February 15, 2024
Research Fellow: Mark Piffl
Assessing the Impact of SaaS Sprawl on Organizational Cost Efficiency and Data Security: A Comprehensive Analysis
Abstract
Research Fellow and cybersecurity author Mark Piffl conducted a study examining the phenomenon of "SaaS Sprawl" and its implications for organizational security and cost-efficiency. With the increasing reliance on Software as a Service (SaaS) applications in corporate environments, this research highlights the challenges in tracking and managing these applications. Mr. Piffl’s research study quantifies the extent of SaaS proliferation and assesses its impact on data security and financial overhead.
Introduction
The advent of SaaS has revolutionized the way organizations operate, offering numerous applications that streamline daily business operations. However, this ease of adoption has led to a lack of oversight in managing these applications, commonly referred to as "SaaS Sprawl." This research discusses the need for effective SaaS discovery and management within organizations to enhance security and optimize costs.
Methodology
The study employs a mixed-method approach, combining quantitative data analysis with qualitative assessments. Data was gathered from various industry reports and surveys, focusing on the number of SaaS applications in use, their management, and the associated security and financial implications.
Results
Key Findings:
- A significant underestimation by IT leaders of the number of SaaS applications in use, often by a factor of two or three.
- The average business utilizes approximately 80 IT-sanctioned SaaS apps, a fivefold increase over three years.
- The prevalence of 'Shadow IT', where SaaS applications are adopted without IT approval, accounting for 65% of SaaS usage in 2022.
- The issue of unused SaaS licenses, with an estimated 55% going unutilized.
- Financial inefficiencies due to redundant applications, with approximately a third of SaaS spending being potentially wasteful.
- Large discrepancies between perceived and actual SaaS connections within organizational networks.
- Data security risks, with an influx of new SaaS applications monthly and a high percentage of security breaches involving cloud-stored data.
Research Discussion
The study addresses the implications of the key findings above, emphasizing the risks associated with unmanaged SaaS adoption. It highlights the importance of comprehensive SaaS tracking for maintaining organizational security and reducing unnecessary expenditures. The research also addresses the challenges organizations face in achieving this, such as decentralized SaaS adoption approvals and the complexity of mapping SaaS connections. Here we list the results of the analysis:
- Implications of the Findings:
  - Underestimation of SaaS Usage: Organizations often significantly underestimate the number of SaaS applications in use, leading to a lack of effective oversight.
  - Financial Overheads: The proliferation of SaaS applications without proper management results in increased and often unnecessary expenses, including costs associated with unused or redundant applications.
  - Security Vulnerabilities: Unmonitored SaaS applications can introduce security risks, as unapproved apps may not comply with organizational security policies.
- Associated Risks of Unmanaged SaaS Adoption:
  - Shadow IT: The prevalence of Shadow IT, where employees use SaaS applications without IT approval, leading to a lack of visibility and control over data security.
  - Data Breach Susceptibility: Increased risk of data breaches due to the expanding attack surface with each new, unmonitored SaaS application.
  - Compliance Issues: Difficulty in maintaining compliance with data protection and privacy regulations due to decentralized SaaS management.
- Specific Challenges Organizations Face in SaaS Tracking:
  - Decentralized Approval Processes: Difficulty in tracking due to varied approval processes across different departments.
  - Rapid Adoption Rate: The high rate of SaaS adoption and turnover presents a challenge in keeping the inventory up-to-date.
  - Complex Connectivity: Understanding the complex web of connections between SaaS applications and organizational assets can be challenging.
- Methods to Improve SaaS Tracking:
  - Centralized SaaS Inventory: Establishing a centralized inventory of all SaaS applications, both sanctioned and unsanctioned, to gain a comprehensive overview.
  - Regular Audits: Conducting regular audits to identify unused or redundant applications for potential cost savings.
  - Integration Mapping: Mapping how each SaaS application is connected within the organization to understand data flow and interdependencies.
Tools:
- SaaS Lifecycle Management - Technology options to manage the entire lifecycle of SaaS applications, including discovery, optimization, compliance, and efficient management of user access and licensing:
  - Torii: Torii provides a SaaS management platform designed to streamline SaaS operations, optimize software spend, and ensure compliance. Their solutions focus on discovering and managing SaaS applications across an organization, providing insights into usage, spend, and risk. Torii's platform offers features such as automated discovery of SaaS apps, license management, and workflow automation to help organizations effectively control and optimize their SaaS environments.
  - Zylo: Known for its AI-powered engine, Zylo provides a comprehensive view of an organization's SaaS portfolio, helping to assess software utilization and productivity. It focuses on optimizing and anticipating future SaaS needs.
  - BetterCloud: This platform automates user lifecycle processes and daily operations in multi-SaaS environments, streamlining onboarding and offboarding processes and integrating with various data sources for productivity enhancement.
  - AvePoint: Specializing in digital workplace experiences, AvePoint offers solutions to simplify the management, control, and protection of multi-SaaS applications and data, enhancing operational efficiency and security.
  - Cledara: Cledara offers a centralized management system for all software subscriptions, providing real-time reporting and analytics, which assists in identifying potential savings and making future budget projections.
  - Zluri: Zluri is a data-driven SaaS management platform that excels in app discovery, management, optimization, and compliance. It aids in optimizing spend by identifying duplicate apps, highlighting underused tools, and consolidating apps with overlapping functions. Zluri also automates many IT tasks, enhancing security and managing compliance risks.
- SaaS Security Posture Management (SSPM) - Technology options for automating SaaS tracking and vulnerability management:
  - Valence Security: Valence Security specializes in SaaS risk management and remediation. Valence provides a platform that focuses on aspects like SaaS configuration management, identity security, integration governance, and data protection. Services are designed to help businesses manage the security risks associated with SaaS applications effectively.
  - Wing Security: Wing Security offers a comprehensive approach to SaaS security, providing tools for risk management, app-to-app connection shutdown, and user-related risk uncovering. Wing also focuses on managing tokens, permissions, and data exposure, ensuring a secure SaaS environment.
  - Adaptive Shield: Adaptive Shield offers a detailed checklist for SaaS Security Posture Management (SSPM). They focus on the ease of deploying and adopting SaaS apps, and their SSPM solutions are designed to address the risks and complexities associated with these processes.
  - Obsidian Security: Obsidian Security specializes in providing advanced cybersecurity solutions focused on protecting SaaS applications and cloud environments. Their offerings include continuous monitoring, threat detection, and compliance management, ensuring a robust security posture across multiple cloud platforms and applications.
  - Microsoft: Microsoft provides comprehensive solutions for SaaS security, focusing on managing the challenges posed by SaaS sprawl and cloud misconfigurations. Their offerings include robust access control mechanisms, data loss prevention, and advanced threat protection features, integral for ensuring the security of SaaS applications.
Conclusion
Effective management of SaaS applications is crucial for both cybersecurity and financial stability within organizations. This research concludes by suggesting steps for organizations to assess their SaaS landscape, including identifying the number and usage of SaaS applications, understanding license renewal terms, and mapping their connections across the organization. The research also provides a list of security technology vendors that can help automate the discovery, management, and vulnerability assessment process. The potential benefits of such assessments include improved security postures and significant cost savings.
References / Sources
- Gartner. (2023). "Forecast Analysis: SaaS Market Growth and Trends."
- Zylo. (2023). "SaaS Management Index Report" & "SaaS Discovery Drives Visibility and Insights into Your Portfolio"
- BetterCloud. (2021). "79 SaaS Statistics in 2021 That Will Change the Way You Think About SaaS Management."
- BetterCloud. (2023). "State of SaaSOPs."
- Productiv. (2023). "SAM vs SMP: Why a Software Asset Management Tool Is Insufficient for SaaS Management."
- Torii. (2022). "Understanding the Hidden Costs of SaaS."