The democratization of IT fundamentally redefines what it means to be a CIO or CISO. This is not a minor adjustment but a profound shift reshaping the industry, and one that creates new risks for the identities an organization has to protect.
Currently, 53% of applications are managed outside IT departments, and 34% of technology purchases are made by line-of-business managers, bypassing traditional IT channels entirely. There are real benefits, such as onboarding a tool in minutes to streamline a workflow, but this change in how technology is adopted and used inside organizations introduces new challenges for security teams.
SaaS (software-as-a-service) is now crucial for many organizations because it is easy to implement, scales readily and is cost-effective. Departments can deploy tools quickly without going through lengthy IT procurement processes. However, the immediate benefits often blind organizations to the security risks, and that blind spot fuels the trend of decentralized SaaS adoption.
According to a recent report, 80% of employees adopt SaaS applications without IT approval, creating risk within organizations. When departments independently adopt SaaS applications, the security team loses visibility and control: the app is not in the asset inventory, it is typically not behind the corporate identity provider, so single sign-on and MFA policies are not enforced, and its audit logs never reach the security team. For instance, the finance department might use an app like Canva to create presentations and input sensitive financial data without IT's awareness. If that app or account is breached, the data could be exposed to malicious actors and cause severe damage to the organization, and the security team would have no way to detect or respond to it. Without IT oversight it is nearly impossible to monitor all SaaS applications in use, let alone secure them.
Decentralized SaaS adoption doesn't just create risks with current employees; it also poses threats when employees leave. Because the app was never connected to the corporate directory, the standard offboarding process does not deprovision the account. Those SaaS accounts, unknown to IT, remain active and unmanaged, often with the departed employee's password still valid and the organization's data still inside. Given these challenges, security teams must ask: How can we ensure monitoring, governance and security for SaaS applications beyond our direct control?
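One concrete check that addresses both the visibility gap and the leaver problem above is to reconcile each SaaS app's user list against the HR or directory record. The script below is an added example, not code from the original article or from any vendor; the CSV column names (`email,status,termination_date` for the directory export and `email,role,last_login` for the app exports) and the sample records are constructed assumptions, so adjust the parsing to whatever your HR system and each app's admin console actually export. It flags three things: accounts that belong to nobody in the directory, accounts of terminated staff that still exist, and the worse case where a terminated account was used after the leave date.

```python
import csv
import io
from datetime import date

# Constructed sample: HR/directory export. Emails, names and dates are made up.
DIRECTORY_CSV = """email,status,termination_date
Alice@example.com,active,
bob@example.com,terminated,2024-03-15
carol@example.com,terminated,2024-05-01
"""

# Constructed sample: per-app user lists as exported from each app's admin console.
# Column names are assumptions; real exports differ per vendor.
SAAS_EXPORTS = {
    "canva": """email,role,last_login
alice@example.com,editor,2024-06-01
bob@example.com,admin,2024-02-20
dave@contractor.example,editor,2024-05-30
""",
    "notion": """email,role,last_login
carol@example.com,owner,2024-05-20
alice@example.com,member,2024-06-02
""",
}

TODAY = date(2024, 6, 10)  # fixed so the output is reproducible


def parse_date(s):
    """ISO date string -> date, or None for an empty field."""
    return date.fromisoformat(s) if s else None


def parse_directory(text):
    """Map lowercased email -> (status, termination_date or None)."""
    people = {}
    for row in csv.DictReader(io.StringIO(text)):
        people[row["email"].strip().lower()] = (
            row["status"].strip().lower(),
            parse_date(row["termination_date"].strip()),
        )
    return people


def find_orphans(directory, exports, today):
    """Return sorted (app, email, finding, days_since_termination) tuples.

    finding is one of:
      'unknown_identity'       - email is not in the directory (external, personal or mistyped)
      'terminated'             - the user has left but the account still exists
      'post_termination_login' - the account was used after the leave date
    """
    findings = []
    for app, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            email = row["email"].strip().lower()
            if email not in directory:
                findings.append((app, email, "unknown_identity", None))
                continue
            status, term = directory[email]
            if status != "terminated":
                continue
            days = (today - term).days if term else None
            last_login = parse_date(row["last_login"].strip())
            if term and last_login and last_login > term:
                findings.append((app, email, "post_termination_login", days))
            else:
                findings.append((app, email, "terminated", days))
    return sorted(findings)


def report(today=TODAY):
    """Run the reconciliation over the constructed sample data."""
    return find_orphans(parse_directory(DIRECTORY_CSV), SAAS_EXPORTS, today)


if __name__ == "__main__":
    for app, email, finding, days in report():
        age = f"{days}d since termination" if days is not None else "n/a"
        print(f"{app:8} {email:28} {finding:24} {age}")
```

Run periodically, this is a cheap approximation of the deprovisioning that an identity provider would do automatically if the app were behind SSO; the `unknown_identity` findings are also a useful first inventory of accounts that were created outside the corporate directory altogether.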
Let’s compare decentralized SaaS adoption to another major shift in IT: The transition to cloud computing. When organizations first moved to the cloud, they encountered similar challenges in securing environments outside their full control. This prompted the creation of the shared responsibility model, especially championed by AWS.
In this model, the cloud service provider is accountable for securing the underlying infrastructure (security "of" the cloud), while the customer is responsible for what runs on top of it (security "in" the cloud): data, identities, access policies and application configuration. This framework has been crucial in clarifying roles and responsibilities, and it has improved overall security.
Some parallels exist between shared responsibility in the cloud and decentralized SaaS. In a traditional IT environment, the central IT department oversees and secures all applications. However, in a decentralized SaaS environment, security responsibility must be distributed between the SaaS provider, the central security team and the individual departments and employees utilizing these applications.
This requires establishing clear guidelines and protocols for SaaS adoption and usage. Departments need to be educated and empowered to take ownership of their share of the responsibility, while the central security team provides oversight, tools and support to ensure compliance and mitigate risk. Without that division of responsibility, SaaS adoption cannot be both effective and safe.
To combat this risk, organizations need a central inventory and governance layer for SaaS so that teams can still reap the benefits of these applications while IT and security stay informed and can prioritize what to secure. Steps organizations can take include:
SaaS applications boost productivity, cut costs and streamline workflows, but the security risks cannot be ignored. Keeping IT and security teams informed about SaaS adoption is crucial to protecting sensitive information, preventing breaches and defending employee identities against threats. Organizations should embrace shared responsibility between IT and employees to achieve both security and operational success, and to reduce the impact of the incidents that will inevitably occur.