8 ways companies can manage risks brought on by the SaaS Tsunami

Every employee is on a mission to find the next SaaS application that will make their job easier.

Credit: Thinkstock
Shadow IT

Every employee is on a mission to find the next SaaS application that will make their job easier. With nothing more than a credit card and an expense report, anyone within the organization can sign up for a new application in minutes.

The problem is that employees are signing up for SaaS apps without the knowledge or permission of their IT administrator. According to Gartner and Cisco, IT pros only know about 7% of the apps in use. That means that within any given organization there are hundreds of unsecured SaaS apps, each a potential entry point for attackers to reach your corporate data.

As the enterprise applications market expands, the number of unmanaged SaaS apps is going to continue to grow, making it increasingly difficult for companies to contain the security and compliance risks. With this in mind, Al Sargent, senior director at OneLogin, provides ways companies can manage the risks brought on by a SaaS Tsunami.

Follow the money

Rather than discouraging employees from purchasing the applications they need to be more efficient, IT should work with finance to create a “SaaS subscription” expense category. IT will then have a better understanding of which cloud apps are in use, so they can be more effective in maintaining and strengthening security.

Build a collaborative culture

Employees are always going to find ways to access their favorite apps, which is why the complete restriction of outside applications is an ineffective way to reduce shadow IT. Instead, IT should be open to employees who request to use new productivity or communication applications -- and offer to put them into a Single Sign-on (SSO) portal for faster access. When employees feel comfortable requesting to use a certain application, and IT makes it easier to access, IT will begin developing a more thorough understanding of which tools they need to secure for professional use.

Secure the premise

Once IT determines which apps are preferred by employees and puts them into an SSO portal, IT needs to begin enforcing strong authentication: policies around password complexity, rotation, and uniqueness, as well as multi-factor authentication (MFA). An SSO portal should be part of a larger identity and access management (IAM) solution that allows companies to monitor who is accessing which applications while ensuring each employee only has access to the apps and information they need to do their job.

Deploy user and entity behavior analytics

IT should integrate their IAM with a cloud access security broker (CASB) to look for anomalous behavior at their company; for instance, one identity accessing an app from two different countries. This way, when a CASB detects one of these behaviors, it can automatically take appropriate steps, including requiring MFA, terminating a session, forcing a password reset, and/or disabling an account.
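The "one identity, two countries" case above is the classic impossible-travel check that a CASB or UEBA tool runs over sign-in events. The following is an added example, not OneLogin's or any CASB's code: it computes the travel speed implied by consecutive sign-ins of the same identity and flags any pair that exceeds an assumed threshold. The events, coordinates and the 900 km/h threshold are constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real log data):
# (user, UTC timestamp, country code, latitude, longitude)
SAMPLE_EVENTS = [
    ("alice", "2024-03-01T09:00:00", "US", 40.7128, -74.0060),
    ("alice", "2024-03-01T09:45:00", "DE", 52.5200, 13.4050),
    ("bob",   "2024-03-01T08:00:00", "GB", 51.5074, -0.1278),
    ("bob",   "2024-03-01T20:00:00", "FR", 48.8566, 2.3522),
]

# Assumed threshold: anything faster than a commercial flight is not plausible travel.
MAX_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_country, to_country, speed_kmh) for each pair of
    consecutive sign-ins by one identity from different countries whose
    implied speed exceeds max_speed_kmh. Same-country pairs are skipped."""
    by_user = {}
    for user, ts, country, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), country, lat, lon))
    alerts = []
    for user, rows in by_user.items():
        rows.sort()  # chronological order per identity
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(rows, rows[1:]):
            if c1 == c2:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, c1, c2, round(speed)))
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", alert)
```

Each alert is the trigger for the automated responses the text lists (step-up MFA, session termination, password reset, account disablement); which one to apply is a policy decision layered on top of this detection.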

Track app usage

With hundreds of unmanaged apps in use, it’s not rare for former employees to maintain access to company information without the knowledge or consent of the IT department. Roughly 10% of former employees can access accounts of their former employers. For this reason, IT should connect their IAM to a security information and event management (SIEM) system to monitor for unauthorized user access to apps, and ensure that only authorized users have access to company apps.

Implement HR-driven IDaaS

Further, IT and HR departments should work together to create an application deprovisioning plan for when employees leave the company, which includes HR-driven IAM. Once implemented, when HR changes an employee’s status to “departed” in the HR information system, the IAM automatically picks up these changes and revokes access to applications. This reduces the chances that any accounts are missed.
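The two previous steps, monitoring access by former employees and HR-driven deprovisioning, come down to one reconciliation: HR status is the source of truth, IAM assignments are adjusted to match it, and SIEM access events are checked against both. The following is an added illustration, not OneLogin's or any IDaaS product's code; the HR feed, app assignments and access events are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data (not real records).
HR_FEED = {"alice": "active", "bob": "departed", "carol": "departed"}
IAM_ASSIGNMENTS = {
    "alice": {"crm", "chat"},
    "bob": {"crm", "storage"},
    "carol": {"chat"},
}
ACCESS_EVENTS = [  # (user, app) as reported by the SIEM
    ("alice", "crm"),
    ("bob", "storage"),   # departed employee still reaching an app
    ("dave", "storage"),  # identity with no HR record at all
]


@dataclass
class ReconcileResult:
    revoke: dict = field(default_factory=dict)        # user -> apps to revoke
    unauthorized: list = field(default_factory=list)  # (user, app, reason)


def reconcile(hr_feed, assignments, access_events):
    """Derive revocations from HR status and flag access events that
    no current, assigned employee should have generated."""
    result = ReconcileResult()
    for user, status in hr_feed.items():
        if status == "departed" and assignments.get(user):
            result.revoke[user] = set(assignments[user])
    for user, app in access_events:
        status = hr_feed.get(user)
        if status is None:
            result.unauthorized.append((user, app, "no HR record"))
        elif status == "departed":
            result.unauthorized.append((user, app, "departed user"))
        elif app not in assignments.get(user, set()):
            result.unauthorized.append((user, app, "not assigned"))
    return result


def apply_revocations(assignments, result):
    """Return a copy of the assignments with departed users' apps removed."""
    updated = {u: set(a) for u, a in assignments.items()}
    for user, apps in result.revoke.items():
        updated[user] -= apps
    return updated


if __name__ == "__main__":
    r = reconcile(HR_FEED, IAM_ASSIGNMENTS, ACCESS_EVENTS)
    print("revoke:", r.revoke)
    print("unauthorized access:", r.unauthorized)
```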

Apply app control

While encouraging employees to bring forward their SaaS applications is a crucial step in reducing shadow IT, not every app is appropriate for exchanging and accessing company data. OAuth apps are especially challenging, since their streamlined user experience makes them easy to adopt. Yet some request extensive authorization scope, such as the ability to completely modify all of a user’s files, which can easily become an attack vector. IT should use a CASB to track OAuth app usage, and block apps with excessive authorization scope.

Data prioritization

Although you’ve taken the necessary steps to manage the SaaS Tsunami, shadow IT will always be a risk factor. Determine your 25 most sensitive data assets, know who and which applications can access these data sets, and monitor them regularly with your IAM and CASB solutions to look for anomalous behavior.