We are at a point where we can no longer afford to sit by and speculate what impact the adoption of SaaS apps will have on the enterprise. We need to recognise that employees are already using these applications on a daily basis, and oftentimes without the help, visibility or consent of IT.
While the benefits of using a SaaS delivery model for applications are many, one of the biggest value props of SaaS – no traditional deployment required – also creates one of its biggest challenges: security. This is particularly true when employees are using SaaS applications to share proprietary corporate data outside of IT’s purview.
In fact, SailPoint’s annual Market Pulse Survey of 1,000 employees at large organisations found that almost 20% of employees purchased a cloud application for work without involving their IT departments.
Highlighting the risks that cloud apps present, the survey also found that one in five employees openly admitted that they have uploaded proprietary corporate data to a SaaS app, like Dropbox or Google Docs, with the specific intent of sharing it outside of the company.
But perhaps the most alarming finding in the survey was that not only are employees sharing mission-critical data via SaaS applications, but 66% of employees were able to access those very same cloud storage applications after leaving their jobs.
Companies want employees to have access to business applications in order to maximise efficiency and productivity. However, this ‘bring your own app’ phenomenon, where employees are purchasing and using cloud apps without IT’s involvement, exposes companies to significant risks.
When corporate data that is typically kept under lock and key behind the firewall is suddenly being shared in cloud applications outside of IT’s purview, it creates a significant blind spot.
If IT doesn’t know about the application, how can they be responsible for knowing when to shut down that access? Even if business managers understand corporate policies, it’s not enough to “hope” they’ll pay attention to shutting down access to a SaaS application.
An example of this would be the use of Salesforce. It’s very common for a marketing or sales GM to purchase, deploy and manage an app like this. Certainly, IT eventually finds out about it, but often a marketing person owns the task of managing the access privileges to very sensitive data, and that person probably isn’t focused on deprovisioning access as soon as an employee leaves.
Leaving mission-critical data exposed like this can lead to a myriad of risks from the organisation’s own employees. By the very nature of the data and applications that employees need the ability to access on a daily basis to do their jobs, “insiders” can pose significant risk if their access is not managed properly.
Internal breaches can stem from both intentional and unintentional actions by employees, contractors and partners, including brazen theft, accidental exposure and attackers using a legitimate user’s credentials. Any of these breaches could expose a list of customers’ personal information, leak proprietary corporate data, or hand a customer list to a competitor. An insider attack can cost a company millions of dollars, on top of a damaged reputation.
The good news is that most of these same organisations already have good security and compliance programmes in place for what is housed on-premises. They just need to ensure they are bringing the SaaS environment into that strategy so that they know “who has access to what” at any time, anywhere and through what device.
An IAM strategy can facilitate access to cloud and web applications anytime, anywhere, via any device, while giving IT the control and visibility today’s enterprises need. It lets the organisation automate the processes behind ‘who has access to what’ by applying strong, consistent controls over user access to business-critical applications and data.
To have a truly holistic identity strategy, though, SaaS applications must be managed in context with other enterprise assets, not as a siloed application space.
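The ‘who has access to what’ check the article calls for, as an added example that is not the article’s or SailPoint’s own code: it joins an HR leaver list against per-application SaaS user exports and flags accounts that should have been deprovisioned, or that have no HR record at all. The roster, the application exports and the e-mail addresses are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: HR system of record (status + leaving date).
HR_ROSTER = {
    "alice@example.com": {"status": "active", "left": None},
    "bob@example.com": {"status": "terminated", "left": date(2024, 3, 1)},
    "carol@example.com": {"status": "terminated", "left": date(2024, 5, 15)},
}

# Constructed sample data: user exports pulled from each SaaS application.
SAAS_EXPORTS = {
    "salesforce": [
        {"email": "alice@example.com", "active": True, "last_login": date(2024, 6, 1)},
        {"email": "bob@example.com", "active": True, "last_login": date(2024, 4, 2)},
    ],
    "dropbox": [
        {"email": "carol@example.com", "active": True, "last_login": date(2024, 5, 20)},
        {"email": "dave@example.com", "active": True, "last_login": date(2024, 6, 3)},
        {"email": "erin@example.com", "active": False, "last_login": date(2024, 1, 9)},
    ],
}


@dataclass(frozen=True)
class Finding:
    app: str
    email: str
    reason: str  # no_hr_record | terminated_still_active | terminated_used_after_exit


def reconcile(roster, exports):
    """Flag every active SaaS account that HR says should not exist."""
    findings = []
    for app, users in exports.items():
        for user in users:
            if not user["active"]:
                continue  # already disabled in the app; nothing to do
            record = roster.get(user["email"])
            if record is None:
                findings.append(Finding(app, user["email"], "no_hr_record"))
            elif record["status"] == "terminated":
                # A login after the leaving date is the strongest signal.
                used_after = user["last_login"] > record["left"]
                reason = "terminated_used_after_exit" if used_after else "terminated_still_active"
                findings.append(Finding(app, user["email"], reason))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, SAAS_EXPORTS):
        print(f"{f.app}: {f.email} -> {f.reason}")
```

In practice the roster comes from the HR feed and the exports from each application’s admin API or SCIM endpoint; the reconciliation logic is the same.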
Sourced from Kevin Cunningham, president and founder of SailPoint