Security Threat Report Finds Exposed Public SaaS Assets

DoControl today released its 2023 SaaS Security Threat Landscape Report, which quantifies the volume, types, and exposure risk of business assets stored within the SaaS estates of medium companies (50 to 1,000 employees) and large companies (1,001 to 6,696 employees). The report found that large and medium companies had an average of 5.5 million and 1.5 million assets stored in SaaS applications respectively, illustrating the challenge IT and SecOps teams face daily in securing the intellectual property those assets contain.

SaaS applications, while vital and ubiquitous within business technology stacks, expose companies of all sizes to significant security risks stemming from undetected data exfiltration. With large companies averaging 2,775,000 SaaS activities per week involving nearly 55,750 SaaS assets, manually monitoring every event and asset is functionally impossible. The notable shortage of security professionals and the burnout caused by competing priorities demonstrates why security automation is the only feasible approach in this landscape.

“While we all rely on SaaS applications to improve productivity and collaboration, few have stopped to consider the sheer number of assets that flow in and out of these tools each day,” said Adam Gavish, CEO and co-founder, DoControl. “Enterprises increasingly consider security when entering business transactions and engagements, which means the risks of a poor SaaS security posture can act as a spoiler for business outcomes. The goal of this report is to quantify and illustrate the chaos so businesses can better understand their risk exposure and act accordingly to regain control of their SaaS estate.”

The vulnerabilities covered in the SaaS Security Threat Landscape Report are broken out into five different categories:

  • Insider Threats – Whether accidentally or deliberately, insiders can exfiltrate confidential intellectual property and customer information, exposing companies to financial extortion and devastating brand damage. DoControl found that 81 percent of medium-sized companies and 78 percent of large companies have encryption files stored in Google Drive/Workspace. An organization may feel secure storing assets in various apps, but they need to be vigilant of assets leaving those domains. As 61 percent of companies have employees who have shared company-owned assets with their personal email, manually tracking sensitive assets may be more difficult than previously imagined.
  • External Actors & Access – Control of a company’s data or intellectual property can become tenuous when collaboration extends beyond the company’s security perimeter and files are shared with external parties via SaaS applications. Medium-sized companies in DoControl’s study had on average nearly 224k assets in SaaS applications that have been shared externally, with nine external actors per employee on average.
  • Third-Party to Fourth-Party Sharing – One ramification of not adequately limiting the data access granted to external parties is third-party to fourth-party sharing. Over the course of the first nine months of 2022, DoControl identified over 1,189 events within large companies where third-party actors shared assets with fourth-party actors. In many instances, trusted third-parties have legitimate reasons for sharing SaaS assets with fourth parties. These situations, however, should be managed by the originator of the SaaS assets. At large companies, 241 fourth-party domains on average have access to its SaaS assets. Without adequate SaaS data access controls, the originators often lose sight of assets shared externally, introducing an unacceptable level of risk.
  • Outdated Permissions – There are two manifestations of outdated permissions. The first is ongoing access to SaaS assets that are no longer supporting current business objectives. DoControl found 67 percent of all companies have employees with lingering access to assets stored in Google Workplace that are more than 5 years old. The second form of outdated permission is access that persists after employees have parted ways with their employer. Out of all companies, 31 percent have former employees who have accessed assets stored in SaaS applications after they have parted ways with their employer. Unsurprisingly, large companies tend to have more former employees with access (20 on average) than medium companies (slightly more than six on average), but even one former employee – especially a disgruntled one – can present an unacceptable risk.
  • Third-Party OAuth Applications – Applications often allow integrations with third parties to make workflows more efficient, convenient, or productive. However, third-party applications can also pose a threat to companies, especially when given unnecessary read-write permissions. Granting unnecessary read/write access to applications that may not have strong enough native security controls can open the door to data exfiltration and supply chain-based attacks. The major collaboration application companies often support numerous third-party application integrations. Unfortunately, it’s not uncommon for some of these third-party applications to be overprivileged. At large companies, Google has an average of 81 third-party application integrations. On average, 27 of those Google integrations have data access and nine are overprivileged.

DoControl helps avoid the devastating consequences of data exfiltration and leakage. Its unique approach to managing SaaS data access remediates any situations highlighted in the SaaS Security Threat Landscape Report by providing centralized, automated, granular data access controls over the SaaS applications in companies’ technology stacks. DoControl’s no-code, automated workflows help IT and security teams manage their SaaS data access so companies can move forward with SaaS deployments confidently, and in a secure manner.

To view more insights and begin your own enterprise audit across the five SaaS security benchmarks, download the full 2023 SaaS Security Threat Landscape Report.