SaaS Ecosystem Complexity Ratcheting Up Risk of Insider Threats

Even with common security platforms like CASBs, organizations struggle to deal with the volume of apps and accounts that interact with business-critical data.

Dark Reading logo in a gray background | Dark Reading

The pressure of increasing software-as-a-service (SaaS) deployments in the enterprise and the complexity of administering accounts across a varied cloud environment is ratcheting up the risk of insider threats. A new study out this week shows IT and cybersecurity professionals are struggling to stem the tide of negligent and malicious insider incidents in this era of pervasive cloud sharing, even when they use common security tools like cloud access security brokers (CASBs).

And while maintaining privacy of customers' personally identifiable information still remains a concern, the greater bulk of cloud-based insider risk revolves around business-critical data. So says the "2019 State of Insider Threats in the Digital Workplace" report, released Wednesday by BetterCloud, which shows almost half of IT leaders believe the rise of SaaS makes them most vulnerable to insider threats today. 

Based on a survey of approximately 500 IT and cybersecurity professionals, along with internal security data at more than 2,000 organizations, the report finds 92% of organizations with more than a quarter of their mission-critical apps in the cloud feel vulnerable to insider threats. Of those SaaS vectors that open them up to insider issues, respondents overwhelmingly name cloud storage and email as the biggest challenges — 75% report these to be the breeding ground of the biggest insider threat risks.

Some of the biggest challenges organizations face when it comes to securing data and applications in SaaS ecosystem is the sheer volume and dynamic nature of applications and account connections in play. Another recent report, the "2019 Annual SaaS Trends Report," by Blissfully, examines SaaS trends across nearly 1,000 companies and finds overall SaaS spending increased by 78% last year.  

At this point, companies now spend more on SaaS than they do on equipping employees with laptops. But, unlike laptops, SaaS vendors can be switched out with very little friction, which means the makeup of any given company's SaaS stack is always in flux. The typical midsize company has seen 39% of its SaaS stack change in the last year, according to the SaaS report. What's more, for every new SaaS app added or changed in an organization's ecosystem, the headache around managing account connections multiplies.

Take the typical organization with 200 to 501 employees. This kind of company uses an average of 123 SaaS apps, according to Blissfully. It sounds manageable, but across those the typical company of that size must keep tabs on an average of 2,700 app-to-person connections. That doesn't even account for the app-to-app connections that start to come into play when SaaS apps are integrated through APIs. 

This pervasiveness and complexity is why so many larger organizations still struggle so mightily to take control over how users interact with and share data in SaaS apps today. After all, SaaS security is hardly a new topic — security strategists have been warning about data security in SaaS for a decade now. While the rise of the CASB has helped many organizations mitigate a lot of their SaaS security risks compared with the early days, this latest insider threat report shows 95% of stakeholders at companies that use a CASB still feel vulnerable to insider threats. The reasons cited for why include the escalating freedom of SaaS users that enable unchecked decentralization of SaaS, blind spots in SaaS security created by new interactions between apps, and the growing complexity of managing configurations and file permissions.  

Plus, whereas in the past cloud and SaaS security was usually a compliance or regulatory concern, BetterCloud's insider threat report shows that 57% of organizations say insider cloud risks are highest around data fundamental to the existential viability of the business. This includes confidential business information and intellectual property. 

According to other recent reports, the pressure is only going to increase. Last month a joint report from Oracle and KPMG found almost half of IT and cybersecurity professionals expect to store the majority of their data in the cloud by 2020. In addition, 92% of organizations said they are concerned about employees following cloud policies to protect that data, and 82% are still so unclear about the shared responsibility model of security that they've experienced a security event as a result. 

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

About the Author

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights