What the Businesses at Work Report Means for Your SaaS Security Program

This blog was originally published on February 22, 2022 by DoControl.

Written by Corey O'Connor, DoControl.

Earlier this month, Identity and access management platform leader Okta published their 8th annual “Businesses at Work” report. The report pulls data from their more than 14,000 global customers and the Okta Integration Network, which includes over 7,000 integrations with cloud, mobile, and web apps, as well as IT infrastructure providers.

Businesses at Work highlights the most popular, fastest growing applications across the three main global theaters, as well as noteworthy topics for the year such as the rise in multi-cloud, zero trust maturity, and more. This year’s report picks up after organizations around the world turned the corner on the global pandemic. Right in the opening paragraph there’s a mention of organizations initially adopting “solutions that had been temporary stopgap measures during a time of crisis, later becoming long-term solutions that fueled better workplace collaboration, clearer communication, and stronger security for teams around the world.”

Breaking down this one simple sentence there are two interesting points to mull over. The first is the part on ‘fueling better workplace collaboration.’ When you dig into the report, enabling the business through better collaboration is substantiated by several high growth statistics in this category. The pandemic was a big influence in the continued trend in the adoption and utilization of SaaS tools to enable collaboration for the workforce. The second point is the acknowledgement that these stop-gap measures are now longer-term solutions, which we will cover later in this blog.

Content Collaboration Reigns Supreme

Content collaboration is and has been the most popular application category covered in the report since 2015. The top three most popular applications were Microsoft 365, Amazon Web Services (AWS) and Google Workspace (Google experienced a 38% year-over-year growth). This comes as a surprise to no one. The collection of cloud computing, productivity and collaboration tools are foundational to the technology-driven initiatives that allow for increased productivity across the workforce. These applications and services were the low hanging fruit to support remote work.

Industry analyst firm Gartner recently predicted that more than half of enterprise IT spending in key market segments will shift to the cloud by 2025. “The shift to the cloud has only accelerated over the past two years due to COVID-19, as organizations responded to a new business and social dynamic,” said Michael Warrilow, research vice president at Gartner.”

Every ‘as a Service’ solution in the market experienced increased adoption over the last couple of years. From a security perspective, the use of cloud technology dictates that security be a joint responsibility between the service provider and the cloud adopting entity. Most organization’s leveraging Infrastructure as a Service understand this and likely have incorporated additional security measures to their cloud instances, but this shared responsibility is often overlooked when it comes to Software as a Service (SaaS) applications. Controlling the access to sensitive files and data that are collaborated on by internal and external entities is critical when you consider the significant spike in utilization which has been proved out by this report.

Post-pandemic Technology Trends

The days of partnering with a single vendor are starting to fade. There’s been a notable increase in the adoption of multiple best-of-breed applications that provide the same exact functionality. The percentage of Microsoft 365 customers: 45% also use Zoom, 38% also use Google Workspace, and 33% also use Slack. Similarly with multi-cloud adoption, organizations are shifting to adopt overlapping solutions and technologies to enable their business.

Zero Trust initiatives are also increasing. A recent survey of their 600 global business and security leaders revealed that in 2020, 41% of organizations said they were working on a Zero Trust initiative or intended to start one in the near future. In 2021, that number spiked to 90%. This also comes as no surprise. The pandemic pushed the shift to Zero Trust security models in a hasty way. The report highlights statistics around user, network and device context – but does not touch on securing the actual data.

‘A Zero Trust approach’ as defined by Okta in the report: “A Zero Trust approach takes the position that the only way to truly protect data is to treat all user traffic as untrusted.” Extending Zero Trust to the SaaS application data layer is a requirement if the aim is to ‘truly protect data.’ Security needs to be applied closer to the application data layer – beyond the user, network, and device levels. Introducing granular data access controls and risk-based policies allows for a more complete zero trust architecture, through deeper levels of security across the SaaS applications that drive the business forward.

The Permanence of Stop-Gap Measures

Let’s get back to stop-gap measures becoming longer-term solutions. The initial changes made to enable remote work are now here to stay. Sure, organizations need to enable their workforce to grow their business, but they need to ensure it's achieved in a secure manner. Business continuity is the main value driver for security in this landscape. The report shows the average number of applications deployed by larger organizations (2,000 employees or more) coming in at a staggering 187.

This becomes a scalable problem when you consider the number of users (i.e. internal employees and external collaborators) that are accessing, manipulating and sharing the sensitive data within each individual application (now multiple that out by 187 apps). Add to this the increase in multi-vendor adoption for SaaS, and the sheer number of disparate applications that exist within the estate. This introduces a decentralized security model that is siloed, complex, and increases the risk of data overexposure and exfiltration.

Teasing out some of what’s reflected in Okta’s report only highlights the importance of centralizing the security of SaaS applications. The increased reliance on content collaboration apps requires increased security around them. The use of multi-vendor solutions that overlap require a consistent security strategy that scales in line with the growth and usage of these applications. If stop-gap measures are becoming longer term, then it's critical for organizations to reevaluate their security posture and ensure they have the necessary data access controls in place.