The explosion of Software-as-a-Service (SaaS) apps we’re witnessing is in response to many companies needing to find ways of dealing with the challenges of remote workers and organizing more and more data and information.
Organizations are using all kinds of SaaS apps to fill every gap and every need, sometimes without regard to security and best practices.
In this article, we’ll look at the current SaaS explosion, the associated security risks, and why leveraging a SaaS management platform like BetterCloud is an ideal way to tackle those unique challenges.
Content Summary
- Understanding the SaaS Explosion
- Discovering Your SaaS Environment
- Crunching Some (Surprisingly High) Numbers
- The Need to Secure SaaS
- The Threats of Shadow IT
- The Birth of SaaSOps
- Efficiently Managing SaaS
- The World of SaaS Automation Platforms
- Best Practices for SaaS Operations
As former Microsoft CTO Nathan Myhrvold once said, “Software is a gas; it expands to fill its container.” The explosion of Software-as-a-Service (SaaS) apps we’re witnessing is proving the truth of this statement. Organizations are using all kinds of SaaS apps to fill every gap and every need, sometimes without regard to security and best practices.
The situation is even more out of control now that remote working and Bring Your Own Device (BYOD) practices are becoming the norm. In this white paper, we’ll look at the current SaaS explosion, the associated security risks, and why leveraging a SaaS management platform like BetterCloud is an ideal way to tackle those unique challenges.
Understanding the SaaS Explosion
The ease of use of SaaS has been compared to the proliferation of video streaming services. Like video streaming services, SaaS apps generally come at very affordable prices, they’re very easy to purchase and start using, and fill every possible niche. They’re also customer-centric solutions that quickly provide the right answer to all those questions that come up on the spot.
However, SaaS applications are often surprisingly hard to manage—and can rapidly become a pretty serious issue when their numbers become too large.
But before delving deeper into all the challenges of dealing with the SaaS explosion, here’s a deep-dive analysis of why SaaS applications are so popular, as well as some of the top advantages to using them.
- Highly scalable: SaaS apps are among the most easily scalable options for enterprises of any size. Do you need an extra user in your video conferencing app? Easy-peasy. Do you want to add a few more seats for your remote IT monitoring tools? You’re just a few clicks away from adding them.
- Very affordable: One of the reasons why SaaS apps are so popular is that an organization doesn’t need to deal with large upfront costs to implement them. All of the core functions are often available with a small recurring fee. You don’t need that app anymore? You simply stop paying for it.
- Simple to implement: There’s no more need to fiddle with CDs and activation keys, check compatibility with your infrastructure, or set up on-prem servers. You can just use them right away. Also, SaaS apps are OS-agnostic: they run in a browser, so they just work, no matter what operating system you are running.
- No need to manually update them: How many security guides list “keeping your software updated” among their best practices? We all do that all the time, but it still is a big chore, isn’t it? SaaS apps are constantly updated by their developers, which means that you don’t have to worry about those annoying unpatched security vulnerabilities. Also, if a new interesting functionality comes up, you usually don’t need to buy an update – you just reap its benefits once it’s available.
Discovering Your SaaS Environment
There’s a decent chance that you aren’t aware of every application that’s in your SaaS environment. In order to maintain productivity during the pandemic, SaaS almost became a requirement for organizations around the world, all of whom needed to pivot quickly to enable their employees to do their jobs from home. SaaS apps were clearly the best option to solve many issues, especially the challenges that IT didn’t have the time (or urgent need) to explore beforehand.
But the situation quickly got out of hand. All too often, IT leaders found that some groups adopted applications on their own—even though the organization already offered an option that would have met their needs. Besides the apps that had been approved and vetted by the IT teams, there’s an endless number of “tolerated” ones, tacitly approved by virtue of not being explicitly forbidden.
But it doesn’t end here. Remote working and BYOD left many employees the freedom to discover and use practically any app (the so-called “shadow IT”) to solve business problems on the spot. There’s no need to explain how risky unsanctioned apps could be. This makes visibility into your cloud-based environment extremely difficult—and it’s more critical than ever to know which apps you have in your environment, who’s using them, and the kind of access those apps have to your company’s data.
Crunching Some (Surprisingly High) Numbers
SaaS apps are available to support a variety of use cases—but new options for those use cases pop up on what feels like a daily basis.
Neat, right? Sure, but that doesn’t mean users abandon one app for another in a methodical way. In fact, you probably have more duplicate apps than you realize.
So what’s the extent of the issue? In 2021, the average organization uses roughly 110 SaaS apps. Depending on the number of users in an organization, enterprises generally have 2 to 3 times more SaaS app accounts than they think they do.
In fact, the average company has two or more apps in an average of 25 redundant categories. The hidden costs originating from this lack of visibility can ramp up even more than the perceived savings of even the most scalable solution.
In a nutshell, before attempting to manage or secure them, discovering and auditing SaaS apps should be the first step of your journey.
The Need to Secure SaaS
The growing dependence on SaaS challenges even the most robust cybersecurity strategy. As the world slowly reopens for business, that dependence is becoming even more rampant.
In the aftermath of the COVID-19 pandemic, file security violations alone are skyrocketing. The 2021 Data Breach Investigations Report conducted by Verizon notes that 39% of the attacks they studied were on web applications. In such a dire scenario, SaaS apps represent an unaffordable vulnerability if they’re not secured properly.
The Threats of Shadow IT
Shadow IT is one of the most challenging problems faced by many IT admins. With SaaS sprawl and without a comprehensive management tool, it’s hard to know where a company’s sensitive data lives. These applications are built to ease collaboration between users, files, calendars, groups, emails, addresses, documents—and all types of sensitive data could end up being shared unintentionally.
Data can be exposed or shared with competitors with or without users noticing. In other words, IT may not know there has been a breach. User behavior is a major factor in creating vulnerabilities in an organization’s data transfer security policies, especially when users are working remotely and cannot be supervised. Unsurprisingly, more than 70% of enterprises claim their biggest concern is the well-meaning but negligent employee.
Visibility issues cannot be underestimated either. Close to 50% of companies say their top security concern is not knowing where sensitive data lives. Employees adopt unsanctioned apps in good faith, thinking they can improve their job performance. They don’t want to have IT breathing down their necks each time they install the tiniest app.
While it would be nice to allow that flexibility and independence, giving employees carte blanche access to choose and use whatever apps they want actually increases the dark shadow cast over your organization by shadow IT. When a single file is shared by an employee lacking the knowledge or training to protect sensitive data from leaks, the effects impact the whole SaaS environment.
A single user’s app data can and will be shared by many apps if left unchecked. For example, a simple lead scored in a market automation platform can become a record created in Salesforce. From there, it’s sent to users in Slack in the form of a notification, which is also shared to Office 365. Now, try imagining what’s going to happen within the intricate web of additional unsanctioned apps installed by various users. See where all this is going? Bottom line: your vulnerability spreads quickly and with ease.
The Birth of SaaSOps
In the wake of this endless list of dangers and threats, a solution was found in the form of SaaSOps, a new discipline that could easily represent the next step in cutting-edge cybersecurity operations. SaaS applications now account for 70% of total software usage for most companies, and this number is going to reach up to 85% by 2025. Having a dedicated platform to deal with all of them is going to be a necessity rather than just a wise choice. But SaaS management platforms (SMPs) are not just there to improve security – they’re a critical asset to improve efficiency in management operations. Which brings us to the next chapter.
Efficiently Managing SaaS
Managing user accounts, onboarding, offboarding, and all the tasks associated with user lifecycle management (ULM) is a chore made even more tedious and complicated by the uncontrolled growth of SaaS apps. These tasks contributed to the fragmentation of the ULM process as new employees lack access to the most important apps, role changes need to be constantly updated across the whole SaaS environment, and former employees need to have their privileges removed to avoid keeping access to sensitive data.
Most offboarding workflows, for example, can require an average of 60 steps, 7.12 hours, and an untold number of security risks as the growing number of apps make IT admins susceptible to errors and oversights. Without automation, SaaS management requires hopping back and forth into dozens of individual admin consoles—and it’s certainly not sustainable or scalable.
The World of SaaS Automation Platforms
While automation in IT tasks is not a new concept, more than one-third of surveyed IT experts spend half a week or more bogged down with manually managing SaaS apps. On the other hand, automated SaaSOps platforms like BetterCloud can make offboarding faster by up to 151% for companies of more than 500 employees. In most cases, the process can be reduced to less than 1 hour, and the same goes for onboarding and employee status change tasks.
As the IT world evolves towards the widespread adoption of SaaS solutions, the role of IT teams must change accordingly. To put it bluntly, since it’s quite clear that IT teams are currently insufficient to tackle all SaaS operations, companies must either scale IT staff alongside apps (which is highly unrealistic in most cases), or turn to automation.
Even better, the more tasks become automated, the less likely an IT administrator is to make an error. Centralization means keeping everything monitored and managed in a single place. Visibility is not an issue anymore, and redundant or unnecessary apps can be easily identified.
Best Practices for SaaS Operations
Embracing some best practices for SaaS management can make it much easier to succeed with this new incredibly useful technology. Adopting these simple steps might be your best strategy to mitigate SaaS security issues, streamline your data flow, avoid hidden costs, and improve the efficiency of your SaaS environment.
Choose the Right People
SaaS operations are not like on-premises ones in many ways. The IT team must share responsibilities with the vendor, and the skills you need to have on board to manage SaaS operations are different from those required for on-premises operations. Make sure to choose the right team, and equip them with the correct skills, knowledge, and tools to avoid inconsistencies and issues. You might even think about creating a separate group that focuses entirely on SaaS.
Automate Your SaaS Operations
We’ve already explained why the need for automation is so urgent when it comes to SaaS-rich environments. In a nutshell, there’s too much going on to manage it effectively without the help of AI and automation. Especially when things start scaling up and your organization is maturing, the new demands of the more complex landscape will make it necessary to centralize and automate everything within a single platform.
Ensure App Visibility
You need to know what’s going on at all times. Using a tool to search for unsanctioned apps is a good place to start, but it might not be sufficient, especially if you have to deal with BYOD and remote workers. Use a tool that can discover, manage, and secure the SaaS apps used by your employees, and then take action by auditing all permissions granted to unauthorized SaaS apps. This brings us to the following point, which is:
Establish Clear and Transparent Governance
Your established data governance must be on par with the permissions granted to each user and unsanctioned app. The right governance responsibilities across all touchpoints must be established to define who has authority and control over the most important data assets. This will not only minimize risks of data leaks and losses, but will ensure consistent decisions and execution of business processes.
Beware of the Zombie Horde
The more apps you have, the higher the chances of having unnecessary or redundant ones. Monitor usage and costs to keep track of those that are truly useful, and discard zombie assets. Consolidate all duplicates and establish a standardized protocol for integration into your technology stack to make sure new apps are chosen only when they can truly bring value to your business.
Get the Best of Both Worlds
Traditional security systems such as security event managers, intrusion detection, and firewalls are still a critical weapon in your cybersecurity arsenal. However, it’s not infrequent for them not to be properly configured to protect SaaS environments. Leverage your SecOps experience and skill to make sure they know how to deal with all the new potential vulnerabilities that come with the territory in a SaaS-dominated landscape.