Being proactive is a good thing – until it isn’t.
It’s a problem faced by many organizations – how do you keep your users from buying SaaS applications for their departments without first getting IT approval?
Unfortunately, that seems to be the nature of doing business. Employees are sometimes encouraged to be “mavericks” and find workarounds that let them reach their goals faster, as the adage goes: “It’s easier to ask forgiveness than permission.” One common workaround is adopting SaaS solutions that haven’t been fully vetted.
SaaS tools are designed to make it easy to immediately add functionality with a simple sign up. But when users and departments purchase subscriptions to SaaS applications without any IT oversight, it can lead to risks. And those risks go beyond simple budget busting.
Business leaders are aware of this. In fact, in a recent study, 78% of them cited SaaS security as a top concern. That includes the danger of leaking sensitive information when staff paste it into generative AI tools like ChatGPT. It also extends to SaaS applications that have bolted an AI layer onto their products, one that may be collecting customer data to train or improve the vendor’s models. These concerns have led some organizations and government entities to restrict or ban the use of generative AI tools outright.
SaaS tools pose security risks beyond AI. If a user reuses the same password across services and the SaaS provider is breached, the leaked credential can be replayed against other company systems (credential stuffing). The same exposure arises when a user keeps access to a SaaS product after leaving the company: an application bought without IT involvement is usually outside the corporate identity provider and single sign-on, so offboarding never reaches it.
The weakness may also lie with the SaaS product itself, if it wasn’t built to security best practices. The APIs behind SaaS products are exposed to broken object-level authorization (manipulating record identifiers to reach another customer’s data), injection, and denial-of-service attacks, to name a few. There is also risk if the data in the application isn’t properly backed up. And if application data ends up stored on a server in another country, data-residency rules can turn into compliance headaches.
Questions to ask a SaaS Vendor Before Purchasing a Solution
If your organization doesn’t already have them, now is the time to put in place guidelines for adopting SaaS tools. Some questions to ask a SaaS vendor:
- How is data encrypted, both in transit and at rest?
- What is your data retention policy?
- Do you share customer data with any third-party vendors or partners?
- Is customer data used for training an AI model and if so, how can you opt out of this?
- Do you support Multi-Factor Authentication (MFA) for user access, and can we enforce it, ideally through single sign-on with our identity provider?
- Is role-based access control (RBAC) in place, so that administrative rights can be limited to a few accounts we control?
- How often do you perform (and test) backups?
- What is your incident response plan in case of a data breach, and how quickly will we be notified?
- How often do you conduct security assessments, such as penetration tests or independent audits, and will you share the results?
This may look like a lot of red tape to get through just to use a SaaS tool – but it’s necessary. In his book Good to Great: Why Some Companies Make the Leap… and Others Don’t, Jim Collins wrote “The purpose of bureaucracy is to compensate for incompetence and lack of discipline.” Dedicated oversight of SaaS products is one example of something that looks like bureaucracy, but actually serves an important purpose.
Tools to Mitigate SaaS Security Threats
Cybersecurity experts at InterDev have the skills and tools to help guard your organization against the risks introduced by unsanctioned SaaS products. One such tool is Cisco Umbrella, which produces an App Discovery report that identifies the SaaS applications in use in your organization based on the DNS and web traffic it sees. Umbrella provides insight into the vendor, category, and activity for every app, informing you of the risks and enabling your team to block specific apps.
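To make the discovery idea concrete, here is an added example (not Cisco Umbrella code, and not InterDev’s) that does the same kind of thing on a small scale: it walks DNS or proxy log lines, maps each destination domain to a SaaS application via a catalog, and reports which apps are in use that IT has not sanctioned, with the users and request counts behind each one. The log lines, the `SAAS_CATALOG` mapping, and the `SANCTIONED` list are all constructed for the example; a real deployment would feed in the proxy or resolver logs you actually have and a maintained application catalog.

```python
"""Shadow-SaaS discovery over DNS/proxy logs.

Added example, not code from Cisco Umbrella or InterDev. Assumptions:
- Each log line is 'timestamp user domain', as a simple proxy or resolver export.
- SAAS_CATALOG maps a domain suffix to (app name, category). Hypothetical and
  tiny; in practice this comes from a vendor feed.
- SANCTIONED is the list of apps IT has approved.
"""
from dataclasses import dataclass, field

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-05-01T09:01:12Z alice api.github.com
2024-05-01T09:02:40Z alice chat.openai.com
2024-05-01T09:03:03Z bob app.notion.so
2024-05-01T09:03:10Z bob chat.openai.com
2024-05-01T09:04:55Z carol www.dropbox.com
2024-05-01T09:05:00Z carol content.dropboxapi.com
2024-05-01T09:06:31Z dave api.github.com
2024-05-01T09:07:02Z dave www.example.com
this line is malformed
"""

# Hypothetical catalog: domain suffix -> (app name, category)
SAAS_CATALOG = {
    "github.com": ("GitHub", "Development"),
    "openai.com": ("ChatGPT", "Generative AI"),
    "notion.so": ("Notion", "Collaboration"),
    "dropbox.com": ("Dropbox", "File Sharing"),
    "dropboxapi.com": ("Dropbox", "File Sharing"),
}

# Hypothetical IT-approved application list.
SANCTIONED = {"GitHub"}


@dataclass
class AppActivity:
    app: str
    category: str
    sanctioned: bool
    users: set = field(default_factory=set)
    requests: int = 0


def classify(domain):
    """Match a domain to a catalog entry by walking its parent suffixes,
    e.g. content.dropboxapi.com -> dropboxapi.com -> Dropbox.
    Returns (app, category) or None for domains not in the catalog."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in SAAS_CATALOG:
            return SAAS_CATALOG[suffix]
    return None


def parse_line(line):
    """Split 'timestamp user domain'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def discover(log_text, sanctioned=SANCTIONED):
    """Return {app: AppActivity} for every catalog app seen in the log."""
    seen = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip bad lines instead of failing the whole run
        _ts, user, domain = rec
        hit = classify(domain)
        if hit is None:
            continue  # not a known SaaS domain
        app, category = hit
        entry = seen.setdefault(app, AppActivity(app, category, app in sanctioned))
        entry.users.add(user)
        entry.requests += 1
    return seen


def unsanctioned(log_text, sanctioned=SANCTIONED):
    """Apps in use that IT has not approved, widest adoption first."""
    acts = [a for a in discover(log_text, sanctioned).values() if not a.sanctioned]
    return sorted(acts, key=lambda a: (-len(a.users), a.app))


if __name__ == "__main__":
    for a in unsanctioned(SAMPLE_LOG):
        print(f"{a.app:8} {a.category:15} users={sorted(a.users)} requests={a.requests}")
```

Run as a script it lists ChatGPT (two users), then Dropbox and Notion, while GitHub is suppressed because it is sanctioned. The suffix walk in `classify` matters in practice: SaaS vendors spread a product across several domains (`dropbox.com` and `dropboxapi.com` here), and counting them as one app is what lets you see real adoption per product rather than per hostname. The category column is what you would key a blocking or review policy on, for example flagging anything in “Generative AI” for the data-handling questions listed above.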
Talk to one of our experts to learn how InterDev can help secure your organization against cyber threats.