Looking back at a recent Gartner Security & Risk Summit, a recurring theme was the SaaS Tsunami — the security and compliance issues that arise from the surprisingly large number of SaaS apps in use at companies — and how to address it.
To understand the SaaS Tsunami, ask yourself this question: How many SaaS apps is my organization using?
Do you think it’s 25? 100?
Turns out it’s a staggering 600 to 1000 SaaS apps in use at a typical company, based on Gartner research by analysts Neil MacDonald and Craig Lawson. Even at OneLogin — not a huge firm — we use nearly 300 SaaS apps.
Since IT knows about only 7% of these apps, that means that there are several hundred applications that IT doesn’t know about. Naturally, this poses a huge security challenge for companies. Each of those apps contains unmanaged corporate data that IT has no control over, has zombie accounts that provide ex-employees access and waste budgets, and can violate industry regulations.
Given this, Gartner analyst Jay Heiser explained that SaaS should comprise 90% of your cloud vendor management efforts. He adds that the challenges of the SaaS Tsunami are getting worse as new companies enter the market daily. This is because there are few barriers to entry for SaaS companies, thanks to high productivity developer tools, inexpensive Infrastructure as a Service (IaaS) from Amazon and others, and subscription billing services to underpin revenue. As a result, much of the SaaS application adoption isn’t for “birthright” apps, such as email and file sharing, that every employee uses and IT knows about. Instead, it’s for apps that address specific industry and functional niches that a small number of employees need in order to be more productive.
This highlights the flip side of the SaaS Tsunami: value creation. Employees use these apps to get their jobs done faster. In this sense, the SaaS Tsunami is an aspect of what Gartner calls Mode 2 IT: the part of IT that is more experimental, agile, and business-centric.
To sum up, the SaaS Tsunami isn’t a fringe phenomenon you can ignore. It’s rampant, growing, and carries significant risks — but you can’t and shouldn’t try to get rid of it.
Surviving the Tsunami
So how do you get a handle on the SaaS Tsunami? There are a few strategies we heard:
- Check your corporate credit card statements and expense filings to find SaaS application subscriptions, suggests Jay Heiser, since almost no one uses a SaaS app and doesn’t expense it. (Interestingly, no one named an app that could scan this data to discover SaaS subscriptions. If someone builds this, it will be perhaps the most ironic addition to the SaaS Tsunami.)
- Use a Cloud Access Security Broker (CASB), explains Neil MacDonald, such as OneLogin partners CloudLock or Skyhigh, which are often implemented as forward- or reverse proxies, sitting between cloud service consumers (browsers, mobile apps) and Cloud Service Providers to reveal which SaaS apps are being used.
- Promote the productivity benefits of Identity as a Service (IDaaS) to your employees, suggests Gartner analyst Erik Heidt, and encourage them to tell IT about new SaaS subscriptions so that they can be added to your organization’s Single Sign-on (SSO) app catalog. Employees hate having to remember passwords for all the SaaS apps they use, and Single Sign-on lets them login once to get access to a range of applications — a huge timesaver for employees over the course of a day. The convenience of SSO can be the hook that IT uses to bring SaaS apps out of the shadows.
- Use IDaaS to bring compliance to the Tsunami. Once SaaS apps are accessed via an IDaaS, you can require that users access them via strong passwords, changed regularly (say, monthly or quarterly), and use multifactor authentication when coming from an atypical location.
When considering an IDaaS provider, it’s important to consider whether it can help you tame the long tail of SaaS apps in your organization by asking, how many apps does it work with?
This is an area we’ve put extensive effort into at OneLogin. Our app catalog has connectors to over 4000 apps, and our recently-acquired Portadi machine learning technology provides Single Sign-on to over 90% of web apps, even those not in our catalog. In the unlikely event that your app isn’t covered by our existing catalog or Portadi technology, we make it possible for someone with a basic understanding of HTML and regular expressions to build custom connectors in minutes.
Gartner’s advice around the SaaS Tsunami is well-summarized by conference keynote speaker Colin Powell, who explained on Tuesday that “risk is where opportunity lives”. The SaaS Tsunami contains risks for which we need to prepare, but also provides opportunities for increased agility and productivity.