The Software-as-a-Service (SaaS) market is currently growing by an estimated 18% each year, and reliance on SaaS apps is increasing rapidly. In 2017, the average number of SaaS tools used by organizations worldwide was just 16, but it had jumped to 80 in 2020 – growth that was undoubtedly driven by the pandemic and the accompanying rise in home and remote working. In 2021, the average number of SaaS apps per business was 110.
Choosing SaaS applications over traditional software options has many benefits for businesses, the first of which is affordability. Using SaaS apps turns what could be a large capital expense into a smaller, more manageable operating expense. You save time on installation and configuration, and bug fixes and updates can be applied to SaaS apps as and when they become available. There is also the benefit of easy access as you can log into your SaaS platform from almost anywhere in the world with an internet connection.
However, there is a price to pay for the convenience offered by SaaS apps: because of the Shared Responsibility Model used by most SaaS providers, it’s the user who’s responsible for the safety and security of the data they store on each application, not the providers themselves.
This becomes more complex when we consider that SaaS platforms can merge with other businesses, change direction or disappear completely – taking your data with them, and making your business vulnerable to cyber threats. It’s vital that you know exactly what data you have on each SaaS platform, and that you have protection in place for all your SaaS-based data.
‘Ghost SaaS’ and ‘shadow SaaS’ – how do they threaten your data?
What is ‘ghost SaaS’?
When SaaS providers merge with other businesses, change the service they offer, or cease to operate completely, the problem of ‘ghost SaaS’ is created – and this generates a security risk for users’ data. A SaaS service may no longer exist but its domain might still be active, and if that domain is acquired by a new owner, any data on the now-defunct platform is exposed, leaving organizations vulnerable.
What is ‘shadow SaaS’?
Shadow SaaS refers to the use of apps that have not been approved by an organization’s IT team. It’s usually driven by employees trying to be more efficient and productive – if none of the existing tools do what employees need them to do, it’s very easy to go online and find a SaaS service to help. For example, if a project management tool is needed, there’s Trello or Asana. Often, you only need a credit card in order to start using a SaaS app – and sometimes, not even that.
To further compound the problem of shadow SaaS, there is a persistent belief that services from leading SaaS providers like Microsoft will be safe and secure, but this isn’t always true – and in any case, we should never assume services are safe without checking carefully first. In simple terms, the problem caused by ‘shadow SaaS’ is this: if you don’t know what tools and services your staff are using, you don’t know where you have sensitive data that needs to be backed up and secured.
How to secure your SaaS apps
- Complete a SaaS audit. Review and list all the SaaS applications used by your organization and check whether they’ve changed their ownership or services. If you have doubts about the security of any apps, stop using them, remove your data, and find a different, secure replacement service. When completing your audit, you’ll need to communicate with employees to find out what tools and services they are currently using and what they need in order to work efficiently.
- Enhance your existing SaaS security. Consider using a SaaS Security Posture Management (SSPM) tool to automate the protection of your systems and networks. SSPM tools detect issues like SaaS app misconfigurations, unused accounts, unnecessary user rights and other security issues.
- Educate your employees. One of the best ways to protect the data you have on SaaS apps is to provide IT security training and to educate your employees about the risks of using unapproved apps and services.
- Implement ‘least privilege’ access and 2-factor authentication (2FA) across all apps. Each user of an app or SaaS service should only have the minimum necessary entitlements – in other words, they should only have access to do what they need to do to complete their own work. 2FA makes app usage more secure as it requires two different pieces of information from a user in order to sign them into an app, e.g., a password and a fingerprint.
- Put external backup in place. If you don’t already have a backup service provided by a third party, you should implement this as a matter of urgency. Choose a provider like us that will back up your SaaS data and encrypt it at rest with the highest-grade protection. External backup protects your SaaS data and ensures you can still access what you need with minimal interruption to your business, even if a SaaS platform you’re using ceases to function.
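The audit, least-privilege and 2FA steps above can be run as one pass over an app inventory. The sketch below is an added example, not part of the original article: the domains, users, field names and thresholds (90 days, one admin) are constructed assumptions, and the `registered` date is assumed to come from a separate domain-registration lookup.

```python
from datetime import date

# Constructed inventory: apps IT has approved, with the date each was adopted.
APPROVED = {
    "tracker.example": date(2019, 3, 1),
    "notes.example": date(2018, 6, 15),
}

# Constructed observations, e.g. merged from SSO logs and expense reports.
# "registered" is the domain's current registration date (assumed input).
OBSERVED = [
    {"domain": "tracker.example", "registered": date(2015, 1, 10),
     "users": [{"name": "ana", "mfa": True, "admin": True, "last_login": date(2024, 5, 2)},
               {"name": "raj", "mfa": False, "admin": True, "last_login": date(2023, 1, 9)}]},
    {"domain": "notes.example", "registered": date(2023, 11, 20), "users": []},
    {"domain": "boards.example", "registered": date(2012, 4, 4),
     "users": [{"name": "lee", "mfa": True, "admin": False, "last_login": date(2024, 5, 20)}]},
]

def audit(approved, observed, today, stale_days=90, max_admins=1):
    """Return (domain, finding) pairs for the risks described in the article."""
    findings = []
    for app in observed:
        d = app["domain"]
        adopted = approved.get(d)
        if adopted is None:
            findings.append((d, "shadow: in use but not approved by IT"))
        elif app["registered"] > adopted:
            # Registration newer than our adoption date: the domain lapsed and
            # was re-registered, possibly by a new owner (ghost SaaS).
            findings.append((d, "ghost: domain re-registered after adoption"))
        for u in app["users"]:
            if not u["mfa"]:
                findings.append((d, f"no 2FA: {u['name']}"))
            if (today - u["last_login"]).days > stale_days:
                findings.append((d, f"unused account: {u['name']}"))
        admins = sum(u["admin"] for u in app["users"])
        if admins > max_admins:
            findings.append((d, f"least privilege: {admins} admins"))
    return findings

if __name__ == "__main__":
    for domain, finding in audit(APPROVED, OBSERVED, today=date(2024, 6, 1)):
        print(f"{domain}: {finding}")
```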
For help and support with securing your SaaS apps or to arrange a free 7-day trial, contact us today. We’ll take care of your data while you take care of the rest of your business.