Finding the Needles (Shadow IT) in the Haystack
Authored by Barak Kaufman
The explosion of SaaS continues and has become a major challenge for enterprise security teams. Organizations now store nearly all of their most sensitive corporate data in cloud applications.
Additionally, the use of shadow SaaS applications (hidden from IT) is a widespread issue. According to SailPoint’s research, most organizations have 3.5-4x more SaaS apps in use by employees than the IT & Security teams are aware of. Each one of these SaaS applications introduces new access risks into an organization and expands the attack surface.
There is a lot of talk about zero-trust environments, but we must ask a fundamental question: how can we secure what we cannot see?
The average enterprise, with at least 4,000 employees, has 1,265 applications in use (source). In addition to knowing what those applications are, you also need to understand:
- Who has access?
- Who should have access?
- How is that access being used?
- What permissions and data does each application access?
These are basic, yet incredibly challenging questions to get answered when you are trying to manage SaaS applications at scale. It is impossible to create or maintain a strong identity security strategy without this context.
That’s where SailPoint SaaS Management comes in to uncover and mitigate hidden access risks stemming from shadow IT. As part of our continued investment to help organizations deal with shadow IT and SaaS access risk, we’re launching three new features:
- Group Reporting 2.0
- Procurement Data Reporting
- Connected Applications 2.0
Group Reporting 2.0
When we originally developed our SaaS Management solution, we took the view that SaaS reporting should be completely customizable, because every client has its own reporting needs. Within the enterprise, this is even more true. An enterprise may want to run specific reports for an ongoing M&A project, consolidation exercise, geographic expansion, data privacy analysis, or risk mitigation strategy.
With Group Reporting 2.0, we’re enabling organizations to slice & dice their SaaS reporting by any attribute that is important to them. SaaS Management can automatically associate all SaaS identities with an organization’s identity attributes to analyze and answer tough questions like:
- Which of our departments are provisioned with the most Zoom Pro licenses, and are they being utilized?
- How many of our UK subsidiary employees have two-factor authentication set up in Microsoft Office 365?
- What are the redundant applications we can consolidate from our newly acquired entity?
Procurement Data Reporting
The role of SaaS Management is to aggregate and visualize all the SaaS application data within an enterprise. This includes SaaS spend data, which historically has come from integrations with a client’s ERP (Enterprise Resource Planning) system, expense management platform, and/or credit cards.
We have now added the ability to pull in data from procurement systems, starting with new connectors for Coupa and SAP Ariba.
Integrating with a procurement solution adds another powerful source of discovery and the ability to manage data more robustly in SaaS Management. It will help security leaders ensure only approved applications are being purchased and reduce Shadow IT. It will also provide context on renewal dates to enable more timely security exercises like validating access to applications.
Connected Applications 2.0
Increasingly, every SaaS vendor’s application is a product, every product is a platform, and every platform has a marketplace. That means data is shared back and forth between core applications like Google, Microsoft, and Slack and a long tail of “add-on” applications that employees are integrating. Most of these add-ons are granted permissions by the core apps, and security teams are often unaware that the add-ons are entering their environment.
This presents massive security risks to an enterprise organization. For example, applications may download your data or act on behalf of users, and you may not have the visibility or insight to even know this is happening.
Take Hey Taco, one of the most popular apps for Slack and Microsoft Teams. It allows employees to share virtual tacos with colleagues as a form of appreciation. What employees usually do not realize is that by adding the application, they are granting permissions to Hey Taco that include reading all the messages shared in private and public channels.
This enhancement to SaaS Management helps clients discover, analyze, and report on the shadow permissions granted to third-party applications. This enhanced reporting allows you to dig deep into any application that has been granted access and find the risks associated with it. You can answer tough questions like:
- Which unapproved applications have read and write access to my Office 365 instance?
- Which unapproved applications have high-risk access to my Slack instance?
Our goal is to help you find that needle in the haystack to prevent any identity risk through these connected applications.
Whether you already have a mature identity governance program in place, or you are just beginning to scale your security efforts, SaaS Management can deliver immediate value for your organization.