Software as a Service (SaaS) applications provide many benefits to organizations, including enhanced scalability, accessibility, reduced vendor lock-in, and faster time to value. However, the rapid increase in the use of SaaS accounts has led to SaaS sprawl, where an organization deploys SaaS apps without proper IT oversight.
The unchecked proliferation of SaaS applications can lead to security and compliance risks. According to IBM, 82% of data breaches stem from vulnerabilities in SaaS environments.
In this article, you’ll learn what causes SaaS sprawl, its impact, and how to strengthen your SaaS security posture management to help mitigate the risk of breaches.
What is SaaS sprawl
SaaS sprawl is the uncontrolled adoption and use of SaaS applications within an organization without proper management. It is a natural byproduct of departments or employees independently purchasing or subscribing to cloud-based applications without coordinating with IT teams or obtaining prior approval.
SaaS sprawl vs app sprawl vs shadow IT vs shadow provisioning
SaaS sprawl is the known or unknown decentralized acquisition of cloud applications by individual employees, departments, or even IT teams. In addition to the growth of SaaS apps being integrated without IT’s knowledge, SaaS sprawl also manifests when employees connect third-party apps to their existing SaaS tech stack.
App sprawl refers to the uncontrolled growth of all applications, regardless of how they are delivered. This can include traditional on-premise software installations, custom-developed applications, and even SaaS applications.
For example, the sales team in your organization may adopt Salesforce to manage customer information, while the customer support team might want to achieve the same goal using Hubspot. As a result, multiple apps performing the same core function exist–posing more security risks and increasing the complexity of IT management.
Shadow IT occurs when a department or employee adopts an IT application such as hardware (PCs, smartphones, etc), cloud services, and off-the-shelf packaged software without involving the IT department. According to Everest Group, 50% of IT spending goes to shadow IT. The lack of visibility into what applications are used or how files are shared and stored weakens security governance.
Finally, shadow provisioning occurs when employees grant other employees access to both approved and unapproved apps without going through formal approval processes. It leads to an uncontrolled increase in permissions on SaaS applications. Shadow provisioning typically happens because it’s easier for employees to grant direct access to SaaS apps than having IT provision new accounts.
What causes SaaS sprawl?
Here are some of the common causes of SaaS sprawl:
Lack of centralized management
70% of companies with over a thousand employees have a SaaS management platform. Given the proliferation of SaaS applications, every organization should ideally have a centralized procurement system that gives IT oversight to manage the acquisition and usage of SaaS apps.
Although decentralized app procurement allows employees to purchase whatever apps they think will make their work easier, it can cause excessive or unnecessary app usage and, eventually, SaaS sprawl.
Limited access control
Access control is a cybersecurity technique that regulates who can view data and how data can be accessed or used by different people in an IT environment. There are physical and logical access control limits, with logical controls performing user authorization and identification authorization by evaluating logical credentials such as security tokens, passwords, and biometric scans.
One of the challenges of using SaaS is that each application has its own unique access control system that can be extremely complex and full of arcane permissions and nested roles. As a result, it’s hard to determine who can access what. Plus, most of the apps use service accounts (a subset of non-human identities) to talk to each other–adding another new, quickly-growing group of privileged identities.
Extensive SaaS application options
The growth of SaaS applications in the market makes it easy for employees to search for and find existing tools to solve almost every need. As a result, employees are increasingly using apps that perform similar functions without even fully utilizing existing ones.
Today, most organizations use an average of 110 SaaS apps, a 14x increase since 2015. However, with this proliferation comes security challenges—specifically, a lack of visibility and the inability to secure user activity and data.
No employee training
Many employees are unaware of the security risks of using unauthorized cloud-based applications to handle sensitive organization data. Without proper employee training about these SaaS sprawl risks – including when to sign up for new applications or how to use these applications – employees will continue to adopt SaaS applications unchecked.
Procurement can be onerous
When SaaS procurement strategies are overly complex or lack incentives for users to follow them, employees often resort to using unauthorized tools. For instance, if a company requires multiple layers of approval and extensive security reviews, the process can take weeks or even months. This creates a burden that discourages adherence to official procurement procedures. To encourage compliance, companies must streamline the process and offer clear guidelines for SaaS app procurement, integration, and usage, along with incentives for following these best practices.
Impact of SaaS sprawl
Here are a few ways SaaS sprawl can affect your organization:
Privilege sprawl
One of the existing solutions to SaaS sprawl is privileged access. This approach involves granting a limited number of users broader access and permissions to configure system settings, manage applications, and oversee data security. By centralizing control in this manner, organizations can streamline the management of SaaS applications to make sure they are used in accordance with company policies and security protocols.
But this solution also gives rise to another problem: privilege sprawl. Privilege sprawl occurs when users accumulate access rights that exceed their required job functions, typically due to being granted privileges for a specific task or project and not having those privileges revoked when the task is completed or when they move to a different role within the organization.
This can lead to a situation where users have more access to systems and data than they should–increasing the risk of security breaches and making it harder to manage and secure the company’s digital environment.
Larger attack surface
The average company manages over 200 SaaS apps. With sensitive business data such as financial information, intellectual property, and customer records spread across multiple apps–both authorized and unauthorized–this constitutes a large attack surface, leaving organizations vulnerable to malicious attacks from threats, both inside and out.
Financial waste
When departments or individual employees procure SaaS tech stacks without IT oversight, the number of applications used in the organization increases and so does SaaS spending. If the finance department cannot accurately estimate the spend for SaaS applications because it doesn’t have visibility into what apps are being used, companies can quickly overspend on SaaS.
Problems with compliance
Organizations must meet compliance regulations like GDPR, SOC 2, HIPAA, and ISO27001, amongst others, to protect the data of their employees and clients. Failing to comply can attract lawsuits, heavy penalties, and a loss of business reputation.
Compliance regulations require strict handling of business data, especially customer information. With SaaS sprawl, business data gets spread across too many platforms, increasing the scope and complexity of compliance efforts.
Operational inefficiencies
With departments in your organization using different SaaS apps to do their day-to-day tasks, the lack of synchronization can affect operational efficiency. For example, if the finance team shares and stores data using Google Drive but the marketing team uses Dropbox, it would be difficult for finance to retrieve data needed from marketing.
With teams using different applications for the same objective, collaboration and productivity can be diminished.
Challenging SaaS management
The IT department is responsible for delivering all applications employees need to work effectively while maintaining security and compliance. However, they can only do this when they control what applications are being used and who is using them.
App sprawl reduces IT visibility on the organization’s SaaS tech stack, making it difficult to schedule app upgrades or prevent data silos and app duplications.
How to mitigate SaaS sprawl
Here are some best practices to follow to avoid SaaS sprawl in your business.
- Conduct regular audits
SaaS audits help identify app redundancy, minimize SaaS spending, and identify security risks and possible data breaches. Audits also enable you to manage user access. With an identity security solution, you can know exactly who has access to what apps and the kind of access they have, allowing you to maintain strict privileged access.
- Gain full visibility of permissions & access
Full visibility of permissions and access gives you absolute control over users, departments, their roles, permissions, and resources they have access to. Transitioning to a hybrid or multi-cloud environment requires a new Identity Governance framework that will allow you to govern access at scale.
With every SaaS app you add to your tech stack comes new permissions. Without a way to visualize and monitor your ever-evolving SaaS stack and increasing permissions, your sprawling attack surface grows wider. Data leakage, non-compliance, insider threats, permission sprawl, and other threats go undetected.
- Centralize your SaaS applications
Create and implement a centralized procurement and management system for your applications. Only authorized employees or departments should be able to purchase new SaaS apps and give access to other employees through proper authentication.
This centralized approach will help both visibility and control over the organization’s SaaS environment, ensuring that software spending is aligned with business needs and eliminating redundant applications that result from department-level or employee-level purchasing.
- Streamline your procurement processes
Make it easier for employees to adhere to the set guidelines for purchasing SaaS applications. For example, you can design a SaaS app procurement portal with inbuilt approval workflows and pre-vetted SaaS apps so that employees don’t download multiple apps to solve their needs and only use pre-approved applications.
- Train employees
Employees must be aware of the security risks and inefficiencies they expose the organization to when they store and share business data across various SaaS applications. Educate employees on the problems caused by SaaS sprawl, the impact it can have on their lives and the business, and how to safely use approved applications.
Regular training sessions, workshops, and updated guidelines should be provided to ensure that all employees are up-to-date with data security best practices and understand the company’s policies regarding SaaS usage.
- Understand your SaaS features
Sometimes, the reason why employees use unauthorized SaaS apps is because the pre-approved apps don’t have all the functionality they need. Before implementing any additional SaaS app, you should evaluate the features of current apps being used to determine whether or not their capabilities are robust enough for employee workflows.
This will reduce unnecessary procurement of apps, SaaS spending and align SaaS usage with business needs.
- Improve departmental communication
Many company departments may operate in silos that disconnect them from other departments in an organization. This isolation makes it difficult for departments to communicate their SaaS needs and for IT to decide which application suits the needs of all departments.
By improving departmental communication, organizations can gain a better understanding of the overlapping requirements between departments and work towards a more integrated approach to SaaS procurement and management.
You can implement an application consultation panel where employees can share concerns, complaints, or questions about your SaaS tech stack and IT can resolve any issues. Or, establish cross-functional teams or committees that involve representatives from various departments as well as IT. These groups can assess SaaS needs, evaluate the potential impact on different parts of the organization, and set guidelines for procurement that take into account the diverse needs of the company.
This practice mitigates the risk of SaaS sprawl and shadow IT because departments are less likely to seek out and procure their own solutions in isolation.
Avoid the consequences of SaaS sprawl with your organization
SaaS can be one of the best things to happen to your organization when it comes to efficiency; however, it can also bring critical, new challenges. If you’ve lost oversight of your SaaS tech stack, you’ve probably experienced SaaS sprawl.
Without a way to visualize and monitor your ever-evolving SaaS stack, data leakage, non-compliance, insider threats, permission sprawl and other threats go undetected and unchallenged.
Fortunately, platforms like Veza make it possible to effectively enforce the principle of least privilege to reduce the risks of inappropriate access in SaaS applications. Veza provides end-to-end visibility over your enterprise IT footprint, including SaaS apps, allowing you to manage privileged access and identify and remove excessive permissions.
By standardizing all permissions across different systems into a simple language–create, read, update, and delete–it’s easier for identity and security teams to see where privileged identities may be hiding. With Veza’s access graph, you have deeper insights into your SaaS ecosystem so you can surface over-privileged identities, dormant or orphaned accounts, and unutilized licenses and access.
Veza continually monitors the state of access across all your SaaS applications. By showing you exactly what permissions an identity (whether human or non-human) has within your SaaS applications—and how those permissions are granted through groups, roles, and the RBAC system of each app —Veza lets you conduct intelligent access reviews that eliminate the excess privileges that accompany SaaS sprawl.
