The Vast Majority of SaaS Apps Are Adopted And Managed By Individuals and Business Units, Not IT
82% of SaaS Apps are Adopted by Business Users - What Does It Mean for Security?
Zylo, a leader in SaaS Management Platforms, recently released their 2023 SaaS Management Index Report. In it, Zylo researchers provide data, trends and actionable insights from their database of SaaS spend, license and usage data. The most notable of these findings is that a staggering 69% of SaaS spend and 82% of SaaS apps by number are adopted and managed by individuals or business units, not IT.
This is not surprising to the Valence Security team, as we typically find thousands of employee-owned applications and SaaS-to-SaaS integrations (and their associated misconfigurations) when we do our initial security assessments with our customers. These apps and integrations often fly under the security team’s radar, circumventing security review and ongoing management.
Given this decentralized state of SaaS adoption and management and the increased risks it poses, it ultimately makes sense to decentralize risk remediation as well. The two keys to this are automation and collaboration.
Automation is critical since most CISOs and their teams are stretched thin with their budgets and resources. They don’t want visibility into their SaaS risks (yet another attack surface to worry about) unless it comes with the ability to quickly remediate them in a way that doesn’t require additional personnel, time or skill sets.
Valence Security provides automated remediation workflows that can, depending on the security team’s processes, either fully or partially automate the remediation of risks based on easy-to-set policies. These risks can include misconfigurations, overly-privileged SaaS-to-SaaS integrations, ungoverned external data shares, and users who are unmanaged by the corporate identity provider or who don’t have security guardrails like MFA in place.
It is also important for security teams to be able to engage with business users to better understand the context in which those users are adopting and using SaaS applications and SaaS-to-SaaS integrations. This avoids a situation where security decisions are made without business user input, which can disrupt business continuity and the fast pace of SaaS adoption.
Valence Security’s automated workflows enable security teams to collaborate with business users to identify and reduce risks. By simply asking users to either remediate risks themselves or provide the business context, the security team can understand the business case without disrupting the business. This creates opportunities for security teams to build a reputation as business enablers, not blockers. Educating business users on SaaS security hygiene best practices sets up both parties for success.
Zylo researchers also found that the total number of SaaS applications of all types is growing rapidly, with the average organization adding six apps to their portfolio every month. This suggests a highly dynamic SaaS environment. As new applications are added each month, the risk that comes with new SaaS-to-SaaS integrations, data shares, users, and potential misconfigurations grows as well.
As a result, security teams need solutions that go beyond a one-time snapshot of their organization’s SaaS risk posture and instead provide continuous visibility into their ever-changing SaaS ecosystem and continuous remediation of those risks, something that the Valence platform was designed to provide.
Finally, this rapid growth in organizations’ SaaS ecosystems also results in unused SaaS licenses that are costing each organization a staggering $17 million per year on average, according to researchers at Zylo.
When employees leave an organization, SaaS applications and integrations are often abandoned. Perhaps they have outlived their usefulness, or it didn’t occur to employees to offboard apps and integrations after an unsuccessful POV. This scenario adds to this unnecessary cost and expands the organization’s attack surface.
Valence enables security teams to quickly eliminate unused SaaS applications and integrations, reduce external data oversharing, adjust user privileges, or remove unused user accounts directly from the Valence UI, thereby saving money and reducing risk.