The Top 3 Problems Cloud-first Organizations Face Every Day When Using SaaS Software
In recent years, businesses have begun to adopt a cloud-first approach with increasing frequency when it comes to IT technologies. The major driving forces behind this change are the ease of use, availability, scalability, and cost-effectiveness of this approach. The sheer number of cloud services on the market has led to different categories that help users understand the nature of a given service. Some of the most renowned categories include SaaS (Software as a Service), IaaS (Infrastructure as a Service), PaaS (Platform as a Service), FaaS (Functions as a Service), and DaaS (Data as a Service). While all of the aforementioned models are popular, SaaS most likely comes to mind when one thinks about cloud software. This is the category that the majority of companies and employees work with directly.
As one might imagine when considering its popularity, there are many benefits to using SaaS apps. For the most part, SaaS is incredibly easy to set up; generally, only a simple registration and a credit card are necessary to begin using the software. Depending on the type of software, SaaS might require some type of integration with other systems. However, there is usually nothing to install on-premise.
Furthermore, SaaS can be cost-effective, especially in the short-term. Usually, the upfront cost is low or even zero. What’s more, the maintenance and deployment costs are usually much lower compared to an on-premise solution—however, mid or long-term TCO calculations might paint a different picture. With SaaS, there is not much to configure locally. Many times, the decision about which software to use happens on an individual or department level rather than going through the corporate procurement process.
SaaS’ built-in scalability and availability is also a big plus. As the business—or simply the usage of the app—grows, most SaaS apps are ready to accommodate the increased demand. The vast majority of the SaaS players also leverage cloud technologies to run their services on, which can result in a very high level of SLA when it comes to availability.
It’s clear to see that SaaS apps and cloud technologies provide many advantages over a traditional on-premise approach. However, despite the clear benefits, there are also many difficulties that SaaS app usage can cause organizations.
SaaS presents three major problems for organizations.
1. You don’t know what you don’t know.
As mentioned earlier, it’s very quick and easy to begin using cloud-based software. Any employee with a corporate email address can register and start to explore the possibilities of the service. This very simplicity presents a problem for the organization. It’s very possible that an employee could “go rogue” and sign up for the service without the organization’s knowledge or consent. As these SaaS apps are not under centralized IT management, the accounts created there are unknown and unmanaged, too. Some services offer Single Sign-On or similar features to integrate with centralized identity management systems; however, the vast majority of services either don’t offer this at all or only at a substantial extra cost.
This raises quite a few questions:
- What happens if the employee leaves the company? They might still have access to software and services that might store or process sensitive information.
- What data is stored on the platform, and how is it processed or shared? If the use of the software is unknown from an organization’s point of view, there is almost zero chance for the company to properly manage the relevant data usage policies.
- What policies and agreements does the SaaS vendor provide? Privacy policies, data handling, regulatory policies, third-party sharing, and SLAs all matter. This is especially important with the introduction of broad regulations such as the GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).
With this information in mind, just how big is this issue?
Every organization is different, and the scale of this issue depends on the company’s size and business profile. In general, this is considered a major problem, yet it might currently be unknown or swept under the rug. According to different reports, an employee has access to tens of such cloud applications, while companies use hundreds of cloud apps on average. In the case of an enterprise, this can range to thousands of cloud apps, all presenting issues in regards to company data management and privacy. This means that even smaller organizations can face these large-scale problems, accumulating thousands of online business web accounts, and large enterprises can have tens of thousands such accounts.
2. Management nightmare.
Even if a company hasn’t fully realized the large challenges and risks presented by SaaS accounts, it might instead face SaaS-related management issues on a day-to-day basis. Sooner or later, users will present questions or requests related to a given service. Managing such requests can be problematic if the service or software in question is barely known by the IT department. Common user inquiries involve potential login issues, integration help, and usability questions, just to name a few.
There might also be other requirements to create an inventory of these services, even if they are free and don’t directly cost the organization a penny. For instance, if an audit requires you to list the online web applications along with their nature, policies, and agreements, manually gathering this information is an extremely time-consuming and sometimes impossible task.
It’s also appropriate to mention an earlier question: what happens if an employee leaves the company? It’s a fairly easy process to disable the employee’s account in the central IT systems such as the Active Directory, email servers, etc. However, what about those third-party web apps? How will the administrator accurately determine what services the employee had access to?
Most of these accounts are created ad-hoc and on-demand by the employees themselves. The vast majority of such accounts are used for short periods before being left unused and unmonitored forever, which further increases the management overhead. On top of all of this, these accounts are often shared among employees, creating ownership and accountability issues.
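The two questions above (which SaaS apps are in use, and which ones a departing employee still has access to) can be approached with a simple discovery heuristic. The following is an added example, not code from the article or from Scirge: it scans a mail-gateway log for sign-up style messages (welcome, verify, confirm) sent to corporate addresses, builds a per-employee inventory of third-party accounts, and produces an offboarding checklist. The log format and all sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample mail-gateway log (recipient, sender, subject); not real data.
MAIL_LOG = """\
2024-03-04 09:12:01 to=alice@example.com from=no-reply@notes-app.example subject="Welcome to NotesApp! Confirm your email"
2024-03-04 09:40:17 to=bob@example.com from=billing@crm-tool.example subject="Your invoice for March"
2024-03-05 11:05:44 to=alice@example.com from=verify@design-suite.example subject="Verify your email address"
2024-03-05 14:22:09 to=carol@example.com from=team@notes-app.example subject="Welcome aboard"
2024-03-06 08:01:30 to=alice@example.com from=newsletter@news.example subject="Weekly digest"
2024-03-06 16:47:12 to=alice@example.com from=no-reply@notes-app.example subject="Reset your password"
"""

LINE_RE = re.compile(
    r'to=(?P<to>\S+) from=\S+@(?P<domain>\S+) subject="(?P<subject>[^"]*)"'
)
# Subject fragments that typically accompany a fresh registration (heuristic, assumed here).
SIGNUP_HINTS = ("welcome", "confirm your email", "verify your email", "activate your account")


def parse_log(text):
    """Yield (recipient, sender_domain, subject) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("to"), m.group("domain"), m.group("subject")


def discover_accounts(text):
    """Map each employee address to the SaaS domains that sent a sign-up style message."""
    accounts = defaultdict(set)
    for to, domain, subject in parse_log(text):
        s = subject.lower()
        if any(hint in s for hint in SIGNUP_HINTS):
            accounts[to].add(domain)
    return accounts


def offboarding_checklist(accounts, employee):
    """Third-party services to deprovision when `employee` leaves, sorted for review."""
    return sorted(accounts.get(employee, ()))


def app_usage(accounts):
    """Domain -> number of employees with an account there; sizes the shadow-SaaS footprint."""
    usage = defaultdict(int)
    for domains in accounts.values():
        for d in domains:
            usage[d] += 1
    return dict(usage)
```

Password-reset and billing mail is deliberately ignored so that an already-inventoried service is not double-counted and unrelated vendors do not pollute the list.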
3. Passwords, passwords, passwords.
The use of SaaS accounts presents many direct IT security risks as well, the largest and scariest problem being passwords. Let’s be honest—users don’t like passwords, especially complex passwords. As a result, they tend to use weak passwords or reuse corporate credentials when they create or update their accounts. For the latter, the rationale from their point of view might be that they consider this access to be corporate in nature, so they use the same password as the one they used for their corporate email, VPN, etc. Even if they do their best to use unique and complex passwords, billions of accounts are breached every year.
The SaaS market is extremely competitive, and most SaaS vendors’ development processes are feature-driven, while security is only secondary at best. Of course, there are many vendors who put more effort into the security of their infrastructure and product. Even if that’s the case, vulnerabilities—even zero-day ones—exist, which hackers can take advantage of to gather login information and other sensitive data. Breaches and password reuse are the main culprits for account takeover (ATO) attacks, as leaked credentials can be used to gain unauthorized access to corporate resources.
Credential-related threats and attacks are among the most widely used vectors by attackers. This has been proven true countless times by research and reports in the industry. Credential stuffing is one of these techniques: stolen or otherwise compromised account credentials—typically in a database or list format—are used to gain unauthorized access to resources using highly scalable automation processes. For instance, an Akamai report in 2017 says:
43% of all logins seen by Akamai were attempts to log in to an account using password guessing or account details gathered from elsewhere on the Internet.
Or, in Verizon’s most recent Data Breach Investigations Report, the use of lost or stolen credentials is at the top of the list:
Over 80% of breaches within hacking involve brute force or the use of lost or stolen credentials.
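Credential stuffing as described above leaves a recognisable trace in authentication logs: one source trying many different accounts in a short window, with the occasional success where a password was reused or leaked. The following is an added example, not code from the article or from Scirge, of a detector over such logs; the log format, the source addresses and the five-minute/five-account thresholds are assumptions for the example, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: timestamp, source IP, account, outcome (not real data).
AUTH_LOG = """\
2024-03-10T10:00:01 203.0.113.7 alice@example.com FAIL
2024-03-10T10:00:02 203.0.113.7 bob@example.com FAIL
2024-03-10T10:00:02 203.0.113.7 carol@example.com FAIL
2024-03-10T10:00:03 203.0.113.7 dave@example.com FAIL
2024-03-10T10:00:04 203.0.113.7 erin@example.com FAIL
2024-03-10T10:00:05 203.0.113.7 frank@example.com SUCCESS
2024-03-10T10:05:00 198.51.100.4 alice@example.com FAIL
2024-03-10T10:05:30 198.51.100.4 alice@example.com SUCCESS
"""


def parse_auth_log(text):
    """Return a list of (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag IPs that touched at least `min_accounts` distinct accounts within `window`.

    Many accounts from one source is the signature of a list-driven run; a single
    user retrying their own password (198.51.100.4 above) does not trip the rule.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, _ in events:
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):          # sliding time window over this IP's attempts
            while hits[end][0] - hits[start][0] > window:
                start += 1
            seen = {acct for _, acct in hits[start:end + 1]}
            if len(seen) >= min_accounts:
                flagged[ip] = seen
                break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source: likely ATO candidates."""
    return sorted({a for _, ip, a, o in events if o == "SUCCESS" and ip in flagged})
```

In practice the thresholds need tuning per service, and successes from a flagged source are the accounts to force a password reset on first.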
Despite these risks, the use of cloud-based business software and services is not discouraged. According to the trends, this is the direction in which organizations are headed. The key takeaway is that when the cloud-first approach is adopted, it must be supported with proper management processes, protocols, and security practices, including discovery and regular audits.
Scirge provides a unique approach to unveil and gain control over unmanaged third-party web accounts. Scirge tracks the websites employees use corporate email addresses to register on and log in to. Having a central dashboard of discovered accounts helps to reduce the risk of credential-related threats such as password reuse or account takeover (ATO). Scirge gives a level of control over SaaS usage to overcome Shadow IT. It also helps to ensure that your company complies with GDPR, CCPA, and other audit requirements.