Offering employees choices to combat SaaS sprawl
The ease with which employees can sign up for unsanctioned cloud services continues to haunt security operations teams. Call it cloud sprawl, SaaS sprawl, or identity sprawl — all variations on the same theme: Workers or departments signing up for unmanaged cloud services that businesses might not even know about, resulting in redundant services, unmanaged subscriptions, and security debt. In 2023, companies used an average of 112 different software-as-a-service (SaaS) applications, down slightly from the 2022 peak of 130, and those are conservative estimates.
SaaS sprawl is both an IT management and a security problem: it is shadow IT in its cloud-native form. CISOs increasingly recognize the issue, but the steps they take often turn their employees into adversaries rather than allies.
Here are three ways that businesses can tame their SaaS sprawl.
1. Gain visibility into employees' SaaS choices for security and privacy governance
To paraphrase the adage, "You can't manage what you don't measure." A company that does not know how many SaaS services its employees use has already lost the battle to secure its data. The Snowflake customer compromises are a case in point: attackers signed in with stolen customer credentials, and approximately 165 organizations were potentially exposed because many of them had not made multi-factor authentication (MFA) or single sign-on (SSO) a mandatory control for access to their most sensitive data.
Another key challenge in gaining visibility into SaaS usage is when employees use personal devices for work. This practice significantly reduces IT’s ability to track and control which applications are in use, increasing security risks and making it harder to understand the true scale of the SaaS sprawl.
The problem is worse with unknown services and edge-case SaaS usage. About one in every five employees is using a SaaS service that no one else in the company uses. In total, such single-user SaaS services account for 41 percent of all services used by a business, according to one security study.
Analyzing centrally managed credential stores and logs, such as the identity provider's sign-in records, the corporate password manager, and web proxy or DNS logs, can reveal which workers are accessing which cloud applications. Larger enterprises may want a more SaaS-focused technology, such as a cloud access security broker (CASB), a Secure Access Service Edge (SASE) solution, or a web-filtering gateway.
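The log analysis described above, as an added example that is not part of the original article. It reads constructed web proxy log lines in an assumed format (timestamp, user, destination host, status), maps hosts to applications with a hypothetical lookup table of the kind a CASB or curated list would supply, and reports two findings from the discussion: applications not on the sanctioned list, and single-user applications. Unknown hosts are kept under their own name rather than dropped, since an unmapped destination is exactly the edge case the inventory exists to surface.

```python
"""Build a SaaS inventory from proxy log lines (constructed sample data).

Assumed log format (hypothetical, one request per line):
    <ISO timestamp> <user> <destination host> <HTTP status>
"""
from collections import defaultdict
import re

# Constructed sample log lines; not from any real system.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice@example.com app.slack.com 200
2024-05-01T09:01:12Z bob@example.com app.slack.com 200
2024-05-01T09:02:44Z carol@example.com www.notion.so 200
2024-05-01T09:03:05Z dave@example.com app.trello.com 200
2024-05-01T09:03:09Z dave@example.com api.trello.com 200
2024-05-01T09:04:30Z erin@example.com account.snowflakecomputing.com 200
2024-05-01T09:05:00Z alice@example.com drive.google.com 200
2024-05-01T09:06:21Z bob@example.com drive.google.com 200
2024-05-01T09:07:00Z frank@example.com upload.filedrop.example 200
this line is malformed and must be skipped
2024-05-01T09:08:13Z carol@example.com app.slack.com 200
"""

# Hypothetical host-to-application map; a CASB or curated list would supply this.
HOST_TO_APP = {
    "app.slack.com": "Slack",
    "www.notion.so": "Notion",
    "app.trello.com": "Trello",
    "api.trello.com": "Trello",
    "account.snowflakecomputing.com": "Snowflake",
    "drive.google.com": "Google Drive",
}

# Hypothetical sanctioned list: the apps IT has put behind corporate SSO.
SANCTIONED = {"Slack", "Google Drive", "Snowflake"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_log(text):
    """Yield (user, host) pairs from log text; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3)


def build_inventory(pairs, host_to_app):
    """Map application name -> set of distinct users seen using it.

    Hosts absent from the map are kept as 'unknown:<host>' so that
    unrecognized services show up in the inventory instead of vanishing.
    """
    inventory = defaultdict(set)
    for user, host in pairs:
        inventory[host_to_app.get(host, f"unknown:{host}")].add(user)
    return dict(inventory)


def classify(inventory, sanctioned):
    """Return the findings a security team acts on.

    'single_user' is reported separately from 'unsanctioned': a sanctioned
    app with one user is still a governance question (who owns it, is it
    behind SSO), while an unsanctioned app with many users is a sign that
    the sanctioned catalog is missing something people need.
    """
    unsanctioned = sorted(app for app in inventory if app not in sanctioned)
    single_user = sorted(app for app, users in inventory.items() if len(users) == 1)
    share = round(len(single_user) / len(inventory), 2) if inventory else 0.0
    return {
        "total_apps": len(inventory),
        "unsanctioned": unsanctioned,
        "single_user": single_user,
        "single_user_share": share,
    }


def main():
    inventory = build_inventory(parse_log(SAMPLE_LOG), HOST_TO_APP)
    for app, users in sorted(inventory.items()):
        flag = "" if app in SANCTIONED else "  <-- not sanctioned"
        print(f"{app:32} {len(users)} user(s){flag}")
    print(classify(inventory, SANCTIONED))


if __name__ == "__main__":
    main()
```

On the sample data the script finds six applications, of which four are single-user, which is the same order of magnitude as the 41 percent figure quoted above. Snowflake appears in the single-user list even though it is sanctioned, which is the point of reporting the two lists separately: the next question for that entry is whether the one account using it is enrolled in SSO and MFA, not whether to block it.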
2. Point employees toward sanctioned solutions
For nearly half of companies, the most significant SaaS concern is either securing the entire cloud-app attack surface or controlling the sprawl of SaaS apps. Both come down to the same goal: reducing the attack surface.
Many companies try to ban employees from using specific services, or any service not on a list of pre-approved vendors. Some friction that makes it harder to adopt non-approved SaaS apps is useful, but an outright ban pushes usage out of sight and is a sure way to create a culture of asking forgiveness rather than permission.