Offering employees choices to combat SaaS sprawl

The ease with which employees can sign up for unsanctioned cloud services continues to haunt security operations teams. Call it cloud sprawl, SaaS sprawl, or identity sprawl -- all variations on the same theme: Workers or departments signing up for unmanaged cloud services that businesses might not even know about, resulting in redundant services, unmanaged subscriptions, and security debt. In 2023, companies used an average of 112 different software-as-a-service (SaaS) applications, down slightly from the 2022 peak of 130, and those are conservative estimates.

SaaS sprawl is both an IT management and security problem -- it complements Shadow IT. Increasingly, CISOs recognize the issue but often take steps that turn their employees into adversaries, not allies.

Here are three ways that businesses can tame their SaaS sprawl.

1. Gain visibility into employees' SaaS choices for security and privacy governance

To paraphrase the adage, "You can't manage what you don't measure." Companies that do not know how many SaaS services are being used by their employees have already lost the battle to secure their data.  The failure of companies to properly manage their Snowflake instances, for example, led to potential breaches at approximately 165 firms because many clients didn't mandate multi factor authentication or single sign-on (SSO) as a core requirement of their security program for accessing their most sensitive information.

Another key challenge in gaining visibility into SaaS usage is when employees use personal devices for work. This practice significantly reduces IT’s ability to track and control which applications are in use, increasing security risks and making it harder to understand the true scale of the SaaS sprawl.

The problem is worse with unknown services or edge-case SaaS usages. About one in every five employees are using a SaaS service that no other person in the company uses. In total, such single-user SaaS services account for 41 percent of all services used by a business, according to one security study.

Analyzing centrally managed credentials stores and logs can help determine which workers are accessing which cloud applications. Larger enterprises may want to employ a more SaaS-focused technology, such as a cloud access security broker (CASB), Secure Access Service Edge (SASE) solutions, or a web-filtering gateway.

2. Point employees toward sanctioned solutions

For nearly half of companies, the most significant concern with SaaS services is securing the entire cloud-app attack surface or controlling the sprawl of SaaS apps -- in other words, reducing the attack surface area.

Many companies try to ban employees from using specific services or any service not on a list of pre-approved vendors. While creating friction that makes it harder for workers to adopt non-approved SaaS apps is good, this is a sure way to generate a culture of asking forgiveness, rather than permission.

SaaS management platforms can identify non-compliant SaaS users, who can then be offered an approved option. Often users do not know all the SaaS options that satisfy a particular business need. Instead, they use a consumer-grade SaaS service that does not have the same security nor manageability.

Companies that offer workers alternatives to their preferred applications will have more success in moving employees to approved SaaS services and away from dangerous consumer-grade services. In addition, moving employees toward strong credential vaults can help them secure the business and their personal accounts as well.

3. Take every effort to educate your employees

Most employees do not understand how their choices can affect the security of the business. For that reason, companies should educate employees on the impact of how to use sanctioned SaaS applications, why (and how) insecure cloud services can lead to business compromises, and how they can have a favorite service potentially approved by the company.

A key partner in this effort is the Corporate IT team, which should maintain an internally published catalog of approved applications that employees can easily access. Security teams should guide employees towards these sanctioned tools while fostering an engaged community who actively minor and communicate security concerns. This culture is critical to creating a proactive security mindset across a company.

In the fight against SaaS sprawl, employees are not just end users but key partners in building a more secure, efficient, and cohesive SaaS ecosystem. By offering employees clear choices, supported by visibility and education, businesses can empower their workforce while mitigating risks. When employees understand the importance of using sanctioned tools and recognize the impact of their choices, they become active participants in maintaining the security and efficiency of the organization.

Image Credit: Melpomenem / Dreamstime.com

Mario Platt is Vice President and CISO, LastPass.