DoControl’s 2023 SaaS Security Threat Landscape Report Finds 50% of Enterprises and 75% of Mid-market Organizations Have Exposed Public SaaS Assets
March 2023 by Marc Jacob
DoControl released its 2023 SaaS Security Threat Landscape Report, which quantifies the volume, types, and exposure risk of business assets stored within the SaaS estates of medium companies (50 to 1,000 employees) and large companies (1,001 to 6,696 employees). The report found that large and medium companies had an average of 5.5 million and 1.5 million assets stored in SaaS applications respectively, illustrating the challenge IT and SecOps teams face daily in securing the intellectual property those assets contain.
SaaS applications, while both vital and ubiquitous within business technology stacks, expose companies of all sizes to significant security risks stemming from undetected data exfiltration. With large companies averaging 2,775,000 SaaS activities per week involving nearly 55,750 SaaS assets, manually monitoring every event and asset is functionally impossible. The notable shortage of security professionals and the burnout caused by competing priorities demonstrates why security automation is the only feasible approach in this landscape.
The vulnerabilities covered in the SaaS Security Threat Landscape Report are broken out into five different categories:
Whether accidentally or deliberately, insiders can exfiltrate confidential intellectual property and customer information, exposing companies to financial extortion and devastating brand damage. DoControl found that 81% of medium-sized companies and 78% of large companies have encryption files stored in Google Drive/Workspace. An organization may feel secure storing assets in various apps, but they need to be vigilant of assets leaving those domains. As 61% of companies have employees who have shared company-owned assets with their personal email, manually tracking sensitive assets may be more difficult than previously imagined.
External Actors & Access
Control of a company’s data or intellectual property can become tenuous when collaboration extends beyond the company’s security perimeter and files are shared with external parties via SaaS applications. Medium-sized companies in DoControl’s study had on average nearly 224k assets in SaaS applications that have been shared externally, with nine external actors per employee on average.
Compounding this issue is that over-provisioning access to SaaS files can result in those assets being distributed to external collaborators beyond those which they were originally intended. DoControl found large companies had an average of 94,455 publicly-shared assets stored in SaaS applications. Companies need to limit external sharing by implementing least privilege permissioning and by removing access when assets are no longer needed by the parties with whom they were shared.
Third-Party to Fourth-Party Sharing
One of the ramifications of not adequately limiting the data access granted to external parties is third-party to fourth-party sharing. Over the course of the first nine months of 2022, DoControl identified over 1,189 events within large companies where third-party actors shared assets with fourth-party actors. In many instances, trusted third-parties have legitimate reasons for sharing SaaS assets with fourth parties. These situations, however, should be managed by the originator of the SaaS assets. At large companies, 241 fourth-party domains on average have access to its SaaS assets. Without adequate SaaS data access controls, the originators often lose sight of assets shared externally, introducing an unacceptable level of risk.
There are two manifestations of outdated permissions. The first is ongoing access to SaaS assets that are no longer supporting current business objectives. DoControl found 67% of all companies have employees with lingering access to assets stored in Google Workplace that are more than 5 years old.
The second form of outdated permission is access that persists after employees have parted ways with their employer. Out of all companies, 31% have former employees who have accessed assets stored in SaaS applications after they have parted ways with their employer. Unsurprisingly, large companies tend to have more former employees with access (20 on average) than medium companies (slightly more than six on average), but even one former employee – especially a disgruntled one – can present an unacceptable risk.
Third-Party OAuth Applications
Applications often allow integrations with third parties to make workflows more efficient, convenient, or productive. However, third-party applications can also pose a threat to companies, especially when given unnecessary read-write permissions. Granting unnecessary read/write access to applications that may not have strong enough native security controls can open the door to data exfiltration and supply chain-based attacks. The major collaboration application companies often support numerous third-party application integrations. Unfortunately, it’s not uncommon for some of these third-party applications to be overprivileged.
At large companies, Google has an average of 81 third-party application integrations. On average, 27 of those Google integrations have data access and nine are overprivileged.
DoControl helps avoid the devastating consequences of data exfiltration and leakage. Its unique approach to managing SaaS data access remediates any situations highlighted in the SaaS Security Threat Landscape Report by providing centralized, automated, granular data access controls over the SaaS applications in companies’ technology stacks. DoControl’s no-code, automated workflows help IT and security teams manage their SaaS data access so companies can move forward with SaaS deployments confidently, and in a secure manner.
According to Gartner, 60% of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements by 2025. To view more insights and begin your own enterprise audit across the five SaaS security benchmarks, download the full 2023 SaaS Security Threat Landscape Report.