This past January, a SaaS Security Posture Management (SSPM) company named Wing Security (Wing) made waves with the launch of its free SaaS-Shadow IT discovery solution. Cloud-based companies were invited to gain insight into their employees’ SaaS usage through a completely free, self-service product that operates on a “freemium” model. If a user is impressed with the solution and wants to gain more insights or take remediation action, they can purchase the enterprise solution.
“In today’s economic reality, security budgets have not necessarily been cut down, but buyers are far more careful in their purchasing decisions and rightfully so. We believe that you cannot secure what you do not know, so knowing should be a basic commodity. Once you understand the magnitude of your SaaS attack layer, you can make an educated decision as to how you are going to solve it. Discovery is the natural and basic first step and it should be accessible to anyone,” said Galit Lubetzky Sharon, Wing’s Co-Founder and CTO.
The company reported that within the first few weeks of launching, over 200 companies enrolled in its self-service free discovery tool, adding to the company’s existing customer base. It recently released a short report on the findings from hundreds of companies that unveiled their SaaS usage, and the numbers are unsettling.
The Tangible Risks of Growing SaaS Usage
In 71.4% of companies, employees use an average of 2.4 SaaS applications that have been breached in the past three months. On average, 58% of SaaS applications are used by only one employee. A quarter of organizations’ SaaS users are external. These numbers, and other interesting data, are found in the company’s report, together with explanations as to why they believe this is the case and the risks that should be taken into consideration.
SaaS usage is often decentralized and difficult to govern, and its advantages can also pose security risks when ungoverned. While IAM/IM systems help organizations regain control over a portion of their employees’ SaaS usage, this control is limited to the sanctioned SaaS applications that IT/Security knows about. The challenge is that SaaS applications are often onboarded by employees without involving IT or security teams. In other words, this is SaaS Shadow IT. This is especially true for many SaaS applications that don’t require a credit card or offer a free version.