The Hidden Risks of SaaS
January 12, 2021
5 minute read
To learn more about SaaS security, check out our SaaS Data Security Report 2021: Top Risks in File Security.
Your SaaS environment grows every time a well-meaning employee adds another productivity-boosting SaaS application. All too often, that new app also introduces large and unnecessary risks to your company’s SaaS environment. Some of the security and budget issues are obvious; in this post we look at the hidden risks of SaaS and how they affect every IT organization.
In this blog post, we discuss:
- How shadow IT and the number of SaaS apps in your organization are usually underestimated,
- How that sprawl threatens budgets and security, and
- Why you need to use a tool that can discover, manage, and secure your SaaS environment.
Your employees use more SaaS apps than you think
According to our State of SaaSOps survey research, 31% of IT professionals say they never run routine searches of the corporate network for new end-user app subscriptions, which keeps both the SaaS and its risks hidden.
At the same time, 72% say they are very certain they know how many SaaS apps their organization uses. But what happens when automation is used to get full visibility into how many SaaS apps are actually running?
When automated discovery is run across every employee, the real number of SaaS apps averages about 3x what IT estimated.
And if those numbers aren’t concerning enough, BetterCloud Discover trials found:
- On average, companies had 135 redundant apps
- 10% of apps were personal accounts rather than enterprise SaaS
- 10% of apps had no active users in the past 90 days
- 15% of apps had no active users in the past 30 days
So even if you think you have a strong grasp of which applications your employees use, you probably don’t have the clarity you need on SaaS clutter.
Now let’s look at how these unknown and unmeasured apps imperil your organization’s security posture and IT budget.
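The checks behind those numbers are mechanical once you have sign-in data. The following is an added example, not code from the original post or from BetterCloud's product: it runs over a constructed set of sign-in events (the line format, the corporate domain, the sanctioned-app list, and the app-to-category mapping are all assumptions) and reports unsanctioned apps, apps with no active users in 30 and 90 days, apps that duplicate another app's job, and sign-ins made with personal rather than corporate accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events, one per line: timestamp, corporate user,
# SaaS app, and the account the user signed in with. The format is an
# assumption standing in for what an IdP, CASB, or discovery tool exports.
SIGNIN_LOG = """\
2020-12-20T09:12:00Z alice@example.com slack.com alice@example.com
2021-01-05T10:03:00Z bob@example.com slack.com bob@example.com
2021-01-08T14:41:00Z carol@example.com notion.so carol@example.com
2021-01-09T08:15:00Z dave@example.com evernote.com dave.smith@gmail.com
2020-09-01T11:00:00Z erin@example.com trello.com erin@example.com
2021-01-04T16:30:00Z frank@example.com zoom.us frank@example.com
2020-11-30T12:00:00Z alice@example.com asana.com alice@example.com
"""

# Assumed policy inputs: corporate identity domains, the sanctioned app list,
# and a mapping from apps to the job they do (used to spot redundancy).
CORPORATE_DOMAINS = {"example.com"}
SANCTIONED_APPS = {"slack.com", "zoom.us", "asana.com"}
APP_CATEGORY = {
    "asana.com": "project-mgmt", "trello.com": "project-mgmt",
    "notion.so": "notes", "evernote.com": "notes",
    "slack.com": "chat", "zoom.us": "video",
}
# Reference date for the inactivity windows (the post's publication date).
AS_OF = datetime(2021, 1, 12, tzinfo=timezone.utc)


def parse_log(text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, account = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "app": app, "account": account})
    return events


def inventory(events):
    """Per app: distinct users, most recent sign-in, and non-corporate accounts."""
    apps = defaultdict(lambda: {"users": set(), "last_seen": None, "personal": set()})
    for e in events:
        rec = apps[e["app"]]
        rec["users"].add(e["user"])
        if rec["last_seen"] is None or e["ts"] > rec["last_seen"]:
            rec["last_seen"] = e["ts"]
        if e["account"].rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS:
            rec["personal"].add(e["account"])
    return dict(apps)


def unsanctioned(inv):
    return sorted(a for a in inv if a not in SANCTIONED_APPS)


def inactive(inv, as_of, days):
    """Apps where no user at all has signed in during the last `days` days."""
    cutoff = as_of - timedelta(days=days)
    return sorted(a for a, r in inv.items() if r["last_seen"] < cutoff)


def redundant(inv):
    """Categories served by more than one app (the 'different apps, same use case' flavor)."""
    by_cat = defaultdict(list)
    for a in inv:
        if a in APP_CATEGORY:
            by_cat[APP_CATEGORY[a]].append(a)
    return {c: sorted(v) for c, v in by_cat.items() if len(v) > 1}


def personal_accounts(inv):
    return {a: sorted(r["personal"]) for a, r in inv.items() if r["personal"]}


def audit(text, as_of=AS_OF):
    inv = inventory(parse_log(text))
    return {
        "unsanctioned": unsanctioned(inv),
        "inactive_90d": inactive(inv, as_of, 90),
        "inactive_30d": inactive(inv, as_of, 30),
        "redundant": redundant(inv),
        "personal_accounts": personal_accounts(inv),
    }


if __name__ == "__main__":
    for key, value in audit(SIGNIN_LOG).items():
        print(f"{key}: {value}")
```

The 30-day list is always a superset of the 90-day list, which matches the ordering of the trial figures above. Real exports will need their own parser and a maintained category map, but the inactivity and redundancy logic is the same whatever the source.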
Unknown SaaS apps and hidden risks lurk in every organization
SaaS sprawl impacts both budgets and security. Let’s first examine how SaaS can become a financial nightmare.
Unsanctioned SaaS app accounts silently kill SaaS economics
When apps are unauthorized, there is a major downside: with no central owner for the app, enterprises tend to overpay.
Redundant apps are to blame and they come in two flavors:
- The same SaaS app used in different accounts by different users and teams
- Different applications that solve the same use case.
When the exact same app is bought several times over, your enterprise misses out on enterprise or volume pricing, which is the easiest way to cut costs. You are probably also missing out on the preferred features, functionality, and support that come with higher-volume SaaS tiers.
When multiple apps solve the same problem, your enterprise misses out on all of the aforementioned benefits. But it also loses any efficiencies related to SaaS app standardization, like user and IT productivity.
The last silent killer of SaaS economics? Inactive users and underutilization.
Right now, your enterprise probably pays 10-15% more than it should. Think about that for a minute: if you pay $5,000 a month for a SaaS app, at least $500 of that goes to licenses whose only activity is the monthly charge on your credit card.
It’s smart business to stop paying for app licenses you don’t use. It’s also smart security, because unknown SaaS can cost you your security posture.
SaaS is the modern attack vector
Attackers are persistent, resourceful, and patient, and your SaaS environment is their playground. Successful attacks often chain more than one technique: for example, bad actors will exploit email, file sharing, and risky third-party SaaS apps together to reach your valuable customer data and financial information.
Let’s walk through what could happen when an employee falls for the all too common phishing email.
Phishing opens the door to ransomware
Bad actors often get in by persuading an email recipient to click a malicious link or open a malicious attachment. To get the recipient to take that fateful action, the attacker impersonates a trusted contact or a familiar SaaS app.
From there, the attacker launches ransomware that encrypts files, leaving your important files and current work inaccessible until the ransom is paid.
But even if the ransom is paid, the attack does not necessarily stop. The attacker can keep spreading the ransomware, and the demands, through the company’s SaaS environment, and can reach their maximum-damage goal in more than one way.
Once inside your domain, the attacker lets automated backup or sync tools do the work: a sync client faithfully replicates every newly encrypted file to cloud storage, overwriting the good copies there (whether older versions survive depends on the storage service’s version history and retention settings, which are worth checking before an incident). In addition, with a legitimate user’s stolen credentials, they can upload the malware itself just like any other file an authorized user can add to your domain.
In no time at all, every file in your cloud productivity suite or cloud storage, including every file holding intellectual property or confidential and personal information, is locked up. And users who download the infected files risk locking up on-prem data as well.
Even when the attacker isn’t after a ransom, a legitimate user’s login credentials open up other profitable options.
Account takeover attacks in third-party SaaS apps can compromise multiple SaaS apps and users
Bad actors often exploit weaknesses in the risky, unsanctioned third-party apps employees use across the enterprise. By breaking into a poorly secured SaaS app loaded with hidden risks, an attacker obtains login credentials.
The attacker then impersonates a genuine user. Having sidestepped security controls, they can:
- Check whether the same credentials work for other apps (password reuse) and take those over, too
- Act as the genuine user to interact with others in the organization and extract valuable information
- Pull data from a connected cloud storage or cloud productivity suite through the OAuth access the compromised app was granted
This is an account takeover, and the attacker can quietly steal for a long time before anyone notices: money, proprietary information on shared drives, customer lists, employee information, and intellectual property of all kinds.
Unsanctioned apps are unknown, and thereby risky, apps
IT and security teams often don’t know these apps exist, much less what permissions they hold or what read/write access to company data they have been granted. Unsanctioned SaaS applications may also carry security flaws in their source code or infrastructure that put the entire enterprise at risk.
The degree of risk varies by application, but one thing is certain: the more unauthorized apps an enterprise’s employees use, the larger the security risk.
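The OAuth point in the account-takeover list above and the permissions point in this section come down to the same question: which third-party apps hold which grants on your data, and how many users gave them? The following is an added example, not code from the original post or from BetterCloud's product. It triages a constructed list of OAuth grants (app names, client IDs, users, and the sanctioned list are all made up; the scope strings are Google Workspace's real identifiers, but the risk tiers assigned to them are an assumed policy) and ranks unsanctioned apps by the worst scope they hold and how many users granted it. An unclassified scope is deliberately not treated as safe.

```python
# Assumed triage policy: risk tier and plain-English meaning per OAuth scope.
# The scope strings are Google Workspace's; the tiers are this example's choice.
SCOPE_RISK = {
    "https://mail.google.com/": ("critical", "full mailbox read/write"),
    "https://www.googleapis.com/auth/drive": ("critical", "all Drive files read/write"),
    "https://www.googleapis.com/auth/gmail.readonly": ("high", "read all mail"),
    "https://www.googleapis.com/auth/drive.readonly": ("high", "read all Drive files"),
    "https://www.googleapis.com/auth/drive.file": ("low", "only files the app created or opened"),
    "https://www.googleapis.com/auth/userinfo.email": ("low", "sign-in identity"),
    "openid": ("low", "sign-in identity"),
}
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample of third-party app grants, shaped like what an admin
# token audit or a SaaS management tool might export. Not real apps or users;
# the "urn:example:" scope is a placeholder for one nobody has classified yet.
GRANTS = [
    {"user": "alice@example.com", "app": "Team Chat", "client_id": "111.apps",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"user": "bob@example.com", "app": "PDF Merge Free", "client_id": "222.apps",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "carol@example.com", "app": "PDF Merge Free", "client_id": "222.apps",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "dave@example.com", "app": "Mail Tracker", "client_id": "333.apps",
     "scopes": ["https://mail.google.com/"]},
    {"user": "erin@example.com", "app": "E-Signature", "client_id": "444.apps",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"user": "frank@example.com", "app": "Unknown Scheduler", "client_id": "555.apps",
     "scopes": ["urn:example:unclassified-scope"]},
]
SANCTIONED = {"Team Chat", "E-Signature"}


def scope_risk(scope):
    """Tier and description for a scope; unknown scopes get 'medium', never 'low'.

    You cannot reason about a grant whose permissions you have not classified,
    so it must surface for manual review rather than disappear into the noise.
    """
    return SCOPE_RISK.get(scope, ("medium", "unclassified scope: review manually"))


def triage(grants, sanctioned):
    """Aggregate grants per app and rank by sanction status, worst scope, blast radius."""
    apps = {}
    for g in grants:
        rec = apps.setdefault(g["app"], {"client_id": g["client_id"], "users": set(), "scopes": set()})
        rec["users"].add(g["user"])
        rec["scopes"].update(g["scopes"])
    report = []
    for app, rec in apps.items():
        worst = max((scope_risk(s)[0] for s in rec["scopes"]), key=RANK.__getitem__)
        report.append({
            "app": app,
            "client_id": rec["client_id"],
            "risk": worst,
            "users": len(rec["users"]),
            "sanctioned": app in sanctioned,
            "scopes": {s: scope_risk(s)[1] for s in sorted(rec["scopes"])},
        })
    # Unsanctioned apps first, then highest risk tier, then most users, then name.
    report.sort(key=lambda r: (r["sanctioned"], -RANK[r["risk"]], -r["users"], r["app"]))
    return report


def revocation_candidates(report, min_risk="high"):
    """Unsanctioned apps at or above `min_risk`: the list to revoke first."""
    return [r["app"] for r in report if not r["sanctioned"] and RANK[r["risk"]] >= RANK[min_risk]]


if __name__ == "__main__":
    rep = triage(GRANTS, SANCTIONED)
    for r in rep:
        flag = "" if r["sanctioned"] else " [UNSANCTIONED]"
        print(f"{r['risk']:>8}  {r['users']:>2} users  {r['app']}{flag}")
        for scope, meaning in r["scopes"].items():
            print(f"          {scope}: {meaning}")
    print("revoke first:", revocation_candidates(rep))
```

The ordering puts a free PDF utility with full Drive access from two users above everything else, which is the shape of the account-takeover scenario above: the app, not the user, becomes the path to the connected storage. The sanctioned apps still appear, so that a sanctioned app that quietly requests a broader scope in a later version shows up on the next run rather than being filtered out.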
Use a tool to control your enterprise SaaS and hidden risks
With so many risks threatening IT budgets and security posture at once, IT and security teams have to manage both challenges concurrently. The only way to do that is to understand your entire SaaS environment: the apps, usage trends, costs, and associated risks.
It’s not enough to use a tool that just searches for unsanctioned SaaS apps. You need one that gives centralized, comprehensive visibility into every SaaS app in your IT environment, so you can assess potential vulnerabilities and act on them.
To learn more about how BetterCloud can help you discover, manage, and secure your SaaS environment, request a demo.