Preventing Security Risks by Controlling SaaS Sprawl

Originally published by Axonius here.

Written by Kathleen Ohlson, Axonius.

The rapid growth of SaaS adoption continues. The necessity of SaaS applications for productivity and collaboration moved organizations to onboard them as fast as they could.

But now these organizations have this sprawl of SaaS applications and a host of problems: where these apps are located, which team is responsible for onboarding them, how to ensure compliance, and identifying security risks that expose sensitive data.

AJ Yawn, CEO of ByteChek, joined Chris Cochran and Ron Eddings, creative directors at Axonius, for a webinar to discuss all things with SaaS applications — the connection between apps, compliance, and security teams, plus ways to uncover and mitigate risk, maximizing the value of your security program.

Let’s take a look at some of the highlights.

Chris Cochran: What is the current environment today?

AJ Yawn: A lot of folks talked about how COVID-19 was a digital transformation. It forced a lot of companies to adopt SaaS. And I think with that speed to adopting all of these applications, now everybody's taking a step back and saying, “I don't think I know what's going on. I don't think I understand all of the risks that are out there because I've extended my footprint so much.” One of the things that I find very often is that a lot of companies have SaaS apps that they're not using.

And they're just sitting there and they're just a wide open door for a threat actor to come in and do something bad. There's a lot of SaaS sprawl in companies, a lot of different tools out there that CISOs, especially new CISOs coming in, are trying to wrap their head around. What are all these tools we have? Why do we have them? What are we using them for? What are the risks that are associated with them? And I think it's a good spot to be in. We have a lot of people caring about this stuff and hopefully we can reduce that surface area for potential attacks.

Ron Eddings: What is that instruction that you give organizations when looking at things like shadow users and making sure there's no excessive users or permissions?

AJ: I think one of the things that we see in every single compliance framework, whether you're talking SOC 2, ISO, FedRAMP, and PCI, is you got to do access reviews. And those have become check-the-box exercises, if we're being honest. … So instead of us doing access reviews, let me really look at this user here. They haven't logged in six months. Do they still need access to this tool? Or is it just because they've always had access? And then on the flip side to that, if you don't have that central identity source, you got to really make sure there is a constant evaluation of what tools exist. And then in that offboarding process, make sure that those tools are being hit.

Ron: What is your technique or advice for discovering SaaS applications?

AJ: Find technology to help you identify some of this sprawl. And then even before that, get security involved in that early process so that if there's a red flag, if there's something that we have to do, then let us do it. And a lot of that comes down to not necessarily a human being saying, ‘I want you to send me an email every time you want to download a new SaaS app.’ It's a process, it's making it a little bit more seamless for the individuals to provide details to the security professional. … So that if something happens, if some app is breached or has an issue that impacts you, now we have the details to know.

Chris: There's a lot of applications that are running and they're not free. How does someone keep track of their spend?

AJ: I think that's one of the best innovations that I've started to see in this space. There's a lot of fear, uncertainty and doubt with security, but I promise you executives understand math and they understand numbers. If you're like, “Hey, we are spending X amount of dollars on this tool, no one uses it. Or we're spending X amount of dollars on this tool and it also has this type of risk. And I need to make sure that we're protecting it because obviously we care about this. We're spending thousands of dollars on it, so I know you all care about it. So I need some more money to make sure that I'm doing my part to protect it.” And I think if you think about the financial impact of anything from a security perspective, especially in the SaaS space, it makes the conversations go a lot easier.