work. No different than ensuring the safety of your physical office, SaaS Management provides the information transparency IT requires within the digital workplace. Any experienced security professional will tell you that security is always a game of cat and mouse. As new risks arise, security strategies must evolve and adapt to address them.
Decentralization alters how employees work. The next step is ensuring you have the infrastructure in place to understand your SaaS stack. That starts with making SaaS management part of your security strategy.
Doing so could save you $4.35 million.