SaaS Ecosystem Complexity Ratcheting Up Risk of Insider Threats

Even with common security platforms like CASBs, organizations struggle to deal with the volume of apps and accounts that interact with business-critical data.

The pressure of increasing software-as-a-service (SaaS) deployments in the enterprise and the complexity of administering accounts across a varied cloud environment is ratcheting up the risk of insider threats. A new study out this week shows IT and cybersecurity professionals are struggling to stem the tide of negligent and malicious insider incidents in this era of pervasive cloud sharing, even when they use common security tools like cloud access security brokers (CASBs).
And while maintaining privacy of customers personally identifiable information still remains a concern, the greater bulk of cloud-based insider risk revolves around business-critical data. So says the
2019 State of Insider Threats in the Digital Workplace
report, released Wednesday by BetterCloud, which shows almost half of IT leaders believe the rise of SaaS makes them most vulnerable to insider threats today.
Based on a survey of approximately 500 IT and cybersecurity professionals, along with internal security data at more than 2,000 organizations, the report finds 92% of organizations with more than a quarter of their mission-critical apps in the cloud feel vulnerable to insider threats. Of those SaaS vectors that open them up to insider issues, respondents overwhelmingly name cloud storage and email as the biggest challenges — 75% report these to be the breeding ground of the biggest insider threat risks.
Some of the biggest challenges organizations face when it comes to securing data and applications in SaaS ecosystem is the sheer volume and dynamic nature of applications and account connections in play. Another recent report, the
2019 Annual SaaS Trends Report
, by Blissfully, examines SaaS trends across nearly 1,000 companies and finds overall SaaS spending increased by 78% last year.
At this point, companies now spend more on SaaS than they do on equipping employees with laptops. But, unlike laptops, SaaS vendors can be switched out with very little friction, which means the makeup of any given companys SaaS stack is always in flux. The typical midsize company has seen 39% of its SaaS stack change in the last year, according to the SaaS report. Whats more, for every new SaaS app added or changed in an organizations ecosystem, the headache around managing account connections multiplies.
Take the typical organization with 200 to 501 employees. This kind of company uses an average of 123 SaaS apps, according to Blissfully. It sounds manageable, but across those the typical company of that size must keep tabs on an average of 2,700 app-to-person connections. That doesnt even account for the app-to-app connections that start to come into play when SaaS apps are integrated through APIs.
This pervasiveness and complexity is why so many larger organizations still struggle so mightily to take control over how users interact with and share data in SaaS apps today. After all, SaaS security is hardly a new topic — security strategists have been warning about data security in SaaS for a decade now. While the rise of the CASB has helped many organizations mitigate a lot of their SaaS security risks compared with the early days, this latest insider threat report shows 95% of stakeholders at companies that use a CASB still feel vulnerable to insider threats. The reasons cited for why include the escalating freedom of SaaS users that enable unchecked decentralization of SaaS, blind spots in SaaS security created by new interactions between apps, and the growing complexity of managing configurations and file permissions.
Plus, whereas in the past cloud and SaaS security was usually a compliance or regulatory concern, BetterClouds insider threat report shows that 57% of organizations say insider cloud risks are highest around data fundamental to the existential viability of the business. This includes confidential business information and intellectual property.
According to other recent reports, the pressure is only going to increase. Last month a
joint report from Oracle and KPMG
found almost half of IT and cybersecurity professionals expect to store the majority of their data in the cloud by 2020. In addition, 92% of organizations said they are concerned about employees following cloud policies to protect that data, and 82% are still so unclear about the shared responsibility model of security that theyve experienced a security event as a result.
Related Content:
Your Employees Want to Learn. How Should You Teach Them?
Debunking 5 Myths About Zero Trust Security
Its Time to Rethink Your Vendor Questionnaire
Care and Feeding of Your SIEM

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industrys most knowledgeable IT security experts. Check out the
Interop agenda
here.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
SaaS Ecosystem Complexity Ratcheting Up Risk of Insider Threats