How to tackle SaaS sprawl

Unlike on-premise software, SaaS applications don't need IT review, approval, and installation.

The prevalence of software as a service (SaaS) has changed the landscape for most businesses. Companies now use a growing number of unique SaaS applications to achieve their business goals. With the global pandemic and the rise of WFH practices, enterprise dependence on SaaS products has increased dramatically across every market sector, even in traditional laggards like health and finance. SaaS has made traditional security teams blind to actual activity.

Lior Yaari writes for the security magazine on how to tackle SaaS sprawl and what measures IT leaders should take.

Here is what he has written:

  • According to Okta, an SSO provider, only 88 apps use SSO in the average enterprise.

  • The first step in building a viable SaaS threat model is to establish and analyze organizational SaaS inventory.

  • The inventory should communicate which apps are operating in an organization's environment and who is using them.

  • Automation should be brought into SaaS security.

  • Unlike with SSO-integrated apps or those hosted on your own server, access to the data stored on SaaS apps is restricted to only the user, the weakest link in your security chain.

  • To be a "mindful" security leader, it's important to consider how you can leverage SaaS security innovations and unify offboarding for all SaaS. In addition, you should be looking to accelerate internal risk assessments and SSO integrations.

  • When discovering new application use within the organization, IT teams are required to detect the administrator of the application itself. 

  • There are also cases where the app itself does not support SSO or requires extra payment for enterprise features, known as the SSO Tax.

  • Employees are increasingly working from home and using their own devices for work. These factors can lead to security risks and need to be accounted for when designing access-management mechanisms.

  • SaaS access managers must enforce coherent access policies and monitor any changes in data flows on their platform.

  • According to a survey by PTC, 59% of experts polled see security as the critical barrier to selecting SaaS solutions. However, this decision-making should not be so complex, and, clearly, IT and security leaders have a lot to do to survive the future's SaaS-dominated landscape.

What We Think

We constantly speak to IT leaders to ask them how they tackle SaaS sprawl, and the most popular answer is to be proactive and use the help of tools like SaaS management platforms (SMPs) wherever possible. Given the WFH situation and the number of new SaaS applications popping up daily, the problem of SaaS sprawl will invariably keep raising its head in your organization. However, if you have tools and processes in place, it's a problem that can be controlled.

You can read the full article here.