According to a new report by Torii, 69% of tech executives are concerned about the security risks posed by shadow IT in relation to SaaS or cloud adoption. The majority of respondents have made exceptions to their SaaS security protocols, with 80% doing so because the applications were adopted outside IT’s purview. To combat these and other SaaS sprawl concerns, 64% are evaluating or planning to deploy SaaS management tools.
The 2022 SaaS Visibility and Impact Report looked at a number of risks and concerns raised by technology executives when it came to their SaaS/cloud deployments. The survey looked at those firms with more than 75% SaaS software within their organizations to find out how the COVID-19 pandemic has impacted their day-to-day tasks and how their organizations approach IT.
Uri Haramati, CEO and co-founder of Torii, commented:
“The new reality of distributed and remote work has driven Shadow IT to a whole new level, empowering employees to provision and manage their own cloud applications. While that’s allowed teams to innovate faster, it’s also led to increased security risk and a complete breakdown of old tools and methods for managing it. They weren’t designed for SaaS and the Shadow IT explosion, and simply cannot keep up. SaaS warrants a completely new approach. Businesses are beginning to realize this and take more effective measures for managing their SaaS stack and mitigating the risks.”
The pandemic accelerated SaaS adoption: Over half (54%) of respondents report their company’s leadership views technology differently now than before the COVID-19 pandemic, with 53% stating that the pandemic increased their SaaS tool adoption. 32% claimed this increased their security risk.
SaaS app visibility and security risks are top of mind: The biggest security-related concerns among tech executives include shadow IT (69%), off-boarding employees from applications (59%), and remote workers exposing data (56%).
Shadow IT isn’t going away anytime soon:
- 52% of survey respondents said individual employees are purchasing apps without IT’s knowledge
- 36% say the same is happening with line of business (LOB) managers
The report pointed out that if IT and security teams have no visibility into their Shadow IT applications, they have no way of protecting the data flowing through them. This becomes increasingly clear when people leave a company and aren’t off-boarded from Shadow IT apps – and sometimes even from sanctioned apps. This means they can still access sensitive corporate information even after they’ve left.
Security protocols are lapsing: Adherence to security protocols has suffered. The report found that 55% of organizations have made exceptions to their protocols for SaaS applications. The reason? The vast majority (80%) say it’s because the applications were adopted outside IT’s purview.
Identity access management & single sign-on aren’t sufficient: Almost all survey respondents (90%) use identity access management (IAM) or single sign-on (SSO) to reduce exposure to security threats. However, IAM and SSO tools are focused on known applications. They don’t uncover or have visibility into Shadow IT applications.
SaaS management plans are in the works: SaaS applications will continue to dominate organizations’ tech stacks. Virtually all (94%) respondents expect the number of SaaS apps in their company to increase in the next two years.
This report confirms the concerns we have raised about ungoverned SaaS usage, usage that’s increased rapidly since 2020. What’s particularly concerning is the finding that solutions get embedded by departments and users, which then requires IT & Security teams to relax security controls. Clearly, this is not ideal, but it’s the harsh reality of IT being overtaken by the business. As organisations embark on a new wave of digital transformation, it’s not possible for CIOs to stand in the way of innovation, particularly once that innovation is in use and delivering business value. After all, with increasingly niche SaaS applications, it’s the users of those applications who know whether they meet their use cases, not IT.
CIOs & CISOs therefore need to tread a fine line between enabling innovation and keeping the organisation safe, and this is where the comprehensive capabilities offered by SaaS Management tools help. By automatically detecting new SaaS apps as they’re deployed for the first time, IT governance teams can engage with users and application owners to ensure that they meet minimum security and governance standards before they become established. For more on this, see our webinar, presented in conjunction with Chris Shakarian, VP of Marketing at Torii.