The Rise of SaaS-App Risk and What to Do about It
It's no secret that the use of SaaS applications has exploded over the last several years. Vendr reports that SaaS-app adoption increased 18% last year. Productiv, meanwhile, recently found that organizations use an average of 315 SaaS apps, with individual teams using between 50 and 70 each.
All of this is to say that SaaS apps are everywhere, used by teams whether or not anyone sanctioned them.
But like any technology, SaaS apps (including browser extensions) pose real threats to users and organizations, and they have long been a target of attackers. From phishing to ransomware to insider threats, the past year has seen several attacks that used SaaS applications as the entry point or the vehicle. It is crucial, therefore, that security and IT professionals understand the risks that SaaS applications present.
Measuring SaaS Risk
To help better understand those risks, I worked with our research team to release Spin.AI's 2023 SaaS Application Risk Report, analyzing anonymized data from more than 750 customers.
Much of an organization's SaaS-app risk sits in Google Workspace and Microsoft 365, so those two environments are a natural place to start. Spin.AI's analysis shows that 76% of SaaS applications pose a high or medium risk to data stored in either of them. Looking deeper, 35% of apps holding OAuth permissions to Google Workspace and 24% of apps holding OAuth permissions to Microsoft 365 are high-risk.
What contributes to this high risk? Several factors. Some enterprises struggle to inventory, assess, and control SaaS-app sprawl. Others face OAuth abuse that allows malicious applications to impersonate legitimate ones. And others still may incorrectly assume tools like Microsoft Defender assess all application risk, leaving gaps.
Exacerbating the risk, many SaaS apps hold very broad permissions. For instance, more than 43% can read, compose, send, and permanently delete all of a user's Gmail messages (the full-mailbox scope), and nearly 46% can see, edit, create, and delete all of a user's Google Drive files (the full-Drive scope). A likely cause is that apps built to manage or extend these popular Google Workspace applications request the broadest scope available rather than the narrowest one that does the job.
The reality is that organizations have poor visibility into, and little control over, the applications being installed in their environment. SaaS-app extensions and plugins are often installed by individual users, and they commonly require extensive permissions. Our findings showed that 56% of high-risk applications have extensive permissions, and nearly 39% of them receive poor marketplace reviews.
The First Big Question
This data shows that the risk is real. But how can organizations work to reduce the threat of attack via SaaS apps?
I'm not going to dive into products. Instead, I'm going to leave you with some essential questions you should be asking yourself and your team—and that you and your team should be able to answer.
First: Do you know what SaaS apps are installed? If you don't, this is step one. Build a comprehensive inventory of applications and browser extensions, and keep it current. You can't protect what you can't see.
To this end, consider tools that offer SaaS security-posture management (SSPM) to maintain the application inventory and tie it to your risk-management policies. SSPM tools give insight into the SaaS environment and observe the actions within it (such as OAuth consent grants), so they can inventory applications as they appear and apply automated access-management policies at the moment access is granted.
Follow-up Questions on SaaS Risk Assessment
Once you have the answer to this question, start investigating and understanding the operations, security, privacy, and compliance risks that each of these apps present. Find the answers to the following questions:
- What specific data do these applications have access to?
- What risks are posed by these applications integrating with your SaaS environment?
- What is the scope and scale of high-risk applications within the environment (for instance, how many users at what privilege are on high-risk apps)?
It's important to identify what data will be processed, stored, or transmitted through these applications, and the risk that this presents.
Because critical SaaS applications are likely to hold sensitive and proprietary data, third-party access deserves particular attention. A third-party application that can read, write, or delete that data (or act on it in other ways) can affect the confidentiality, integrity, and availability of the underlying assets. This presents both security and compliance risks.
Ongoing assessment is crucial to understanding how apps have become either more vulnerable or better hardened since you last looked. Admittedly, this can be daunting. We know that teams are assessing SaaS-app risk, but for most it is a manual process that can take up to two weeks per assessment. That's a long time.
Automation can help as you move forward with this process. An automated risk assessment will help you evaluate security, compliance, privacy, and operational risks associated with your SaaS applications. This assessment should be performed both when granting access to an application and on an ongoing basis to account for any changes in risk factors.
Finally, to maintain control and mitigate risk effectively, establish policies grounded in your third-party risk-management framework, and let them drive real-time decisions automatically. These policies should be keyed to attributes of the application itself (the permissions it holds, how it is used, and its assessed risk), since those change over time, as well as to the needs of the business.
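The inventory question above (which apps hold access), the scope-and-scale question (how many users, at what privilege), and the policy step can all be worked from the same data. As an added example, not Spin.AI's code or the report's methodology, the script below consumes responses in the shape of the Google Workspace Admin SDK Directory API `tokens.list` call (one response per user), merges them into a per-application inventory, grades each app by the OAuth scopes it holds, and applies an ordered rule list. The token data is constructed, and the scope tiers, the 50-user threshold, and the rule names are assumptions to adapt to your own framework. The three full-access scope URIs are real Google scopes and the descriptions are what Google shows on the consent screen.

```python
"""Inventory OAuth grants from Google Workspace tokens.list output and apply a policy.

Added example, not Spin.AI's code. Input shape matches the Admin SDK Directory API
tokens.list response; sample data, risk tiers and policy thresholds are assumptions.
Fetching real data needs a delegated service account holding the
https://www.googleapis.com/auth/admin.directory.user.security scope and one call
per user, e.g. service.tokens().list(userKey=email).execute() in google-api-python-client.
"""
from dataclasses import dataclass, field

# Real Google scope URIs; the description is the consent-screen wording for each.
FULL_ACCESS_SCOPES = {
    "https://mail.google.com/": "read, compose, send and permanently delete all Gmail",
    "https://www.googleapis.com/auth/drive": "see, edit, create and delete all Drive files",
    "https://www.googleapis.com/auth/admin.directory.user": "manage users in the domain",
}
# Identity and per-file scopes: low risk on their own (assumed tier).
LOW_RISK_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/drive.file",
}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def scope_risk(scope: str) -> str:
    """Assumed tiers: full mailbox/Drive/directory = high, identity = low, else medium."""
    if scope in FULL_ACCESS_SCOPES:
        return "high"
    if scope in LOW_RISK_SCOPES:
        return "low"
    return "medium"  # read-only mailbox/Drive scopes and anything not yet classified


@dataclass
class AppSummary:
    client_id: str
    name: str
    scopes: set = field(default_factory=set)
    users: set = field(default_factory=set)
    anonymous: bool = False  # tokens.list flag: app has an anonymous (unregistered) client ID

    @property
    def risk(self) -> str:
        """Risk of the app is the highest risk of any scope it holds."""
        return max((scope_risk(s) for s in self.scopes),
                   key=RISK_ORDER.__getitem__, default="low")


def build_inventory(token_lists: dict) -> dict:
    """token_lists maps a user key to that user's tokens.list response body.
    Returns {clientId: AppSummary} with scopes and users merged across the org."""
    apps = {}
    for user, body in token_lists.items():
        for item in body.get("items", []):
            cid = item["clientId"]
            app = apps.setdefault(cid, AppSummary(cid, item.get("displayText", cid)))
            app.scopes.update(item.get("scopes", []))
            app.users.add(user)
            app.anonymous = app.anonymous or item.get("anonymous", False)
    return apps


# Ordered policy rules (name, predicate, decision); first match wins. Thresholds assumed.
POLICY = [
    ("block-anonymous-high", lambda a: a.risk == "high" and a.anonymous, "block"),
    ("review-high", lambda a: a.risk == "high", "review"),
    ("review-wide-medium", lambda a: a.risk == "medium" and len(a.users) >= 50, "review"),
    ("allow-default", lambda a: True, "allow"),
]


def decide(app: AppSummary) -> tuple:
    """Return (decision, rule_name) for the first matching policy rule."""
    for name, predicate, decision in POLICY:
        if predicate(app):
            return decision, name
    raise AssertionError("POLICY must end with a catch-all rule")


def summarize(apps: dict) -> dict:
    """Scope-and-scale view: app counts per tier, distinct users on high-risk apps,
    and how many apps hold the full Gmail / full Drive scopes."""
    by_risk = {"low": 0, "medium": 0, "high": 0}
    users_on_high = set()
    for app in apps.values():
        by_risk[app.risk] += 1
        if app.risk == "high":
            users_on_high |= app.users
    return {
        "by_risk": by_risk,
        "users_on_high_risk": len(users_on_high),
        "full_gmail_apps": sum("https://mail.google.com/" in a.scopes for a in apps.values()),
        "full_drive_apps": sum("https://www.googleapis.com/auth/drive" in a.scopes for a in apps.values()),
    }


# Constructed sample: three users' tokens.list bodies (client IDs and names are made up).
SAMPLE_TOKEN_LISTS = {
    "alice@example.com": {"items": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "Mail Merge Helper",
         "scopes": ["https://mail.google.com/", "openid"], "anonymous": False},
        {"clientId": "222.apps.googleusercontent.com", "displayText": "Doc Viewer",
         "scopes": ["https://www.googleapis.com/auth/drive.readonly"], "anonymous": False},
    ]},
    "bob@example.com": {"items": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "Mail Merge Helper",
         "scopes": ["https://mail.google.com/", "openid"], "anonymous": False},
        {"clientId": "333.apps.googleusercontent.com", "displayText": "Anon Sync",
         "scopes": ["https://www.googleapis.com/auth/drive"], "anonymous": True},
    ]},
    "carol@example.com": {"items": [
        {"clientId": "444.apps.googleusercontent.com", "displayText": "Sign-in only",
         "scopes": ["openid", "email"], "anonymous": False},
    ]},
}

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_TOKEN_LISTS)
    for app in inventory.values():
        decision, rule = decide(app)
        print(f"{app.name:18} risk={app.risk:6} users={len(app.users)} -> {decision} ({rule})")
    print(summarize(inventory))
```

The same grading applies to Microsoft 365: a Graph `oauth2PermissionGrants` entry carries its delegated scopes as a single space-separated `scope` string, so splitting that string and feeding the result through an equivalent scope table gives you one inventory across both environments. The policy list is the part to re-run continuously: because `risk` is derived from the current scopes and user set, a later `tokens.list` pass that shows an app's scopes have grown will change its decision without any manual re-assessment.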
The SaaS-app and extension landscape is constantly changing and growing. Between poorly built apps, shadow IT, configuration complexity, and more, managing the risk properly can feel overwhelming. Asking and answering these questions should help you on the way to a better-secured environment.