SaaS applications are dominating the corporate landscape. Their increased use enables organizations to push the boundaries of technology and business. At the same time, these applications also pose a new security risk that security leaders need to address, since the existing security stack does not enable complete control or comprehensive monitoring of their usage.
LayerX has recently released a new guide, “Let There Be Light: Eliminating the Risk of Shadow SaaS” for security and IT teams, which addresses this gap. The guide explains the challenges of shadow SaaS, i.e., the use of unauthorized SaaS apps for work purposes, and suggests practices and controls that can mitigate them. The guide also compares various security controls that attempt to address this risk (CASB, SASE, Secure Browser Extension) and explains how each one operates and its efficacy. Consequently, the guide is a must-read for all security leaders at modern organizations. Here are the main highlights:
What’s the Risk?
According to LayerX, 65% of SaaS apps are not approved by IT and 80% of workers admit to using unapproved apps. This means that the majority of organizations are dealing with their corporate data being potentially exposed to external threats.
The three main risks posed to organizations are:
- Data Loss – Exposure of sensitive data through various SaaS apps. These include ChatGPT or other GenAI apps, spelling checkers, apps that help manage data files, etc. This leakage could be inadvertent through “innocent” apps. Alternatively, it could be the result of employees using maliciously created SaaS apps, intended to be used as a decoy and to lure employees to share sensitive data.
- Identity Theft and Account Takeover – Malicious access to corporate credentials. This happens when employees login to SaaS apps with their work emails and, usually, a recycled password, and attackers obtain this information.
- Compliance and Privacy Violations – Violation of privacy regulations due to the exposure of private and sensitive data across public channels.
Shadow SaaS Mitigation Guidelines
To address the risk of shadow SaaS, the guide introduces a three-pronged approach: App Discovery, User Monitoring, and Active Enforcement. Each aspect is dissected and explored, providing readers with a clear roadmap to effectively protect their systems and resources.
As a part of this exploration, the guide compares two options for shadow SaaS mitigation: the traditional Proxy approach and the Browser-based solution. Each approach is broken down into pros and cons, equipping readers with the information they need to decide which path best suits their organizational needs.
At a glance, here’s what the comparison boils down to (you can read the complete analysis in the guide:
| App Discovery | User Monitoring | Active Enforcement | |
| Proxy (SASE, CASB) | Y | N | Partial |
| Secure Browser Extension | Y | Y | Y |
Secure Browser Extensions
Ultimately, Secure Browser Extensions emerge as the most comprehensive and user-friendly solution for combating shadow SaaS. These extensions empower IT and security teams to regain control of their SaaS environment, while providing visibility and governance of SaaS app use. This ensures a secure yet flexible workspace.
Here’s how secure browser extensions work:
- Discovery of All SaaS Apps – The secure browser extension performs continuous analysis of browser sessions, showing IT teams which SaaS apps the workforce is accessing.
- Identity Security Posture Hardening – The secure browser extension can integrate with the cloud identity provider and act as an additional authentication factor. This prevents attackers with compromised credentials from accessing.
- Alerts on Critical Changes – The secure browser extension can also identify when a new user account is created. Then, an alert is triggered so the identity team can examine these apps and determine whether they align with the organization’s security policies or not.
- Governance and Control – The secure browser extension can block access to apps that are flagged as risky and block data upload from the user’s device to the risky app.
SaaS apps are easy to use and they benefit the organization’s operations. Security and IT teams who aspire to be business enablers need to find ways to allow the use of SaaS apps, while ensuring protection of corporate environments. A secure browser extension is the solution that can provide both. To learn more, read the complete guide.
