How to Avoid a SaaS Security Disaster

Properly managed, the combination of shadow IT and SaaS can make companies more agile and competitive. But the security risk is very real.


IBM and IDG Content

Software-as-a-service (SaaS) and shadow IT feed each other. Individual business units can sign up for cloud-based SaaS offerings without purchasing or deploying any hardware and, often, without consulting their corporate IT department at all.

The ease and speed of SaaS adoption can deliver real business benefits, including greater business unit agility and faster innovation. But uncoordinated SaaS adoption can also expose a company to significant security risk. All too often, employees place sensitive data in a cloud service without any knowledge of the provider's security posture or of how it handles, stores and shares that data.

Many organizations are only belatedly recognizing that they need to manage these SaaS-related risks. One possible approach is to clamp down hard on shadow IT deployments, but that strategy is difficult to police and it undermines the very benefits that shadow IT delivers.

Indeed, a recent IDG/IBM survey of 200 organizations with revenues of $500 million or more found only 20% of the respondents want to prevent shadow IT. By comparison, 41% would like to better control and manage shadow IT, and 39% want to embrace the practice and capitalize on its efforts and accomplishments.

The Solution to SaaS Security

With shadow IT here to stay, organizations that want to assess their exposure to SaaS-related security risks need to start by surveying the SaaS usage across their employee base. This assessment may prove to be eye-opening. In late 2016, Skyhigh Networks, a vendor of cloud access security brokers and other cloud security services, surveyed the activity of more than 30 million users at more than 600 of its enterprise customers. It found that the average company was using 1,427 cloud services and was uploading 18.5 TB of data to cloud applications each month.

Fortunately, determining SaaS usage across an organization isn't as challenging as it might seem. Discovery tools of this kind work from the web proxy, firewall and DNS logs an organization already collects, matching outbound destinations against a catalog of known cloud services; IBM, for example, offers a tool, Cloud Discovery App for QRadar, that detects and reports this usage. Organizations can also require that employees report their own SaaS usage, while educating them about the importance of this self-governance. Neither source is complete on its own: log-based discovery only sees traffic that crosses the corporate egress, and self-reporting depends on employees remembering and being willing to disclose, so the two should be combined.
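The log-based discovery described above, as an added example written for this page rather than code from IBM, QRadar or any other product. It parses a constructed proxy log in an assumed space-separated format, matches each destination host against a small constructed SaaS catalog (the real ones run to thousands of entries), and reports unsanctioned services ordered by the volume of data uploaded to them. The catalog, the sanctioned flags, the log lines and the log format are all assumptions made for the example.

```python
"""Shadow-IT discovery from web proxy logs.

Added example (not IBM's Cloud Discovery App nor any product's code): it
maps egress log entries to a SaaS catalog, aggregates who uses which
service and how much data leaves, and lists unsanctioned services by
upload volume. Log format, catalog and sanctioned flags are assumptions.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed catalog: registrable domain -> (service name, sanctioned?).
# The sanctioned flag stands in for an organization's approved-vendor list.
SAAS_CATALOG = {
    "salesforce.com": ("Salesforce", True),
    "box.com": ("Box", True),
    "dropbox.com": ("Dropbox", False),
    "wetransfer.com": ("WeTransfer", False),
    "trello.com": ("Trello", False),
}

# Constructed proxy log in an assumed space-separated format:
# timestamp user src_ip method url bytes_out bytes_in
SAMPLE_LOG = """\
2017-03-01T09:12:03Z alice 10.1.4.22 POST https://app.box.com/api/2.0/files/content 5242880 512
2017-03-01T09:13:41Z bob 10.1.4.31 GET https://login.salesforce.com/ 1024 40960
2017-03-01T09:20:05Z alice 10.1.4.22 POST https://www.dropbox.com/upload 10485760 256
2017-03-01T09:31:17Z carol 10.1.4.40 POST https://wetransfer.com/api/v4/transfers 734003200 1024
2017-03-01T09:45:52Z bob 10.1.4.31 POST https://www.dropbox.com/upload 2097152 128
2017-03-01T09:50:09Z dave 10.1.4.45 GET https://trello.com/b/abc123/board 512 20480
2017-03-01T09:58:33Z dave 10.1.4.45 POST https://paste.example.org/api/create 300 9000
2017-03-01T10:01:00Z eve 10.1.4.50 POST
"""


@dataclass
class ServiceUsage:
    name: str
    sanctioned: bool
    users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0   # bytes uploaded to the service
    bytes_in: int = 0    # bytes downloaded from it


def classify_host(host, catalog=SAAS_CATALOG):
    """Return (service, sanctioned) for a hostname, or None if uncatalogued.

    Matching on "." + domain rather than a bare suffix keeps
    www.dropbox.com from being attributed to box.com.
    """
    for domain, entry in catalog.items():
        if host == domain or host.endswith("." + domain):
            return entry
    return None


def discover(log_text, catalog=SAAS_CATALOG):
    """Aggregate proxy log lines into per-service usage records."""
    usage = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # malformed or truncated entry: skip rather than guess
        _ts, user, _src_ip, _method, url, bytes_out, bytes_in = parts
        host = urlsplit(url).hostname
        if not host:
            continue
        match = classify_host(host, catalog)
        if match is None:
            # Unknown destinations are the interesting ones for shadow IT:
            # keep them, unsanctioned, keyed by hostname for follow-up.
            name, sanctioned = "unknown (%s)" % host, False
        else:
            name, sanctioned = match
        rec = usage.setdefault(name, ServiceUsage(name, sanctioned))
        rec.users.add(user)
        rec.hosts.add(host)
        rec.requests += 1
        rec.bytes_out += int(bytes_out)
        rec.bytes_in += int(bytes_in)
    return usage


def unsanctioned_uploads(usage, min_bytes_out=0):
    """Unsanctioned services ordered by upload volume, largest first."""
    rows = [
        (rec.name, rec.bytes_out, sorted(rec.users))
        for rec in usage.values()
        if not rec.sanctioned and rec.bytes_out >= min_bytes_out
    ]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    found = discover(SAMPLE_LOG)
    print("%d distinct services seen" % len(found))
    for name, bytes_out, users in unsanctioned_uploads(found):
        print("%-30s %12d bytes out  users=%s" % (name, bytes_out, ",".join(users)))
```

Ranking by bytes uploaded rather than by request count is deliberate: the exposure the survey figures point at is data leaving the organization, and a single large transfer to an uncatalogued host matters more than hundreds of page views on a sanctioned service. The malformed final line is dropped instead of being partially parsed, so a truncated log cannot silently inflate or misattribute a count.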

More challenging than surveying the SaaS activity throughout a company, however, is assessing the security risk of each of the thousands of SaaS offerings that exist today. A starting point is to look for the security certifications a SaaS provider has achieved. The Cloud Security Alliance, for example, provides multiple assurance levels, from vendor self-assessment to third-party audit, as part of its CSA Security, Trust & Assurance Registry (STAR) program. A certification attests to a provider's controls at the time of assessment; it does not replace reviewing the provider's data handling terms against the sensitivity of the data employees are actually sending it.

To keep pace with ever-evolving threats, organizations also need threat intelligence services that continuously monitor the web for cyberattacks, suspect IP addresses, malware, and other dangers, so that a SaaS destination that was clean when it was approved is flagged when it is later compromised or abused. IBM's X-Force service, for example, tracks approximately 860,000 malicious IP addresses, monitors 270 million endpoints for malware, and identifies 8 million spam and phishing attacks daily.

Properly managed, the combination of shadow IT and SaaS can make companies more competitive, increase innovation, and empower agility. Left to its own devices, however, this potent combination can prove a very dangerous mix.
