What is a SaaS Inventory and why is it of rising importance?

On average, organizations use hundreds or even thousands of cloud web apps (SaaS or other web-based apps and cloud services). Without dedicated tools, it’s impossible to keep track of such numbers, which can quickly result in security risks, compliance issues, overhead costs, and a management nightmare in general! This is what is called Shadow IT. A cloud web application is different from a simple website in that it requires an account to access the platform. This can be SaaS software, a web service, or any kind of web-based application.

To have full visibility into Shadow IT and the SaaS cloud-based web apps used by employees, three levels of intelligence should be gathered:

  • App-level Cloud Web App and SaaS inventory
  • Account-level Cloud Web App and SaaS inventory
  • Person-level Cloud Web App and SaaS inventory

At Scirge, this is what we call the 3-dimensional inventory, or the cloud footprint of the organization. Scirge transparently provides this without any user interaction using centrally-managed policies – ensuring that no private information is collected or monitored.

Why is it important to have an inventory of SaaS and cloud web services?

There are many reasons:

  • Having a central inventory of all cloud web apps used by employees can help mitigate Shadow IT risks and reduce credential-related threats such as password reuse and account takeover.
  • The organization-wide SaaS inventory can help with employee onboarding and offboarding (i.e., when an employee leaves, the tools they used can be quickly enumerated, so that access can be terminated on third-party web apps as well).
  • Web applications that are hosted in risky or unregulated regions should not be used to process sensitive corporate data.
  • Cloud web apps and SaaS services with bad certificate settings, blacklisted domains, or otherwise untrusted reputation should not be allowed. These are fairly common with the long tail of SaaS web apps used within organizations.
  • When employees use overlapping services (either free or paid), it creates inefficiencies and non-standard business processes. Shadow IT discovery can help to streamline internal procedures and policies.
  • Business-critical tools, services, and accounts should be considered for business continuity and disaster recovery.
  • Compliance and regulatory guidelines such as Zero Trust or CIS require an inventory of all enterprise assets, including apps, accounts and identities. This includes both SaaS and cloud-based web services. For this, a cloud web app and SaaS inventory is needed that can only be gathered using a continuous and automated Shadow IT discovery policy.

App-level Cloud Web App and SaaS Inventory

This layer of intelligence provides information about the web applications used within the organization. Here, it’s crucial to go beyond a simple domain or URL list as that alone will not provide the granularity of information to make business decisions. Existing IT infrastructure elements are very limited when it comes to this as they lack deep visibility, especially in relation to Shadow IT services. For instance, a web proxy might log the web usage, perhaps along with a URL category, but that alone is not enough.

The Scirge platform can detect where employees use corporate emails as credentials to log in or register on websites. Scirge doesn’t rely on databases or lists of well-known apps, so it can detect any third-party web application, even a fully custom, in-house built one. This is what is called true Shadow IT discovery. Scirge also gathers valuable information locally by analyzing the visited websites and shows it in the form of metadata. This can include the title and description of the web apps, automatically collected privacy policies, terms and conditions, and social links. It can be further enhanced with Scirge Horizon Cloud Intelligence to check for potential issues such as SSL certificate issues, domain age, and web server location.

Scirge shows the accounts for each web app, along with usage statistics and timestamps. Scirge also shows the people who accessed the given web app using any of the accounts.

Account-level Cloud Web App and SaaS Inventory

The accounts layer of intelligence shows the exact details of each and every account that was used to register or log in to any third-party web app. With this information, Scirge not only shows what apps are used but can also go a level deeper, showing the parameters of the accounts, including the email address, the app URL, the login domain, usage statistics and timestamps. Shadow IT accounts can be revealed automatically using centrally managed policies. Password hygiene checks can run automatically to detect weak passwords, passwords on a custom blacklist, and passwords that don’t comply with the custom-defined password complexity requirements. Password reuse detection happens automatically, including the detection of corporate password reuse (Active Directory/LDAP). Using Horizon Cloud Intelligence further enhances this with common and breached password detection capabilities.

Person-level Cloud Web App and SaaS Inventory

The people layer of intelligence completes the 3-dimensional cloud-based web app & SaaS inventory. With person-level information, Scirge can show the accounts and apps used by each employee with detailed information such as account and app details, usage statistics and timestamps. Having this level of information also helps to pinpoint a myriad of other potential issues and Shadow IT risks, such as shared accounts, identity misuse, and corporate (AD/LDAP) password reuse, just to name a few. The person-level cloud-based web app and SaaS inventory can also help with internal and external audits, as it’s just a matter of a few clicks to gather the information on what web apps were used by a given employee using corporate accounts.
