Modern software tools are typically software-as-a-service (“SaaS”) applications hosted and delivered to clients over the internet by a cloud provider. End users do not need to install these applications locally on their devices. Instead, they can access the software through a web browser or program interface. The list of well-known SaaS applications is endless and includes the likes of Microsoft Teams, Slack, Workday, Google Workspace, and many more. But with this, comes risk, so what are the most common SaaS applications security risks?
During the pandemic and the consequent shift to remote work, collaboration tools became the backbone of corporate communication and productivity, enabling employees to converse and work with their co-workers easily and quickly without the formality of e-mail and attachment sharing. Most businesses have been using SaaS applications for a while (including some unauthorised SaaS apps, commonly referred to as ‘Shadow IT’), but the pandemic accelerated the shift towards SaaS collaboration and communication tools in particular.
Beyond just being a tool for collaboration, some SaaS applications are incredibly powerful and complex. Take Microsoft 365, which offers a suite of tools for the modern workplace. Likewise, some SaaS applications, like Salesforce, have grown from applications to platforms on which organisations can develop their own applications. Some SaaS applications are even low code/no-code development tools that support less technical people in app development.
While SaaS applications like M365 can be relatively easy to set up (which obviously aids the sale and adoption process), they can be difficult to securely configure for non-security specialists. This is because there are lots of security settings to consider, and vendors regularly make changes. In line with this, Gartner’s cloud division predicts that, by 2025, 99% of cloud security failures will be the customer’s fault.
Even as organisations pivot to hybrid working models and return to the office, SaaS adoption shows no sign of slowing. These applications are now embedded into employees’ daily workflows. For businesses, too, SaaS applications offer many benefits, including scalability, ease of deployment and low operational costs.
SaaS applications and sensitive data
SaaS applications now permeate all departments: HR, marketing, finance, sales and so on. By 2026, Gartner predicts public cloud spending will exceed 45% of all enterprise IT spending, up from less than 17% in 2021.
As SaaS applications become more engrained into business operations, they are increasingly being used to store, process, and transmit commercially sensitive information and personal data. Such data is typically subject to legal, regulatory or contractual security obligations. At the very least, a data breach is likely to be embarrassing for and affect the reputation of the victim organisation. At the same time, such data is obviously desirable to attackers.
In using SaaS applications, organisations are pushing data outside the boundaries of the traditional network perimeter. This creates challenges for IT teams around visibility, control and security. Sensitive data is being stored in multiple clouds that different vendors own. This data is also being uploaded and downloaded to numerous devices outside the corporate walls. It’s no surprise, then, that Forrester SaaS research found that the primary SaaS concerns for IT professionals are data security and protection against cybercrime.
Common security challenges of SaaS applications
The flexibility and agility of SaaS are what makes it so appealing. These applications are great for boosting employee productivity, autonomy and efficiency. However, these functionalities also render SaaS applications – and the data they store – more challenging to secure.
To effectively safeguard data in SaaS applications, organisations must first understand the most common security risks. Here are the top security challenges relating to SaaS applications.
In the SaaS model, the cloud provider deploys, configures and maintains the underlying cloud infrastructure that supports the application, such as the network, servers, operating systems, storage and capabilities. This is not to say, though, that the client has no responsibilities for security.
The cloud operates under what’s known as a ‘shared responsibility model’. With SaaS applications, the service provider is responsible for securing the cloud infrastructure, while the customer is responsible for data security and identity management within the application itself. Note that the customer’s responsibilities increase with PaaS and increase further with IaaS. This is because PaaS and IaaS can be used by customers in many ways and thus provide greater flexibility to customers to set them up as required.
SaaS apps’ out-of-the-box security settings usually favour functionality over security. This means that users may have user privileges that go above and beyond what they need to perform their roles, giving them access to files, data and commands which they don’t require. While this is a data security risk, threats also arise when businesses poorly customise and configure their applications.
Most cloud service providers offer optional security settings that the customer must configure and deploy. For example, Microsoft, Amazon and Google provide for multi-factor authentication, but it is not set up automatically. Other configuration options centre around permissions and identity and access management – in other words: who has access to corporate data.
Moreover, the cloud’s tiered pricing model often means that certain security features – for example, single sign-on, advanced logging and analytics and even multi-factor authentication – are sometimes reserved for enterprise customers; those that pay for many seats. In essence, this means security is a premium that organisations must pay for.
The past few years have demonstrated that organisations struggle to configure their SaaS applications securely. Data breaches such as the Capital One breach and recent Twitch breach both arose from misconfigured cloud applications.
Misconfigurations are accidental; it takes one wrong click of a button or one rushed employee to unintentionally leave data exposed to the broader internet. Moreover, research by Oracle indicates that two-thirds of organisations find the cloud responsibility model for SaaS perplexing.
A recent analysis of SaaS usage in the enterprise shows that the average company uses over 254 SaaS apps. All SaaS applications have their own security requirements, controls and customisation options – all of which need to be configured correctly to meet compliance requirements and ensure data security.
For IT personnel, configuring these applications manually is often overwhelming – especially as each application will require specialist vendor knowledge. In fact, Gartner’s research estimates that 70% of companies will lack the relevant IT skills and tools to support SaaS-enabled transformation in the next two years.
Of course, this complexity hinders innovation, but it also endangers security. Without the right expertise to secure cloud applications, combined with the high risk of misconfigurations, organisations put themselves at risk of data leakage or even data theft.
As referred to earlier, shadow IT is the use of software, devices, services and applications without the knowledge of the IT department. Because SaaS applications are so easy to deploy, they are a potential cause of shadow IT. 80% of workers admit to using SaaS applications at work without getting approval from the IT department, according to McAfee security research.
Executives and employees often feel empowered to download these applications for individual business use cases. They won’t feel the need to involve the IT department in deploying the application, as the process is straightforward.
From a security perspective, these unsanctioned applications create a significant level of risk. Without visibility into where data resides, how it is being used and who it is being used by, organisations cannot ensure their data is secure. Moreover, the employees who download and use these unsanctioned applications are likely not well-versed in security, increasing the risk of accidental data leakage.
Access control issues
Businesses and the applications they use change by the week – if not the day. SaaS companies regularly push out updates that alter their applications’ functionality and capabilities, which can, in turn, impact pre-configured security settings. At the same time, the structure of organisations is in a constant state of flux too: employees come and go, and people within the business change roles, which changes their access privileges.
In this sense, the average organisation is a kinetic machine: dynamic and ever-changing. This means that, naturally, security must evolve and adapt to the business too. However, for overburdened IT personnel, keeping up with the pace of change can be difficult. Manually managing hundreds of applications and their access privileges as they change by the week is near-impossible, leaving security gaps in the average company SaaS environment.
How to secure SaaS applications
Organisations must acknowledge their responsibility to securely configure the cloud services they use and ensure that personal data is only shared with those it is meant to be.
We recommend that organisations begin by reviewing the NCSC’s SaaS security collection to improve SaaS security. This collection contains essential principles for SaaS security, which organisations can use to better evaluate the security of multiple SaaS offerings.
Other sources of best practice include NIST’s guidelines on security and privacy in cloud computing, NIST’s general access control guidance for cloud systems and NIST’s cloud computing standards roadmap. These resources offer insightful advice on the nature of the cloud’s shared responsibility model and the risks that companies must proactively mitigate.
If you need help or advice on managing your business’ cloud security, we’re here to help. We can advise on your security vulnerabilities, select the right security technology and check that your systems are configured correctly. We can also put policies in place and run staff training exercises. Contact us for a friendly chat.