Maintaining visibility of data access in today’s world of proliferating Software-as-a-Service (SaaS) applications is a bit like taking a group of toddlers to the funhouse hall of mirrors. You thought it would be a manageable situation, but pretty soon you’ve lost track of half the kids and are frantically searching for them, fearing you’ll never see them again.
SaaS Data Access Chaos
Managing data access is fairly straightforward in a traditional on-premises environment. Each application or file storage system allows granular data access privileges. You develop an Access Control List (ACL) and map it to your user directory. You can provision or de-provision access to data as you want. SaaS is an entirely different situation.
SaaS applications, along with cloud data repositories, present a range of data access challenges. The primary problem is one of visibility. An administrator has to go into a SaaS app to figure out who is accessing it. SaaS also typically allows for external users, so a contractor or vendor could have access to corporate data without a coherent way of tracking that access.
It’s a recipe for chaos. With organizations of over 1,000 employees using an average of 177 SaaS applications, it is effectively impossible to know who has access to a given data set. Those responsible for data security and privacy cannot, in practical terms, keep track of how widely an application has made its data available, and for how long.
Such data access chaos can have an impact on the business. At a minimum, it’s not optimal for operations. Employees may not know where they can securely store files and records. Nor will it be clear whom to ask for data access. It’s also insecure, with data vulnerable to unauthorized access.
Access Control is Difficult in SaaS
SaaS data access control is difficult. Each application provider has its own internal data access controls, so security and privacy stakeholders must learn how each SaaS app handles them. Considering that a company could have a couple of hundred SaaS apps, someone (or some group) has to master a lot of different access rules. It takes expertise, and managing access will inevitably involve time-consuming manual processes.
Individual employees have to request access to SaaS apps, and then someone has to go through the manual process of provisioning that access. This is already inefficient, but the real issues come with tracking access privileges and de-provisioning them when an employee leaves the company or changes role. And because SaaS access is browser-based and does not depend on presence on the corporate network, there is a significant insider risk: a former employee whose SaaS accounts were never de-provisioned, perhaps unhappy with the company, could easily log into a SaaS app from home and access all sorts of private information.
How to Handle SaaS Data Access Chaos
Best practices are emerging to help businesses get on top of SaaS data access chaos. One proven approach is to concentrate on high-impact data. This is where visibility into access is critical. For example, SaaS- or cloud-based data that contains proprietary corporate information or intellectual property (IP), or personally identifiable information (PII), should get the highest priority for access control. Not all data will fall into this category. A cloud drive containing marketing decks, for instance, should not be considered high-impact. From there, it’s a matter of understanding who has access, whether they are internal or external, and remediating any incorrect or obsolete provisioning.
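The review just described, and the de-provisioning gap raised in the previous section, can be reduced to a reconciliation exercise: pull each app’s user list, compare it against the HR directory, and flag what should not be there. The script below is an added illustration of that exercise; it is not from the article and not Suridata’s product. It assumes each SaaS app can export its user list with a last-login date, that the security team has tagged which apps hold high-impact data, that HR can export an employment-status list, and that the company’s only e-mail domain is example.com. Every record in it is constructed sample data.

```python
"""SaaS access review: flag orphaned, external, unknown and stale access, high-impact apps first."""
from dataclasses import dataclass
from datetime import date

# Assumption: the organisation's own e-mail domains; any other domain is an external user.
CORPORATE_DOMAINS = {"example.com"}

# Constructed HR export (email -> employment status). Only "active" staff should hold access.
HR_DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "terminated",   # left the company; every SaaS account should be gone
}

# Constructed per-app access exports, one row per (app, user), as an admin would pull from each app.
# high_impact marks apps holding IP, proprietary data or PII; the marketing drive is deliberately not.
SAAS_ACCESS = [
    {"app": "crm", "high_impact": True, "user": "alice@example.com", "last_login": "2024-06-01"},
    {"app": "crm", "high_impact": True, "user": "carol@example.com", "last_login": "2024-05-20"},
    {"app": "crm", "high_impact": True, "user": "vendor@partner.example", "last_login": "2024-01-05"},
    {"app": "hr-files", "high_impact": True, "user": "bob@example.com", "last_login": "2023-11-02"},
    {"app": "marketing-drive", "high_impact": False, "user": "vendor@partner.example", "last_login": "2024-06-10"},
    {"app": "marketing-drive", "high_impact": False, "user": "dave@example.com", "last_login": "2024-06-11"},
]

# Constructed "today" so the run is reproducible.
REVIEW_DATE = date(2024, 6, 15)


@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    issue: str        # orphaned-account | external-on-high-impact | unknown-internal | stale-access
    high_impact: bool


def classify_user(email: str, hr: dict) -> str:
    """Place a user in one of four buckets using the e-mail domain and the HR export."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain not in CORPORATE_DOMAINS:
        return "external"
    status = hr.get(email.lower())
    if status is None:
        return "unknown-internal"      # corporate address with no HR record: nobody owns it
    return "active" if status == "active" else "departed"


def review_access(access, hr: dict, today: date, stale_days: int = 90) -> list:
    """Reconcile app user lists against HR and return findings, high-impact apps first."""
    findings = []
    for row in access:
        kind = classify_user(row["user"], hr)
        high = row["high_impact"]
        if kind == "departed":                       # de-provisioning was missed
            findings.append(Finding(row["app"], row["user"], "orphaned-account", high))
            continue
        if kind == "unknown-internal":
            findings.append(Finding(row["app"], row["user"], "unknown-internal", high))
            continue
        if kind == "external" and high:              # contractors/vendors on sensitive data
            findings.append(Finding(row["app"], row["user"], "external-on-high-impact", high))
        last_login = date.fromisoformat(row["last_login"])
        if high and (today - last_login).days > stale_days:   # access nobody has used
            findings.append(Finding(row["app"], row["user"], "stale-access", high))
    # Stable sort: high-impact apps first, then by app and user, so reviewers work the worst first.
    findings.sort(key=lambda f: (not f.high_impact, f.app, f.user))
    return findings


def summarize(findings) -> dict:
    """Count findings per issue type for a one-line status report."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(SAAS_ACCESS, HR_DIRECTORY, REVIEW_DATE)
    for f in results:
        print(f"{'HIGH' if f.high_impact else 'low '}  {f.app:16} {f.user:24} {f.issue}")
    print(summarize(results))
```

Run as-is, the script reports the terminated employee who still has CRM access, the vendor on a high-impact app (whose last login is also months old), an active employee with stale access to HR files, and an address that HR does not recognise. The vendor’s access to the marketing drive produces nothing, which is the point of tagging impact: review effort goes to the data that matters.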
Lee Kappon is a data security expert and was listed on Forbes’ 30under30 list. She is the CEO & Co-Founder of Suridata, a startup company that is developing the next-generation data protection solution.
Forbes Israel contributors are independent writers who were individually selected by Forbes staff. The writers are experts in their fields and provide professional commentary and analysis of current events. The content is unsponsored.