40% of SaaS data access is unmanaged, creating significant insider and external threats to global organizations: Study

There is a magnitude of SaaS data exposure, with 40% of all SaaS assets unmanaged, providing internal, external and public data access, according to DoControl’s report, titled Quantifying the Immense Risk of Unmanaged SaaS Data Access. The study provides data-driven insights into the growing number of insider and external threats due to vast amounts of unmanageable data in today’s enterprises.

According to Gartner, global SaaS revenue will grow nearly 38% to more than USD 140 billion between 2019 and 2022. Although cloud-based applications dramatically increase the efficiency and productivity throughout an enterprise, there is a significant threat that is often underestimated by CIOs and CISOs - unchecked and unmanaged data access by the SaaS provider. And with the growing adoption of SaaS applications, this threat is growing exponentially, putting companies at greater risk for data leaks. 

As a benchmark, the average 1,000 person company stores between 500K and 10M assets in SaaS applications. Companies enabling public sharing may face up to 200,000 of these assets being shared publicly. DoControl aggregated and analyzed myriad data from its customer base. Below are key findings categorized by external and insider threats:

Insider threats:

• Of the companies analyzed, an average of 400 encryption keys are shared internally to anyone with a link.
• 20% of SaaS assets are shared internally with a link, exposing many employees to data points they are not authorized to consume.
• 8% of employees share assets from their corporate with their personal accounts, exposing many former employees to ongoing company data.

External threats:

• Between 1,000 and 15,000 external collaborators (vendors, contractors, customers, partners, prospects, media, analysts, etc.) have access to company data.
• Between 200 and 3,000 external (specifically third-party) companies have access to company assets.
• 18% of SaaS application assets are shared externally and remain shared externally even after deleting users.

“The past year forced many organizations to collaborate with many external parties and adjust their existing workforce to support remote collaboration,” stated Adam Gavish, CEO and Co-Founder of DoControl. “To date, security practitioners focused on enabling SaaS access in a secure manner, now is the time for them to prioritize the relevancy of this data access internally and externally.  Unmanageable data access poses a significant risk to any organization and increases the likelihood for a data breach. While SaaS apps are designed to promote collaboration, in this ever growing attack surface security teams must pay attention to ongoing data access at scale. DoControl is committed to helping organizations ensure no unauthorized person has access to company data without slowing down business enablement nor changing the end user’s day to day work.”