Headline
DoControl's 2023 SaaS Security Threat Landscape Report Finds Enterprises and Mid-Market Organizations Have Exposed Public SaaS Assets
Volume of SaaS assets and events magnifies risks associated with manual management and remediation.
NEW YORK****, March 1, 2023 /PRNewswire/ – DoControl, the automated Software-as-a-Service (SaaS) security company, today released its 2023 SaaS Security Threat Landscape Report, which quantifies the volume, types, and exposure risk of business assets stored within the SaaS estates of medium companies (50 to 1,000 employees) and large companies (1,001 to 6,696 employees). The report found that large and medium companies had an average of 5.5 million and 1.5 million assets stored in SaaS applications respectively, illustrating the challenge IT and SecOps teams face daily in securing the intellectual property those assets contain.
SaaS applications, while both vital and ubiquitous within business technology stacks, expose companies of all sizes to significant security risks stemming from undetected data exfiltration. With large companies averaging 2,775,000 SaaS activities per week involving nearly 55,750 SaaS assets, manually monitoring every event and asset is functionally impossible. The notable shortage of security professionals and the burnout caused by competing priorities demonstrates why security automation is the only feasible approach in this landscape.
“While we all rely on SaaS applications to improve productivity and collaboration, few have stopped to consider the sheer number of assets that flow in and out of these tools each day,” said Adam Gavish, CEO and Co-founder, DoControl. “Enterprises increasingly consider security when entering business transactions and engagements, which means the risks of a poor SaaS security posture can act as a spoiler for business outcomes. The goal of this report is to quantify and illustrate the chaos so businesses can better understand their risk exposure and act accordingly to regain control of their SaaS estate.”
The vulnerabilities covered in the SaaS Security Threat Landscape Report are broken out into five different categories:
Insider Threats
Whether accidentally or deliberately, insiders can exfiltrate confidential intellectual property and customer information, exposing companies to financial extortion and devastating brand damage. DoControl found that 81% of medium-sized companies and 78% of large companies have encryption files stored in Google Drive/Workspace. An organization may feel secure storing assets in various apps, but they need to be vigilant of assets leaving those domains. As 61% of companies have employees who have shared company-owned assets with their personal email, manually tracking sensitive assets may be more difficult than previously imagined.
External Actors & Access
Control of a company’s data or intellectual property can become tenuous when collaboration extends beyond the company’s security perimeter and files are shared with external parties via SaaS applications. Medium-sized companies in DoControl’s study had on average nearly 224k assets in SaaS applications that have been shared externally, with nine external actors per employee on average.
Compounding this issue is that over-provisioning access to SaaS files can result in those assets being distributed to external collaborators beyond those which they were originally intended. DoControl found large companies had an average of 94,455 publicly-shared assets stored in SaaS applications. Companies need to limit external sharing by implementing least privilege permissioning and by removing access when assets are no longer needed by the parties with whom they were shared.
Third-Party to Fourth-Party Sharing
One of the ramifications of not adequately limiting the data access granted to external parties is third-party to fourth-party sharing. Over the course of the first nine months of 2022, DoControl identified over 1,189 events within large companies where third-party actors shared assets with fourth-party actors. In many instances, trusted third-parties have legitimate reasons for sharing SaaS assets with fourth parties. These situations, however, should be managed by the originator of the SaaS assets. At large companies, 241 fourth-party domains on average have access to its SaaS assets. Without adequate SaaS data access controls, the originators often lose sight of assets shared externally, introducing an unacceptable level of risk.
Outdated Permissions
There are two manifestations of outdated permissions. The first is ongoing access to SaaS assets that are no longer supporting current business objectives. DoControl found 67% of all companies have employees with lingering access to assets stored in Google Workplace that are more than 5 years old.
The second form of outdated permission is access that persists after employees have parted ways with their employer. Out of all companies, 31% have former employees who have accessed assets stored in SaaS applications after they have parted ways with their employer. Unsurprisingly, large companies tend to have more former employees with access (20 on average) than medium companies (slightly more than six on average), but even one former employee – especially a disgruntled one – can present an unacceptable risk.
Third-Party OAuth Applications
Applications often allow integrations with third parties to make workflows more efficient, convenient, or productive. However, third-party applications can also pose a threat to companies, especially when given unnecessary read-write permissions. Granting unnecessary read/write access to applications that may not have strong enough native security controls can open the door to data exfiltration and supply chain-based attacks. The major collaboration application companies often support numerous third-party application integrations. Unfortunately, it’s not uncommon for some of these third-party applications to be overprivileged.
At large companies, Google has an average of 81 third-party application integrations. On average, 27 of those Google integrations have data access and nine are overprivileged.
DoControl helps avoid the devastating consequences of data exfiltration and leakage. Its unique approach to managing SaaS data access remediates any situations highlighted in the SaaS Security Threat Landscape Report by providing centralized, automated, granular data access controls over the SaaS applications in companies’ technology stacks. DoControl’s no-code, automated workflows help IT and security teams manage their SaaS data access so companies can move forward with SaaS deployments confidently, and in a secure manner.
According to Gartner, 60% of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements by 2025. To view more insights and begin your own enterprise audit across the five SaaS security benchmarks, download the full 2023 SaaS Security Threat Landscape Report.
Additional Resources:
- Download the SaaS Security Threat Landscape Full Report
- Download the SaaS Security Threat Landscape Executive Summary
- Register for the Webinar
- Read the Blog
To learn more about DoControl, visit the website or request a demo.
Methodology
This report aggregates findings across a subset of companies for which DoControl performed an audit of SaaS data access control and exposure. We have compiled the findings from audits of a cross-section of companies ranging in size from 11 to 6,696 employees. In situations where DoControl saw significant differences in the findings by company size, it broke those results out into two groups — medium-sized companies (50 to 1,000 employees) and large enterprises (1,001 to 6,696 employees). In situations where the difference between the two groups was insignificant, DoControl reported just one overall statistic.
About DoControl
Founded in 2020 and headquartered in New York, DoControl is an automated data access controls platform for SaaS applications, improving security and operational efficiency with ease for enterprises. DoControl is backed by investors Insight Partners, StageOne Ventures, Cardumen Capital, RTP Global and global cybersecurity leader CrowdStrike’s early stage investment fund, the CrowdStrike Falcon Fund. The company’s leadership team combines product, engineering and sales experience across cybersecurity, enterprise and SaaS innovators. For more information, please visit www.docontrol.io. Follow us on Twitter and LinkedIn.