Nearly half of software-as-a-service data is exposed and unmanaged

Basically, anyone with a private or public link can expose SaaS data to thousands of external collaborators.
30 August 2021

Report says 40% of SaaS data is being exposed and unmanaged. (Photo by Manjunath Kiran / AFP)

  • The threat of unchecked and unmanaged data access is growing exponentially, with enterprises’ increasing reliance on software-as-a-service solutions 
  • The SaaS-based attack surface is a “significant threat that is often underestimated” by IT leaders 

The reliance on software-as-a-service (SaaS) is growing exponentially by the day, enhancing the way we work and collaborate. Inevitably, it brings about a host of new security challenges that place cloud access controls and business-critical data at risk. A recent report highlighted that close to half of SaaS data is unmanaged, a wake-up call to CIOs and CISOs and the enterprises they serve and protect.

The report by DoControl, an automated data access controls platform for SaaS applications, revealed that up to 40% of SaaS data access is ‘unmanaged’ — which means that anyone with a private or public link can expose SaaS data to thousands of external collaborators who may or may not be allowed access.

Evidently, this unmanaged access poses a significant risk to organizations that house that data and exponentially increases the likelihood of a data breach. The most surprising takeaway from the report — which is based on aggregated, anonymized US customer data — is that companies are unaware of how much data access is still afforded to former employees, former vendors, and former partners.

Co-founder and CEO Adam Gavish said, “The past year forced many organizations to collaborate with many external parties and adjust their existing workforce to support remote collaboration. To date, security practitioners have focused on enabling SaaS access in a secure manner, but now is the time to prioritize the relevancy of this data access internally and externally.”

The risk of software-as-a-service data

DoControl highlighted that the risk posed by unmanageable SaaS data access is no isolated or trivial problem: “43% of data breaches analyzed in 2020 were attributable to web application vulnerabilities. While it may come as a surprise that nearly half of all data breaches can be traced back to SaaS applications, given the growing reliance on SaaS applications to promote business enablement, it makes sense that this is such a huge area of threat,” the report noted.

The report findings also illustrate that, on average, a 1,000-person company stores between 500,000 and 10 million assets in SaaS applications, and companies with unmanaged data may be allowing up to 200,000 of these assets to be shared publicly. DoControl aggregated and analyzed the data from the report and sorted the findings into internal and external threats.

When it comes to insider threats, an average of 400 encryption keys and 20% of SaaS assets are shared internally with anyone who has a link, exposing many employees to data points that they are not authorized to view. With regard to external threats, between 1,000 and 15,000 external collaborators and between 200 and 3,000 third-party companies have access to company assets, and 18% of SaaS application assets that are shared externally remain accessible even after removing users.


DoControl has aggregated and analyzed myriad data from its own customer base. Here’s the magnitude of SaaS exposure we’re seeing. Source: DoControl

Global software-as-a-service revenue is expected to grow exponentially, by nearly 38% to more than US$140 billion between 2019 and 2022, according to Gartner. Accompanying that rise is the threat of associated data leaks “growing exponentially,” DoControl says. While cloud-based software can increase efficiency, collaboration and productivity throughout an enterprise, DoControl believes the growing SaaS-based attack surface is a “significant threat that is often underestimated” by IT leaders in organizations. 

The report concluded that while “the business world continues to allocate billions of dollars each year to investing in SaaS applications and application security, your SaaS data access exposure may be much larger than you realize, and it’s only going to continue growing. Understanding your company’s S-DEP measures is the first critical step to lowering your overall SaaS data access risk.”