Cloud Security 101: What Are Cloud Security Blind Spots?
Software as a service (SaaS) is the latest technology revolutionizing the way we work. It makes collaboration easier than ever. But as SaaS adoption continues to rise, it also creates hard-to-see threats and unforeseen challenges for IT.
As a result of widespread adoption of SaaS applications like Dropbox, Slack, Salesforce, Box and G Suite, the volume of user interactions (e.g., sharing files, forwarding emails, granting elevated privileges, exporting reports, collaborating with external people) in the digital workplace has increased exponentially. But while users reap the benefits of enhanced collaboration, IT has no way to monitor or understand these interactions going on across SaaS applications.
People are interacting and sharing information both inside and outside the organization, but IT cannot visualize or manage risky configurations, files, and settings across applications for strong cloud security. Unfortunately, native admin tools are not powerful, granular, or sophisticated enough for IT to secure their SaaS environments properly. This raises the risk of data breach threats and related data loss.
This is creating blind spots that lie undiscovered below the surface, waiting like a dormant volcano to erupt. Blind spots are hidden threats that you probably don’t know exist, and it’s likely that you won’t know about them until a security incident happens.
The old adage goes, “You don’t know what you don’t know.” IT is essentially flying blind, but it’s not their fault. It’s nobody’s fault, as a matter of fact. We have not yet arrived at a time when we have official certifications or industry best practices in SaaS management.
It’s important to be aware of, and proactive about, blind spots for a number of reasons. Beyond protecting the sensitive proprietary information of your company, protecting your company against blind spots is necessary if you want to be in compliance with regulations such as GDPR or HIPAA. You need to ensure you have a secure cloud solution.
What Are the Riskiest Blind Spots?
By now you’re probably wondering what the most common cloud security blind spots are so you can start mitigating their risks. Two of the blind spots that we see most frequently, and can be the most insidious, are 1) too many super admins, and 2) ex-employees who retain access to their SaaS applications.
Too many super admins
On average, how many super admins do you have in each SaaS app?
I would bet that you have more than you think. Most IT professionals think they have one to three, which is the ideal number. In reality, most IT teams have somewhere between 13 and 19 super admins per SaaS app and don’t realize it. This blind spot poses a big security risk—each additional admin is another highly privileged account that can be compromised, and it only increases your attack surface.
How does a company rack up so many super admins? Employees often request elevated access to complete a task or project. Because SaaS apps lack granular admin roles, IT is forced to assign super admin rights.
However, these elevated permissions are frequently forgotten about and never revoked once the task or project is finished. Natively, there is no easy way to track or automate this process. As a result, you end up with an excess of super admins—far too many people set to “God mode.” The least privilege model is a security best practice, but SaaS apps don’t give admins the tools to implement it.
Admin permissions are a universal blind spot, and a critical one at that. Regulations like GDPR require you to control privileged access and minimize it as much as possible.
Ex-employees who still have access to data
Here’s a follow-up question for you: Are there any ex-employees who still have access to your organization’s data? Would you have any idea if they were continuing to log in? Probably not. This is another prominent blind spot for organizations.
In fact, 76% of IT professionals believe that former employees still have access to their organization’s data. Talk about a blind spot.
If employees aren’t off-boarded thoroughly and correctly, then they retain data access. And there’s a lot of damage ex-employees can do, particularly if they’re disgruntled (for example, lost data, IP theft, compliance failures, sabotage, data breaches).
This blind spot exists because off-boarding is a manual, time-consuming process prone to human error. Off-boarding an employee completely is a multi-step process that is cumbersome at best. Many admins put it off, much like chores or taxes, or just forget to do certain steps altogether. This is a critical blind spot because it’s difficult for IT to know which ex-employees still have access, what level of access they have, which apps they have access to, etc.
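As an added example that is not part of the original post or of any vendor's product, the following script audits a constructed per-app user/role export for both blind spots described above: it flags apps whose count of active super admins exceeds an assumed threshold, and reconciles the export against a constructed HR roster of departed employees to find accounts that are still active and whether they logged in after their termination date. The export columns, role names, threshold, roster and e-mail addresses are all assumptions.

```python
from datetime import date

# Constructed sample: one row per (app, user), as an app's admin console might export it.
USER_EXPORT = """\
app,email,role,last_login,status
dropbox,alice@example.com,super_admin,2024-05-01,active
dropbox,bob@example.com,super_admin,2024-04-20,active
dropbox,carol@example.com,super_admin,2023-11-02,active
dropbox,dave@example.com,member,2024-05-02,active
slack,alice@example.com,owner,2024-05-01,active
slack,erin@example.com,member,2024-02-20,active
salesforce,frank@example.com,system_administrator,2024-04-30,active
"""

# Constructed HR roster: people who have left, with their termination date (assumed).
TERMINATED = {"carol@example.com": date(2023, 10, 31), "erin@example.com": date(2024, 2, 28)}

# Each app names its "God mode" role differently; treat all of these as super admin (assumed names).
SUPER_ADMIN_ROLES = {"super_admin", "owner", "system_administrator"}
MAX_SUPER_ADMINS = 2  # assumed threshold, within the one-to-three range the post calls ideal

def parse_export(text):
    """Parse the CSV-style export into a list of dicts keyed by the header row."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]

def super_admin_findings(rows, limit=MAX_SUPER_ADMINS):
    """Return {app: sorted emails} for apps whose active super-admin count exceeds limit."""
    admins = {}
    for r in rows:
        if r["role"] in SUPER_ADMIN_ROLES and r["status"] == "active":
            admins.setdefault(r["app"], []).append(r["email"])
    return {app: sorted(emails) for app, emails in admins.items() if len(emails) > limit}

def ex_employee_findings(rows, terminated, today):
    """Return (app, email, days_since_termination, logged_in_after_leaving) for
    terminated users whose account in an app is still active."""
    findings = []
    for r in rows:
        left = terminated.get(r["email"])
        if left is not None and r["status"] == "active":
            last_login = date.fromisoformat(r["last_login"])
            findings.append((r["app"], r["email"], (today - left).days, last_login > left))
    return findings

if __name__ == "__main__":
    rows = parse_export(USER_EXPORT)
    print("too many super admins:", super_admin_findings(rows))
    print("ex-employees still active:", ex_employee_findings(rows, TERMINATED, date(2024, 5, 3)))
```

In practice the export would come from each app's admin API or console, and the roster from the HR system; the two checks are then run on a schedule so a forgotten super-admin grant or a missed off-boarding step surfaces as an alert rather than after an incident.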
As businesses adopt more SaaS apps and move more fully to the cloud, collaboration will continue to become more seamless. However, SaaS adoption will also put businesses at an elevated risk of falling victim to unchecked blind spots. Fortunately, these new blind spots are manageable so long as you know what to look for and how to protect your business from them.
What to do about it
To get visibility into major blind spots, IT and security teams need a way to surface critical insights. A SaaS Operations Management platform like BetterCloud uses a library of SaaS application APIs to provide alerts for risky application configurations, document settings and privileged access, which can then trigger automated remediation workflows. These types of tools provide new ways to secure user interactions, empowering IT to manage and secure their digital workplaces more effectively through secure cloud infrastructure.