Mar 04, 2023, The Hacker News
This past January, a SaaS Security Posture Management (SSPM)
company named Wing Security (Wing) made waves with the launch of its free SaaS-Shadow IT discovery
solution[1]. Cloud-based companies
were invited to gain insight into their employees’ SaaS usage
through a completely free, self-service product that operates on a
“freemium” model. If a user is impressed with the solution and
wants to gain more insights or take remediation action, they can
purchase the enterprise solution.
“In today’s economic reality, security budgets have not
necessarily been cut down, but buyers are far more careful in their
purchasing decisions and rightfully so. We believe that you cannot
secure what you do not know, so knowing should be a basic
commodity. Once you understand the magnitude of your SaaS attack
layer, you can make an educated decision as to how you are going to
solve it. Discovery is the natural and basic first step and it
should be accessible to anyone,” said Galit Lubetzky Sharon, Wing’s
Co-Founder and CTO.
The company reported that within the first few weeks of
launching, over 200 companies enrolled in its self-service free discovery tool[2], adding to the company’s
existing customer base. It recently released a short report on the findings[3] from hundreds of
companies that revealed their SaaS usage, and the numbers are
unsettling.
The Tangible Risks of Growing SaaS Usage
In 71.4% of companies, employees use an average of 2.4 SaaS
applications that have been breached in the past three months. On
average, 58% of SaaS applications are used by only one employee. A
quarter of organizations’ SaaS users are external. These numbers,
along with other interesting data, are found in the company’s
report, along with explanations as to why they believe this is the
case and the risks that should be taken into consideration.
SaaS usage is often decentralized and difficult to govern, and
its advantages can also pose security risks when ungoverned. While
IAM/IM systems help organizations regain control over a portion of
their employees’ SaaS usage, this control is limited to the
sanctioned SaaS applications that IT/Security knows about. The
challenge is that SaaS applications are often onboarded by
employees without involving IT or security teams. In other words,
this is SaaS Shadow IT. This is especially true for many SaaS
applications that don’t require a credit card or offer a free
version.
The common scenario is that of an employee, often remote,
looking for a quick solution to a business problem. The solution is
often an application that the employee found online, granted
permissions to (these can be read and write permissions, or even
execute), and then completely forgot about. This can lead to
several security risks.
SaaS-related risks can be categorized into three
different types:
Application-related
Examples include risky applications with a low security score,
indicating a higher probability that they are vulnerable, and
applications that have recently been compromised yet still hold
permissions to the organization’s data, immediately exposing that
data. In its free solution, Wing attaches a security score to each
application found and alerts users to the risky applications in
their SaaS stack.
Other examples of the risks that SaaS applications inherently
bring include third-party SaaS applications, those that “piggyback”
off the known and approved SaaS, and applications that were granted
high permissions that are rarely needed. According to Wing, 73.3% of
all permissions that users granted to applications had not been
used in over 30 days. This raises the question: why leave open
doors into your organization’s data when you are not even using the
application that is asking for them?
User-related
One cannot ignore the human factor. After all, SaaS is often
onboarded directly by the employee using it. They are the ones
granting permissions, and they are not always aware of what those
permissions mean. Here too Wing’s free solution offers some assistance:
for the first 100 applications found, Wing provides a list of the
users who use them. For full information on who the users are,
which users are external, and inconsistent user behavior across
applications, Wing offers its enterprise edition.
Data-related
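The application-related and user-related risks described above (stale grants, write or execute scopes, recently breached apps, single-user apps, external users) can be expressed as a simple audit over an inventory of third-party app grants. The Python below is an added example, not Wing's code or product; the inventory rows, app names, scope names and the 30- and 90-day windows are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): one row per (app, user) grant,
# with the scopes the user approved, when the grant was last exercised, and
# the date of the app's last known breach, if any.
TODAY = date(2023, 3, 4)
GRANTS = [
    {"app": "NoteSync", "user": "alice@corp.example", "external": False,
     "scopes": ["files.read", "files.write"], "last_used": date(2023, 3, 1),
     "breached_on": None},
    {"app": "NoteSync", "user": "bob@corp.example", "external": False,
     "scopes": ["files.read"], "last_used": date(2023, 1, 10), "breached_on": None},
    {"app": "QuickPDF", "user": "carol@corp.example", "external": False,
     "scopes": ["files.read", "files.write", "script.execute"],
     "last_used": date(2022, 12, 20), "breached_on": date(2023, 2, 15)},
    {"app": "PollBot", "user": "dan@partner.example", "external": True,
     "scopes": ["chat.read"], "last_used": date(2023, 3, 3), "breached_on": None},
]

def stale_grants(grants, today=TODAY, days=30):
    """Grants whose permissions have not been exercised in `days` days."""
    cutoff = today - timedelta(days=days)
    return [g for g in grants if g["last_used"] < cutoff]

def high_risk_stale(grants, today=TODAY):
    """Stale grants that also carry write or execute scopes: open doors nobody uses."""
    return [g for g in stale_grants(grants, today)
            if any(s.endswith((".write", ".execute")) for s in g["scopes"])]

def recently_breached(grants, today=TODAY, days=90):
    """Apps breached inside the window that still hold live grants into our data."""
    cutoff = today - timedelta(days=days)
    return sorted({g["app"] for g in grants
                   if g["breached_on"] and g["breached_on"] >= cutoff})

def single_user_apps(grants):
    """Apps used by exactly one person: the typical unsanctioned shadow-IT pattern."""
    users = {}
    for g in grants:
        users.setdefault(g["app"], set()).add(g["user"])
    return sorted(app for app, u in users.items() if len(u) == 1)

def external_user_share(grants):
    """Fraction of distinct SaaS users who are external to the organization."""
    users = {(g["user"], g["external"]) for g in grants}
    return sum(1 for _, ext in users if ext) / len(users)
```

Each function returns the grants or apps to review, so the output can feed a ticketing or revocation workflow rather than only a report.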
The risks associated with data security are vast, and a whole
category of products deals with them, such as DLPs and DSPMs.
However, when it comes to the SaaS applications that employees use,
data-related issues range from sensitive files being shared on
applications that are not meant for file sharing, to secrets shared
on public channels (Slack is a common example), to the massive
number of files that employees share externally and then forget
about, leaving that external connection wide open. Keeping a clean
SaaS environment consists not only of maintaining the applications
and users, but also of managing the information that resides in and
between these applications.
In conclusion, SaaS-Shadow IT discovery has become a critical
area of concern for IT and security teams, as the usage of SaaS
applications continues to grow rapidly. While SaaS applications
offer numerous benefits to businesses, they also pose significant
security risks when ungoverned. These risks include the use of
breached applications, granting excessive permissions, user
inconsistencies, and data security issues.
It is crucial for organizations to have visibility into their
employees’ SaaS usage to make informed decisions and take remedial
actions to mitigate these risks. In 2023, the expectation is that
basic SaaS-Shadow IT discovery should no longer come at a cost, as
it should be a fundamental commodity for organizations aiming to
secure their SaaS environment.
References
[1] Launch of its free SaaS-Shadow IT discovery solution (thehackernews.com)
[2] Self-service free discovery tool (wing.security)
[3] Short report on the findings (wing.security)
[4] Twitter (twitter.com)
[5] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/03/security-and-it-teams-no-longer-need-to.html
