Controlling apps without borders


The pandemic has forced many organizations to expedite plans to adopt a remote or hybrid working model. This is causing significant changes for organizations, including how they recruit and retain employees and how they procure technology. Since the start of the pandemic, public cloud spending has boomed and, according to Gartner, is forecast to exceed 45 percent of all enterprise IT spending within the next five years. End-user spending on public cloud services is predicted to reach $482 billion in 2022.

About the author

Jennifer Kuvlesky is Senior Product Marketing Manager at Snow Software.

Software as a service (SaaS) is the largest market segment of this sector. It’s no surprise when we consider the convenience and flexibility that SaaS offers, but with this sudden growth and increased SaaS reliance comes new risk around data access, identity theft and control over information. Organizations are now scrambling to shore up security and take action to mitigate these potential threats.

According to a recent report from Snow Software, 92% of organizations are migrating or have already moved to hybrid work. The recent exponential growth of SaaS has been driven by the business need to provide remote workforces with the tools they need, including access to applications, in order to maintain, or indeed increase, productivity levels in the face of the pandemic.

The difference between SaaS and traditional installed applications is that installed apps have mechanisms for controlling access, such as application blacklisting (anti-virus) and whitelisting. With SaaS, the availability of, and easy access to, unknown applications is an open invitation to data security risks and possible GDPR, HIPAA and PCI compliance failures, not to mention costly application sprawl. Adding fuel to this fire is shadow SaaS: individual employees using and/or directly purchasing SaaS software outside of standard procurement checks and processes.

The darker side of SaaS

Data security

With the majority of organizations having to fast-track remote working in order to maintain productivity in lockdown, thorough risk assessments fell by the wayside. Cybercriminals have been quick to take advantage of the shift to the cloud and of the common misunderstanding that cloud providers ensure security. The reality is that data security is a shared responsibility. It is the SaaS provider's responsibility to have baseline controls in place so that its platform protects users' data, and it is IT's responsibility to check that the provider does in fact have good security policies in place. If IT is unaware of the applications in use, it cannot vet the risk of these providers or how they interface with other organizational IT. IT also needs to make end users aware that they have a part to play, with clear guidelines and procedures around the use of common passwords or uploading company data to SaaS applications without prior approval, and the consequences if they do.

Compliance failure

Another area of risk is data privacy. There is a growing number of international and national regulations in this area, and failure to comply can result in exorbitant fines. Take HIPAA, for example. Healthcare organizations must obtain a business associate agreement from providers who store, create, receive, maintain or transmit PHI. The business associate agreement provides assurances of how the provider will safeguard PHI data. To obtain this agreement, organizations must be aware of all the applications employees are using that store, transmit, create and receive PHI. There are numerous examples of organizations being fined for failing to assess provider risk by obtaining a business associate agreement.

SaaS sprawl

In addition to data security and compliance risks, budget is top of mind for IT and the C-suite. Cloud application sprawl is a common result of shadow SaaS. When individual users sign up to use their own software, redundancies occur, and individual use licenses fail to benefit from economies of scale. Organizations may find they are unwittingly outside of license compliance and facing true-up charges from app providers that have not been budgeted for. This has become a much bigger issue since the advent of fully remote and hybrid work employees. In the same Snow Software survey, 73% of IT leaders told us their SaaS investment had increased in the last 12 months and nearly half said controlling SaaS sprawl is their biggest challenge.

Three steps to reduce your risk

End users with access to the internet can sign up for any SaaS application but there are three ways to increase visibility and reduce your organization’s risk, without impacting productivity.

1. Make it easy for employees

Users are used to going to an app store to get what they need for their phones. Provide a similar experience for employees, so it is easy for them to find what they need from your approved suppliers and request a subscription through your organization. By offering employees a single place to get their applications, you remove the risk of redundant software and add a level of automation to license management. When assigning a license, you can indicate that if it goes unused, it should be automatically reclaimed.

2. Uncover SaaS apps in your organization

You need visibility of the apps in use in order to determine if the application providers have the right level of security controls in place. Leveraging browser extensions on user devices can help you assess SaaS applications, by department use, and by potential risk. Remember that not all software requires a license and using financial data for software inventory alone will not capture free application usage. If you are unable to obtain a discovery technology to uncover shadow SaaS, assess who in your organization has access to sensitive data (engineering teams, analytics, sales and marketing operations, finance, customer service) and talk to those users to find out what applications they are using.
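The discovery step above can be illustrated with a small inventory script. This is an added example, not code from Snow Software or from the article: it assumes a browser extension reports one (user, department, URL) record per page visit (a constructed layout, not any real product's schema), groups those visits into apps, and then checks each app against an approved-supplier list and against what shows up in finance data. Free apps never appear in finance data, which is exactly the gap the article warns about, so the report flags them separately and raises the priority of shadow apps used by departments that handle sensitive data.

```python
"""Shadow SaaS discovery from browser-extension telemetry (constructed example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of what a discovery extension might report: (user, department, url).
# The layout is an assumption for this example; the hosts are fictitious.
SAMPLE_EVENTS = [
    ("alice", "finance", "https://app.crm.example.com/login"),
    ("alice", "finance", "https://sheets.freetool.example/d/abc"),
    ("bob", "engineering", "https://sheets.freetool.example/d/xyz"),
    ("carol", "engineering", "https://notes.pastebox.example/new"),
    ("dave", "marketing", "https://app.crm.example.com/contacts"),
    ("erin", "customer-service", "https://chat.helpdesk.example/inbox"),
    ("erin", "customer-service", "https://notes.pastebox.example/view/7"),
    ("frank", "facilities", "https://fun.quizsite.example/q/1"),
]

# Apps that went through procurement (assumed list for the example).
APPROVED_APPS = {"crm.example.com", "helpdesk.example"}
# Apps with a purchase or license record in finance data (assumed). Free apps never appear here,
# which is why a financial-data-only inventory misses them.
LICENSE_RECORDS = {"crm.example.com", "helpdesk.example"}
# Departments the article names as having access to sensitive data.
SENSITIVE_DEPARTMENTS = {
    "engineering", "analytics", "sales", "marketing", "finance", "customer-service",
}


def app_key(url: str) -> str:
    """Group hosts of one app under a single key.

    Simplification: drop the leftmost label (app., sheets., ...) when the host has more than
    two labels. A production tool would use the public suffix list instead.
    """
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else host


def build_inventory(events):
    """Map each app to the set of users and departments seen using it."""
    inv = defaultdict(lambda: {"users": set(), "departments": set()})
    for user, dept, url in events:
        key = app_key(url)
        inv[key]["users"].add(user)
        inv[key]["departments"].add(dept)
    return dict(inv)


def assess(inventory, approved=APPROVED_APPS, licensed=LICENSE_RECORDS,
           sensitive=SENSITIVE_DEPARTMENTS):
    """Classify every discovered app as approved or shadow and assign a follow-up priority."""
    findings = []
    for app, info in sorted(inventory.items()):
        status = "approved" if app in approved else "shadow"
        touches_sensitive = bool(info["departments"] & sensitive)
        if status == "approved":
            priority = "none"
        elif touches_sensitive:
            priority = "high"  # unvetted provider used by a team that handles sensitive data
        else:
            priority = "medium"
        findings.append({
            "app": app,
            "status": status,
            "users": len(info["users"]),
            "departments": sorted(info["departments"]),
            "in_finance_data": app in licensed,  # False for free apps: invisible to spend-based inventory
            "priority": priority,
        })
    return findings


def shadow_apps(findings):
    """Names of the apps that did not go through procurement."""
    return [f["app"] for f in findings if f["status"] == "shadow"]


if __name__ == "__main__":
    for f in assess(build_inventory(SAMPLE_EVENTS)):
        visible = "yes" if f["in_finance_data"] else "no (free/unlicensed)"
        print(f"{f['app']:<22} {f['status']:<9} priority={f['priority']:<7} "
              f"users={f['users']} depts={','.join(f['departments'])} in finance data: {visible}")
```

The report is the starting point for step 3: each "high" finding names the app, the departments using it and the fact that no license record exists for it, which is the information you need when you sit down with those users.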

3. Open up the conversation

Once you know the applications employees are using, you can have conversations with users about why going outside of policy to use free or licensed applications creates risk for your organization. By opening up the discussion to become a two-way dialogue you will also learn about their requirements and will be better equipped to partner with them on identifying safe solutions.

Without doubt, SaaS use is meeting demand, keeping businesses moving and enabling a new style of working. But with it comes fresh challenges and a need to proactively govern its use. IT teams need to engage their organizations and change how they work to maximize authorized SaaS use, while reducing the risks that shadow SaaS brings.
