DoControl recently announced a new report, Quantifying the Immense Risk of Unmanaged SaaS Data Access, which highlights how the vast amounts of unmanaged data in today’s enterprises has led to a growing number of insider and external threats to global organizations. With 40% of all SaaS assets unmanaged, there is a greater degree of internal, external, and public access to sensitive data.
According to Gartner, global SaaS revenue will grow by nearly 38% to more than $140 billion between 2019 and 2022. Although cloud-based applications dramatically increase the efficiency and productivity throughout an enterprise, there is a significant threat that is often underestimated by CIOs and CISOs: the unchecked and unmanaged data access by the SaaS provider. And with the growing adoption of SaaS applications, this threat is growing exponentially, putting companies at greater risk for data leaks.
As a benchmark, the average 1,000-person company stores between 500K to 10M assets in SaaS applications. Companies enabling public sharing may unwittingly allow up to 200,000 of these assets to be shared publicly. DoControl aggregated and analyzed data from its customer base, and categorized its key findings by external and insider threat:
- Insider threats:
o Of the companies analyzed, an average of 400 encryption keys are shared internally to anyone with a link.
o 20% of SaaS assets are shared internally with a link, exposing many employees to data points they are not authorized to view.
o 8% of employees share their corporate account assets with their personal account, exposing company data to employees on an ongoing basis.
- External threats:
o Between 1,000 and 15,000 external collaborators (vendors, contractors, customers, partners, prospects, media, analysts, etc.) have access to company data.
o Between 200 and 3,000 external (specifically third-party) companies have access to company assets.
o 18% of SaaS application assets are shared externally and remain shared externally even after deleting users.
“The past year forced many organizations to collaborate with many external parties and adjust their existing workforce to support remote collaboration,” said Adam Gavish, CEO and Co-Founder of DoControl. “To date, security practitioners have focused on enabling SaaS access in a secure manner, but now is the time to prioritize the relevancy of this data access internally and externally. Unmanageable data access poses a significant risk to any organization and increases the likelihood of a data breach. While SaaS apps are designed to promote collaboration, this also creates an ever-growing attack surface that requires attention to ongoing data access at scale. DoControl is committed to helping organizations ensure that no unauthorized person has access to company data, all without slowing down business enablement or changing the end-user’s day-to-day work.”