Cloud computing has been nothing short of a revolution in business. The positive aspects of accessing applications from anywhere, at any time, have allowed companies to grow and innovate. Today, organizations embrace applications delivered using a Software-as-Service (SaaS) model. However, several elements of SaaS have come together to cause SaaS sprawl. These include the mass availability of apps and subscription models that make purchase more affordable and easier. This situation has led to an increase in unmanaged SaaS adoption, and consequently, SaaS sprawl. Uncontrolled and unmanaged apps have, in turn, led to poor access governance, increased data risk, and security gaps. 

AccessOwl discusses how Saas sprawl occurs, the risks it brings to an organization, and how those risks can be managed.

How does Saas sprawl happen?

Businesses have been able to dip into a sea of SaaS applications since cloud computing provided the conditions for a SaaS environment. Data from Statistica demonstrates the surge in uptake of apps. In 2015, the average number of SaaS apps used per organization was 8. By 2022, this number had soared to 130 SaaS apps per company. The business-led IT movement, where business units purchase apps without using the formal IT procurement process, is behind much of the increase in SaaS usage. However, the proliferation of apps in the enterprise is a SaaS management, governance, and security challenge. Apps are generally sourced on an individual department basis and are often even brought into an enterprise by individuals. The result is a need for more oversight of apps used to create and share sensitive company and customer data. 

Companies with gaps in app visibility are exposed to security breaches, poor workflow processes, and regulatory non-compliance.

How is SaaS sprawl related to shadow IT?

Shadow IT describes applications that are not sanctioned by a company, yet are still being used for business purposes. A recent report found that 65% of SaaS apps are unsanctioned. End users’ adoption of "dark apps" may seem innocent, but it leaves an organization vulnerable on many levels.

Shadow IT apps enter the enterprise when departments purchase them without first checking with IT. This often creates duplication and unnecessary licensing costs. Individual employees may also choose to use an app with poor security. The security implications alone are causing concern. A 2023 Capterra study found that 76% of small to medium-sized organizations were concerned that shadow IT apps made them vulnerable to cybersecurity threats.

Shadow IT exacerbates Saas sprawl. IT administrators, security professionals, and the C-Level do not know which, if any, shadow IT apps are being used, allowing Saas sprawl to continue unabated.

Read more on the dangers of Shadow IT and how to avoid them.

How does Saas sprawl impact the enterprise?

Saas sprawl is an insidious problem. Not knowing where SaaS data is being created, with whom it’s being shared, and who currently has access to it is a security nightmare. The impact of Saas sprawl on the enterprise covers many critical areas, including:

Poor visibility and lack of governance

You can’t control what you don’t know about. Out-of-control SaaS adoption can be invisible to IT when there’s no centralized management system in place. Shadow IT exacerbates this problem. SaaS apps can quickly become uncontrollable, leaving IT with little or no governance over the apps’ usage, output, or accessibility.

Duplication and training

Out-of-control app purchases result in duplicate licenses, redundant apps, and wasted money. Having too many apps can also lead to training challenges, as end users must continuously be trained in new apps and new ways of working.

Interdepartmental issues can also arise from SaaS Sprawl. Compatibility issues around format and sharing protocols when departments favor different apps can become management and control challenges.

Poor app governance

Software procurement processes should ensure that any software purchase undergoes a full evaluation. This evaluation will typically examine the alignment of the chosen app with business goals and required functionality. The evaluation process should also check essential requirements, such as fit with regulatory compliance including ISO27001, SOC2, and general security posture.

Insecure practices and siloed data

Uncontrolled apps lead to challenges in data sharing and document workflow management. Apps that aren’t fully evaluated for their security impact can add risk to data exchange. The location and handling of data are also subject to compliance with ISO 27001 and SOC2. Without fully documented and evidenced data flows, a company will find itself in non-compliance with data protection and privacy regulations and standards. 

Why is access management and governance essential to manage SaaS sprawl?

Identity and access management (IAM), shored up by a robust layer of identity and access governance (IGA), is essential to de-risk the impact of app sprawl. Data protection is put at risk by app sprawl. Sensitive data can easily be exposed if access control and security policies are not enforced. If an app is not correctly configured or it’s outside the control of authentication and authorization policies, the app could be an easy target for an attack. Techniques including brute forcing of weak passwords and credential stuffing are commonly deployed against SaaS apps. A recent brute force attack that hacked group Midnight Blizzard on Microsoft's Office 365 environment exploited the weak password security of a defunct testing account. 

The following areas exemplify why an effective access management and governance strategy is essential:

Shadow IT discovery

Enterprises that deal with large numbers of SaaS apps must utilize access management and access governance. To ensure that all apps are covered by comprehensive access control policies that reflect least privilege access, apps must be discovered. OAuth monitoring can help identify apps and even locate shadow IT apps. Once apps are documented, they can be taken under the control of a centralized access management system. Tools to automate access requests can be used to manage authentication and authorization.

Insider threats

It isn’t just external threat actors that put SaaS apps at risk. Insider threats, like ex-employees who haven’t had their access rights to SaaS apps revoked, account for 22% of security incidents. So timely deprovisioning of employees is essential to manage data security.

Permission sprawl

App sprawl can result in permission sprawl, whereby access permissions are out-of-sync with the access needs of individuals and teams. Single Sign On (SSO), where a single set of credentials is used to simultaneously log in to multiple apps in a single session, can help de-risk apps and the associated permission sprawl that occurs with uncontrolled apps.

Provisioning

Similarly, employee onboarding and offboarding are controlled and optimized by enforcing access control measures across all SaaS apps. Using automation tools that manage access requests and remove redundant access reduces security risks associated with staff leavers and movers.

Third party vendors

Similarly, third-party vendor management and vendor risk are handled by enforcing access control and governance across the SaaS ecosystem.

Automation

IT departments welcome automation tools that handle access management, as they reduce the workload. Automation tools ensure a "just-in-time" approach to provisioning and privileged access management that reduces IT overhead. Automation of access control policies and updates to access requests and requirements also reduce human error when dealing with large numbers of apps.

Adherence to regulations is another aspect of app sprawl that can be managed by ensuring that IAM and IGA encompass all SaaS apps in an enterprise's portfolio.

Saas sprawl best practices

Following a series of best practices will help maintain, govern, and secure SaaS apps:

Establish and maintain SaaS governance policies

Develop SaaS policies that reflect your business goals and needs. The policies should cover management of shadow IT, documentation of SaaS apps, visibility, security, privacy, compliance risks, and risk management. For example, a security policy would include items such as the use of least privileged access. Shadow IT policy would include protocols and procedures for approving and managing new SaaS applications.

Auditing and assessments

Auditing and assessment are essential components of many compliance programs. However, this discipline should simply be an integral part of governing your SaaS app portfolio. Audit results allow you to remove unnecessary or duplicated apps, as well as adjust the configuration and access control requirements for legitimate SaaS apps.

Employee training and collaboration

Employees are at the forefront of SaaS app sprawl. Educate your employees on the importance of implementing SaaS app governance and the risks posed by shadow IT. Employees across departments should be made aware of the cross-over of apps used by various employees. Collaboration among departments can help prevent duplicate app purchases.

Identity security and access control for SaaS apps

Saas sprawl is a consequence of many modern business practices. Security gaps caused by app sprawl can be mitigated using robust authentication and authorization based on least privilege access rights. Automation tools can help establish these rights across the entire app portfolio. All best practices should come together to consolidate effective app governance.

Access sprawl and regulatory compliance

App sprawl allows risks to enter the enterprise. It also leads to data sprawl, whereby sensitive data is created and shared without governance. Data sprawl leaves enterprises in the dark about what data they have, where it’s stored, and who has access to it.

This lack of control and oversight leads to compliance violations against regulations and standards like SOC2 and ISO27001, which require strict access control and authorization of access to sensitive data.

As apps proliferate, management and control of the data created, shared and stored in these apps becomes more complex and challenging. Out of control apps become exploitable. However, by applying some governance best practices, the security posture of an organization can be substantially improved.