SaaS Security for Enterprise IT

August 12, 2022

DevOps Experience 2022

The move from shadow IT to business-led IT is a paradigm shift for security.

Shadow IT has a new name. Welcome to the world of business-led IT: it is officially a thing. According to a Gartner, Inc. webinar (registration required), nearly 80% of organizations reported high value from business-led IT, in which business teams identify and source their own technology, especially software as a service (SaaS).

At first glance, this may look like organizations simply responding to the COVID-19 pandemic and the demand to work from home. Look closer, however, and the pandemic has only accelerated a path we were already on: business-led SaaS first crept in through exception processes and task forces, then through spin-off digital initiatives, and was finally cemented by the arrival of modern work.

What does this mean for security? The shift from shadow IT to business-led IT is a paradigm shift for security as well: it replaces the impulse to find and destroy "rogue" applications with a deliberate approach to protecting the digital organization, moving security's role from law enforcement to security engineering. That requires unifying the whole SaaS attack surface and applying universal, identity-centric protections that fit both today's SaaS and the SaaS yet to be adopted: core IT and business-led, sanctioned and unsanctioned, protected and unprotected.

Today, business-led IT has become a strategy in its own right, accelerating business activity at both the tactical and the strategic level. Let's break down the transition from shadow IT to business-led IT in numbers and explore what it means for securing the SaaS attack surface.

• Gartner found that up to 36%

If we follow the money, in 2020 nearly four out of every ten technology dollars were spent outside IT. Clearly, organizations now find it acceptable for business units to find, source and support their own technology, especially teams of highly skilled knowledge workers, who have been stretched thin in recent years.

For security leaders, the trend away from shadow IT towards business-led IT is a tectonic shift: it removes the impulse to find, prevent, block and restrict, and replaces it with a conscious, deliberate approach to applying security to SaaS wherever it is adopted.

• According to the Gartner webinar, 76%

For security managers, this means providing security "as a service" to the organization, especially for business-led SaaS. For example, this can include issuing users strong, auto-generated passwords that are stored securely and immediately folded into a single sign-on (SSO) experience. The key is to achieve this without directly managing the SaaS application itself, by extending the standard protections at the moment the SaaS account is created rather than after the fact.

• According to KPMG, by 2031 the business-led side of the SaaS attack surface will be four times larger (an 80/20 split) than core, IT-managed SaaS. The share of applications adopted through a business-led strategy will rise to 85%, vastly outnumbering core IT SaaS.

For security managers, this means delivering security outcomes, not security control. The standard playbook called for solutions to curb the growth of SaaS (CASB) and restrict access (IAM), but that playbook has clearly failed: if it had worked, business-led SaaS would not be outgrowing IT-managed SaaS at this rate. It is time to rethink what it means to deliver secure outcomes once the imbalance is fully realized and what was once "shadow" is simply "standard practice".

The rising tide of business-led SaaS is creating new demands and challenges for security teams, and existing solutions are simply not suited to the character of security in the age of business-led IT and modern work.

According to SSO Tax, the average license uplift for SSO-enabled editions of popular business-led SaaS was 315%. In addition, applying single sign-on to every SaaS application (including business-led SaaS) is often too difficult to achieve in practice because of the sheer number of cloud applications and services in use: a 2019 Netskope report (download required) found that "enterprises have an average of 1,295 cloud services in use."

Here we find one of those rare cases of a known security gap that is left open, not out of fatalism, but out of an inability to achieve secure access to every business-led application on the SaaS attack surface. Why is that?

First, it is impractical because the SaaS attack surface is simply too diverse and too large to achieve secure access to everything, especially business-led SaaS. Second, deploying something like Okta for single sign-on (SSO) across all of your business applications is impractical because it is far too expensive to both license SSO-enabled accounts and

Every organization is different, but one thing is certain: business-led SaaS grows, scales and adapts without any thought for security, powered by modern work strategies. This is what produces the outsized share of rogue, unprotected SaaS applications that outnumber and outgrow the domesticated applications sanctioned and protected by IT processes and security tools such as SSO and CASB.

For the wild herd of business-led SaaS, a new order is needed, one that unifies SaaS security to protect business-led SaaS with as much tenacity as core IT SaaS, but without getting in the way. Reimagine the role of security: from law enforcement to security engineering, with a mandate to ensure SaaS security for everyone, everywhere, all the time.

This article originally appeared in Forbes, an American business magazine that features articles on finance, industry, investing, and marketing.