Content, Cloud Security, Content

SaaS and Unmanaged Enterprise Data Access Pose Cybersecurity Risks


Volumes of unmanaged enterprise data have opened the door to a growing number of insider and external cyber threats from malicious actors, a new study said.

Some 40 percent of all cloud-based assets are accessible by employees, vendors and contractors, dramatically increasing the risk of a corporate data breach, DoControl, a New York-based company that sells an automated data access controls platform for software-as-a-service (SaaS) applications, said in its newly-released study, Quantifying the Immense Risk of Unmanaged SaaS Data Access.

Despite the game changing effect that cloud-based applications have had on corporate efficiency and productivity, chief information officers (CIOs) and chief information security officers (CISOs) all too often underestimate the risks posed by unchecked and unmanaged data access by the SaaS provider, DoControl said. The company described its report as a "wake up call" for CIOs and CISOs.

The threats are magnified by a meteoric spike in SaaS revenue, the company said, pointing to researcher Gartner’s estimate that the segment will hit some $140 billion in revenue by 2020, a 38 percent rise in just three years. Indeed, the average 1,000-person company stores between 500,000 to 10 million assets in SaaS applications. Companies enabling public sharing may unwittingly allow up to 200,000 of these assets to be shared publicly, DoControl said.

MSSPs: Time to Focus on SaaS Security Monitoring, Management

Why should MSSPs take note of DoControl’s study? Security specialists have focused on securing access to SaaS applications but unmanaged access to data also increases the risk of breaches.

To quantify its thesis, DoControl aggregated and analyzed data from its customer base, categorizing its key findings by external and insider threat:

Insider threats:

  • Of the companies analyzed, an average of 400 encryption keys are shared internally to anyone with a link.
  • 20% of SaaS assets are shared internally with a link, exposing many employees to data points they are not authorized to view.
  • 8% of employees share their corporate account assets with their personal account, exposing company data to employees on an ongoing basis.

External threats:

  • Between 1,000 and 15,000 external collaborators (vendors, contractors, customers, partners, prospects, media, analysts) have access to company data.
  • Between 200 and 3,000 third-party companies have access to company assets.
  • 18% of SaaS application assets are shared externally and remain shared externally even after deleting users.

“To date, security practitioners have focused on enabling SaaS access in a secure manner, but now is the time to prioritize the relevancy of this data access internally and externally,” said Adam Gavish, DoControl chief executive and co-founder. “Unmanageable data access poses a significant risk to any organization and increases the likelihood of a data breach. While SaaS apps are designed to promote collaboration, this also creates an ever-growing attack surface that requires attention to ongoing data access at scale,” he said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.