How SaaS sprawl extends vulnerability management

The new management problem organizations must solve is safeguarding the modern mesh of SaaS and cloud accounts.

This article was originally published on the Forbes Technology Council.

Imagine a future where we no longer have to manage software. A future where we no longer have racks of servers in a closet each running a business critical system that we have to update, that we have to patch, that we have to ensure uptime for. A future where our employees can test new software without any hurdles, where our businesses can adapt and evolve flexibly and nimbly. Our productivity would skyrocket, our businesses would be more competitive, and we’d be able to better serve our customers.

For many, that future has been a reality for quite some time. With the rapid transition of on-premise software to SaaS services, we are seeing these promises realized—whether we acknowledge it or not. Our employees have adapted to a new world, and on a daily basis, they’re adopting new technologies to help improve their daily lives and get their jobs done better and faster. As a further benefit, this shift has reduced the burden on our IT teams, removing many of the mundane tasks of managing these services locally. We are suddenly living in a world we could only dream of a few years ago—one of improved productivity, reduced maintenance work, and a dramatically improved employee experience.

Part of the work that has magically disappeared is the never-ending project of vulnerability management. Many of the mundane tasks that came along with on-premise software involved dealing with the relentless deluge of vendor patches for security issues. The number of software packages running and the volume of security updates drove most organizations to establish vulnerability management programs to cross-check the work of those managing this software—a process intended to ensure that everything was up to date and no service was left forgotten in a dusty closet somewhere. But as we look to our near-future state of a solidly SaaS-first enterprise, what does this mean for our vulnerability management programs?

The modern company is a mesh of SaaS services. (Sure, not every company is quite at this stage, but those that aren’t are rapidly moving in that direction.) Our digital transformation is well underway: Whether it’s moving legacy apps to the public cloud or migrating old systems to modern SaaS equivalents, the world is migrating away from in-house hosted software and toward cloud infrastructure and SaaS.

If you are running virtual instances in a public cloud environment, you still have a vulnerability management issue. Hopefully, the broader risk of those instances is dramatically reduced with the proper network controls, and it’s easy to quickly iterate. But, as your organization moves to consuming the public cloud as an API or in a serverless form, your responsibility for vulnerability management starts to shift. This doesn’t mean you can kick back and take November off—it means you need to manage the problem that is rising to replace it.

In most organizations, up to half of the SaaS services in use are introduced by employees. While your responsibility is not the detection of vulnerabilities within these services, a new management concern emerges. Each service introduced to your organization is a new place for your corporate IP to land, a new place your customer data can reside, a new service that might disrupt your business. This mesh of cloud and SaaS services comprises the new external attack surface: Though not every account contains data, every single account represents a way into your environment, and can be used to further an attacker’s reach into your organization.

These types of attacks have been a growing trend over the last few years. As we look at the headline compromises (EA, GitHub, Microsoft, CircleCI, LastPass), we see a consistent theme: Attackers target SaaS accounts as the initial point of entry, or as a way to pivot through the organization. The new management problem organizations must solve—and quickly—is safeguarding the full estate of SaaS and cloud accounts. Needless to say, without full visibility of what accounts exist, that’s an impossible task.

How Nudge Security can help

Nudge Security was built to help mitigate and manage SaaS sprawl—and that project begins with discovery. With Nudge Security, not only can you see every cloud and SaaS account as it’s created, but we also provide insight into how your SaaS apps are connected with detailed visibility of OAuth grants, including scopes and who granted access. And with automated nudges, you can gain valuable context by asking how and why employees will use apps as they adopt them, reduce SaaS sprawl by guiding employees to use preferred alternative apps, and encourage employees to transfer ownership or delete accounts they no longer need. Sign up for a trial today to see your organization’s SaaS footprint in a few minutes.