SaaS Shadow IT

The use of software as a service (SaaS) is experiencing rapid growth and shows no signs of slowing down. Its decentralized and easy-to-use nature is beneficial for increasing employee productivity, but it also poses many security and IT challenges. Keeping track of all the SaaS applications that have been granted access to an organization's data is a difficult task. Understanding the risks that SaaS applications pose is just as important, but it can be challenging to secure what cannot be seen.

Many organizations have implemented access management solutions, but these are limited in visibility to only pre-approved applications. The average medium-sized organization has hundreds, and sometimes thousands, of SaaS applications that have been adopted by employees who needed a quick and easy solution or found a free version, completely bypassing IT and security. This leads to a significant risk as many of these applications do not have the necessary security and/or compliance standards and yet, they have permissions into the organization.

Wing Security recently announced that it is making its SaaS application discovery engine available as a free, self-service product. The tool is designed to help companies identify risky SaaS applications that have been adopted by employees without following company policy.

Democratizing SaaS Discovery

The risks associated with SaaS Shadow IT have become more prevalent in recent years due to the widespread use of SaaS within organizations. However, many of the security solutions that were available in the past focused on making security teams aware of the problem, rather than providing in-product or automated remediation capabilities. Indeed, the first step in addressing SaaS-related risks is to have a clear understanding of the SaaS stack in use within the organization. This information should be easily accessible and just as simple to navigate as the SaaS applications themselves.

To help security teams gain proper visibility and understanding of the risks associated with the growing use of SaaS, Wing Security (Wing) has decided to offer its SaaS Discovery tool as a free, self-service product. The company aims to provide security teams with a comprehensive view and better understanding of the SaaS applications used within their organization, regardless of their size or the size of their budget.

What is included in the Wing Security Free edition?

  • Quick and easy self onboarding.
  • Friendly dashboard view of the SaaS applications being used within the organization, 3rd party applications included.
  • Risky applications are flagged within the system.
  • Details of which compliance standards each SaaS application meets, how it is connected to the organization, the permissions it has been granted, and which users are using it (for the first 100 applications).
  • Wing Security's reputation score for each SaaS application expressed as "shields" with 0 to 3 shields.
  • Classification and tagging options.
Wing Security Free edition.

Non-Intrusive Discovery: No agent, no proxy

Understanding that modern security solutions should not be intrusive in any way is at the core of Wing Security's new offering. To map out an organization's use of SaaS applications, Wing connects to major, IT-approved SaaS applications using APIs. These are applications that are commonly used in almost every environment, such as Google, Office 365, Salesforce, GitHub, and Slack, to name a few.

Wing is then able to map out all the SaaS applications that are connected to these applications and the ones connected to them. SaaS applications are interconnected in a giant mesh, creating a "shadow network" of connections. This shadow network is used by Wing to map out applications, but it can also be a security concern as it can be used for lateral movement within the organization. In its full enterprise offering, Wing also maps out all the users who use these applications, the data that resides in and between these applications, and provides near-real-time security alerts when an application in use is compromised.
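The transitive mapping described above can be sketched as a graph walk over the grant records exported from sanctioned platforms. This is an added example, not Wing Security's code; the grant rows, app names, scope strings and the read-only naming rule are constructed assumptions.

```python
from collections import deque

# Constructed sample inventory: (issuer of the grant, connected app, scopes).
# In practice these rows would come from each sanctioned platform's admin API.
GRANTS = [
    ("google", "notetaker-ai", ["calendar.readonly", "drive.readonly"]),
    ("google", "pdf-merge-free", ["drive"]),
    ("slack", "notetaker-ai", ["channels:read"]),
    ("slack", "standup-bot", ["chat:write", "channels:read"]),
    ("notetaker-ai", "crm-sync", ["contacts.write"]),
    ("crm-sync", "mail-blaster", ["contacts.readonly"]),
    ("github", "ci-badges", ["status:read"]),
]
APPROVED = {"google", "slack", "github"}  # IT-approved starting points


def shadow_network(grants, approved):
    """Breadth-first walk from the approved platforms.

    Returns {app: shortest path from an approved platform} for every
    unapproved app that is reachable, directly or through other apps.
    """
    edges = {}
    for src, dst, _scopes in grants:
        edges.setdefault(src, []).append(dst)
    paths = {root: [root] for root in approved}
    queue = deque(sorted(approved))
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in paths:  # first visit is the shortest path
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return {app: p for app, p in paths.items() if app not in approved}


def is_read_only(scope):
    # Assumption: read-only scopes are named "...readonly" or "...:read".
    return scope.endswith("readonly") or scope.endswith(":read")


def risky_grants(grants):
    """Grants that carry at least one scope beyond read-only."""
    return sorted((src, dst) for src, dst, scopes in grants
                  if not all(is_read_only(s) for s in scopes))


if __name__ == "__main__":
    for app, path in sorted(shadow_network(GRANTS, APPROVED).items()):
        print(f"{app:15} hops={len(path) - 1}  via {' -> '.join(path)}")
    print("non-read-only grants:", risky_grants(GRANTS))
```

Apps more than one hop away (here `crm-sync` and `mail-blaster`) never appear in an approved platform's own list of connected apps, which is why the walk has to continue past the first layer.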

Wing Security 'Connects' to SaaS applications through APIs

What's required from the users?

In keeping with Wing Security's non-intrusive discovery, the Wing Security Free edition requires very basic permissions, which can be granted by the organization's super admin.

Most of the required permissions are read-only. There is one permission within Google that requires 'manage' access; it is requested so that Wing can provide visibility into the tokens that users have issued to 3rd party apps. Wing Security mentions on the relevant product page that keeping customers' data safe is a priority, and lists the compliances it has in place for data security.


What counts as 'SaaS'?

While the term SaaS traditionally stands for Software as a Service, not all SaaS these days is paid for, as the word 'Service' might imply. There are 3 common types of SaaS in use these days:

  • Widely used enterprise SaaS such as Slack, Dropbox, Google, Microsoft, whose user base mainly consists of paid users.
  • Niche-use, somewhat lesser-known SaaS that targets specific industries, such as Figma or Canva for design, Outreach for sales, GitHub for engineers, and Wing for SaaS security. Users of these SaaS applications can include both paid and non-paid users.
  • Completely free apps used by individuals, probably without anyone else knowing about it. This also includes apps that someone signed up to for a free trial and then forgot about for whatever reason.

While these are the 3 main types of SaaS applications, they are more like markers on a spectrum. SaaS applications regularly move up and down this spectrum as the companies grow and evolve. But as long as these applications are logged into using the organization's email, they'll be discovered by Wing Security Free Discovery.

What is further available with Wing Security's paid version?

Wing Security's paid version is called the Wing Security Enterprise edition, which includes everything from the Free edition, as well as:

  • Deeper SaaS discovery, which includes discovery of all browser extensions and any kind of locally installed or in-house developed SaaS applications.
  • Monitoring for any sensitive data being shared on SaaS applications. For example: AWS keys shared on public Slack channels.
  • Management of user-related risks such as excessive permissions, user inconsistencies, or abnormal usage.
  • Real-time threat intelligence alerts and actionable updates in the event any SaaS apps being used within the organization are party to a breach or cyberattack.
  • Remediation tools. Many of the issues discovered by Wing Security can be resolved with just a few clicks within Wing's easy-to-use interface, without having to deal with solving them manually.
  • Built-in automation tools. Some SaaS security issues can be wide-reaching, with thousands of instances of the same issue repeatedly found. Manually attempting to fix the issue could take years! Wing's built-in automation tools make it possible to solve such cases in minutes, with just a few clicks. Long-term protection can be activated by setting up a policy which Wing Security then helps invoke, as new instances of the same issue are likely to appear again in the future.
  • End-user engagement. A nice added detail within the Wing interface is that the automation can be set up to include keeping the end users in the loop. Either by simply informing them of the issue and how it was fixed, or by letting them click 'Approve' to let the issue be solved by the automation. In the event users ignore or miss the message, a default is in place to automatically 'Approve' the task after a set amount of time.

In summary, Wing Security's new tool addresses the growing use of SaaS and the security and IT challenges it poses, by tracking the SaaS applications that have been granted access to an organization's data. The free edition includes a quick and easy self-onboarding process, a friendly dashboard view of the SaaS applications in use, risky applications notice, compliance and permissions information, and a reputation score for each application. The tool uses a non-intrusive method, connecting to major IT-approved SaaS applications using APIs, to map out an organization's use of SaaS applications without causing any disruption.



This article is a contributed piece from one of our valued partners.