Ask anyone in IT: Software as a service (SaaS) is a good thing.
You save money by paying as you go; you save time by offloading installation, maintenance and updates; you save resources by getting a ready-to-go application that works easily with your system. This is why SaaS has seen sixfold growth since 2015 and will account for 85% of software used in enterprise by 2025, according to research.
But too much of a good thing can be bad. A Ponemon report shows that more than 50% of organizations have experienced a data breach caused by a third-party app or service and that the cost of data breaches increases if they involve a third-party app or service.
The security of cloud-based third-party apps is only as good, or as bad, as the security systems of the organization responsible for those services. There is also a growing number of fourth-party apps. For example, a scheduling solution integrated into a business communication platform such as Slack brings added productivity benefits, but it also brings yet another player to account for in the organization’s security posture.
One of the biggest challenges to getting a handle on SaaS security is the inherent lack of visibility. With the rise of product-led growth, end-users, not the traditional software buyers, adopt SaaS products first. In many instances, security and IT teams only become aware of the new SaaS product later.
Studies show that employees in large organizations use an average of 177 SaaS applications, and those are just the ones IT knows about. How many employees really use these apps, especially outside the office and/or on personal devices, is anyone’s guess.
With the democratization of SaaS app usage, the consequences of security challenges are growing by the day. Recent SaaS breaches that caused financial or reputational damage include hackers using Slack to trick an Electronic Arts employee into providing credentials, enabling them to steal some 780 GB of data, including the source code for FIFA 21, one of EA’s biggest selling games.
According to the hackers, they were able to pull this off by buying a $10 cookie on the Dark Web that enabled them to gain access to an internal Slack EA channel. And with that “trusted” connection, they convinced IT support to log them into the system.
Instagram business users also found themselves at risk when hackers stole their passwords from Social Captain, an app that claims to help users get more followers. Hackers accessed Instagram passwords because Social Captain was allegedly storing them as unencrypted text, and a website bug allowed anyone accessing an account via the app to log into the associated Instagram account without authentication.
In addition to violating privacy, such third- or fourth-party based hacks can be a matter of life and death, as evidenced by the hack of Tesla vehicles via the third-party app TeslaMate.
Although the teen hacker who discovered the access flaw did not gain control of the wheel or braking system, he was able to unlock doors, open windows and even start Keyless Driving. And most alarmingly, given the massive number of third- and fourth-party apps and people working remotely, similar things could be happening on a daily basis.
So is there anything organizations can do? One approach is to create a whitelist, allowing only specific platforms and apps into the workplace. While that may work to an extent, assuming the security on those apps and SaaS platforms can be trusted, it’s not a very practical solution, because employees will use whatever apps they want on their personal devices.
A more practical and efficient solution to manage and secure the organizational SaaS frontier is to focus on identifying all apps used in the organization, including third- and fourth-party apps, and who is using them.
In order to succeed in this effort, organizations need to be able to reliably assess and prioritize all risks. The organization must also assess what information it is sharing externally and work to gain full governance of those shares so they don’t reach the wrong audiences.
And, of course, all this needs to take place without harming employee privacy; security solutions, after all, should work with employees, not against them.
Ideally, a platform that does this should be able to achieve its goals in an automated fashion; both employees and the organization will benefit, as it will create a seamless user experience.
A solid SaaS security solution must enable employees to be productive while allowing the organization to protect itself. This balance of serving both goals is the ultimate condition companies should strive to achieve, as that is the best we can expect.
Oren Yunger is a Principal at GGV Capital, a global venture capital firm that invests in seed-to-growth stage investments across Consumer/New Retail, Social/Internet, Enterprise/Cloud and Smart Tech sectors.