[By Adam Gavish, CEO and Co-Founder DoControl]
Google Drive. Slack. Microsoft 365.
They’re the SaaS apps we use on a daily basis to keep our business workflows running smoothly, efficiently and… securely?
Maybe not. Yet.
DoControl’s recently released The State of SaaS Data Security 2024 report revealed a striking picture of ballooning SaaS asset and user numbers alongside security gaps that open the door to exploitation.
The report, based on data from DoControl’s survey and analysis of the SaaS environment of companies with over 1,000 employees, points to incredible SaaS asset growth. Companies started, on average, with 7.9M SaaS assets at the beginning of 2023 and created 14.9M more assets over the course of the year. If this annual asset growth rate of 189% continues, by the end of 2026 the average company will have about 550 MILLION SaaS assets.
Many of these assets contain sensitive data, ranging from strategic business information, like budgets and product roadmaps, to highly regulated data such as client lists and employee details. When the right parties can access this data at the right time, all is well.
But when a former employee accesses company assets two years after their termination, or a departing executive shares dozens of sensitive assets with a personal email address, all is decidedly not well. And these are distressingly common phenomena. 9 out of 10 companies analyzed in the report had former employees who accessed assets stored in company SaaS applications after they left the company.
All is not well, moreover, when parties are given access to data they do not need and should not have. This is very easy to inadvertently do in SaaS applications. So easy, in fact, that by the end of 2023, the average company had 2.1M sensitive assets exposed company-wide, creating a clear lack of ethical walls within the organization. In addition, the average company had 35K sensitive assets exposed publicly, inviting theft of business secrets and regulatory compliance penalties.
Ease of asset sharing also means that company data can quickly make its way far from the organization. The number of new third-party insiders created over the course of 2023 by the companies analyzed, and the scope of assets shared by those third parties to their own contractors and partners is eye-opening. Ever-widening concentric circles of sharing and collaboration makes it too easy to lose control of your SaaS assets – unless you have the proper safeguards in place.
The State of SaaS Data Security 2024 report highlights the need to consider not only the human actors who have access to your SaaS environment, but also the non-human ones. Third-party apps are one of the productivity boosters of SaaS – but why should an app have more permissions than it needs for its function? And yet they do: 64% of active third-party OAuth apps are over-permissioned.
Even when an app does its job – and only its job – if it sticks around after its job is done it becomes an unnecessary risk. But while users will eagerly add apps that they think will help productivity, remembering to remove them is a different story. 90% of the third-party apps DoControl noted in their analysis had not been used in over 30 days!
An additional factor complicates keeping on top of security in the SaaS environment: the general trend across industries toward reducing information security headcount. Especially if organizations are still taking a manual approach to SaaS data security – which, in light of the rate of increase of SaaS assets and users, becomes ever more futile – fewer information security team members makes the attempt even more challenging.
There’s no going back on SaaS usage – and, overall, that’s a good thing. The benefits to productivity and efficiency are undeniable. But The State of SaaS Data Security 2024 report is a valuable reminder that SaaS data security innovation must keep pace with SaaS innovation in order for companies to net positive on their SaaS investment.
Bio:
Adam Gavish is the Co-Founder and Chief Executive Officer of DoControl. Adam brings 15 years of experience in product management, software engineering, and network security. Prior to founding DoControl, Adam was a Product Manager at Google Cloud, where he led ideation, execution, and strategy for Security & Privacy products serving Fortune 500 customers. Before Google, Adam was a Senior Technical Product Manager at Amazon, where he launched customer-obsessed products to improve the payment experience for 300M customers globally. Adam has also been a Software Engineer in two successfully acquired startups, eXelate for $200M and Skyfence for $60M. Adam is a lifetime information geek, breaking down business and technical problems into components to generate long-term learning. He loves running outdoors, playing with LEGOs with his son, and watching a good movie with his wife. Adam holds a B.S. in Computer Science from the Academic College of Tel-Aviv Yafo and an MBA from the Johnson Graduate School of Management at Cornell University.
