Today, DoControl released the latest findings in what will be an annual data report on Software as a Service (SaaS) security risk. Our data analytics team, together with an external third-party consultancy, aggregated the report findings from a subset of companies for which an audit of SaaS data access control and exposure was performed. The findings were compiled from audits of a cross-section of companies ranging in size from medium-sized businesses to large enterprises.
This report reveals how SaaS application data overexposure becomes a problem at scale. SaaS applications help both streamline and drive business enablement. Modern businesses become more agile. Employees are empowered to get their work done in an efficient way. Communication and collaboration for hybrid and remote working have never been easier.
Organizations are able to go to market at a much faster rate. But as with any piece of technology that becomes integrated into the stack, there is always some level of risk introduced. This report helps expose that risk so organizations can benchmark themselves against similar-sized businesses and prioritize the need to establish a SaaS data access security program.
The report quantifies the risk modern organizations face and categorizes five specific threat models for a comprehensive view of the SaaS threat landscape. The threat models highlight both human and machine identity access to business-critical applications and data, including insider threat, internal vs. external actors and access, third-party to fourth-party sharing, outdated permissions, and third-party OAuth applications.
Among the key data points in the report for large companies:
- Average of 2,775,000 SaaS activities per week involving nearly 55,750 SaaS assets
- Average of 1,773 SaaS assets per employee within the SaaS estate
- 5.5 million assets spread across business-critical SaaS applications on average
- 94,455 assets stored in SaaS applications are shared publicly
- 61% of companies have employees who have shared company-owned assets with their personal email
- 78% of large companies have encryption files stored in Google Drive/Workspace
- 241 4th-party domains (unapproved) on average have access to SaaS assets
- 67% of all companies have lingering access to assets that are more than 5 years old that are stored in Google Workspace
- Microsoft has an average of 743 third-party application integrations
- Google has an average of 81 third-party application integrations
Assess Your Risk, Then Build an Effective Mitigation Strategy
In the world of SaaS, security automation is not a ‘nice to have’ – it’s foundational. SaaS risk scales in line with utilization. The more the company grows, the more applications (both sanctioned and unsanctioned) enter the fold. Data is generated in high volume and is accessible to a wide range of different personas (e.g. internal employees, external collaborators, third-party vendors, partners, customers, former employees – the list goes on). Every identity carries a different level of risk. Understanding your risk exposure is the first place to start.
This report should ultimately serve as a starting point to assess organizational risk. We break down each business-critical application from the audit, and highlight the risk of each application which is driven by workflow execution. Taking a manual approach or relying on existing legacy technologies to address this problem is unrealistic. We provide IT and Security teams with the tools they need to help build the business case for a unified approach to securing their SaaS estate.
The Time to Get Started was Yesterday
Both security practitioners and leaders are tasked with managing risk. When you look across the technology stack, the risk is wide-ranging and hard to manage effectively. SaaS is no exception to this reality. We invite you to join us in our upcoming webinar where we will double click into this report, as well as highlight anonymized POV examples where we’ve exposed SaaS risk for industry-leading companies.