Three A’s of SaaS adoption, and why every company goes through them

Waterfall Security: Trust issues with your firewalls? Eliminating vulnerabilities that accompany firewalls is a click away.

I’ve noticed that as more and more companies turn to SaaS applications to power their business, they all experience the same journey along the way, more or less. Everyone goes through what I call “the 3 A’s of SaaS adoption”: aggravation, acceptance, and adoption.

Companies go through distinct stages of SaaS adoption. As your SaaS environment matures, needs shift and challenges evolve. But if you know what to expect at each stage and what’s coming around the corner, you can better prepare for it. You can mitigate security risks by cutting them off at the pass.

Here’s a glimpse into the key challenges every company encounters as they adopt SaaS, why they occur, and how to solve them.

Stage One: Aggravation

The nature of work is changing. Users want to bring their own devices and use SaaS apps at work. They want to use the same collaboration tools they used at home and access their information from anywhere. But if you’re reluctant to allow this, you’re in stage one.

At this point, you might feel annoyed — even aggravated — by the idea of SaaS apps. Increased productivity is great, but it’d also mean a loss of governance and control over your data. It’s common for IT to either implement prohibitively strict security measures or outright ban the use of SaaS apps and employee-owned devices.

The challenge for IT

But this approach isn’t practical. Sooner or later, employees will go rogue and take matters in their own hands. They will circumvent IT restrictions and find workarounds by purchasing and deploying SaaS apps by themselves, resulting in risky shadow IT. The key challenge for IT during this stage will be visibility into shadow IT—i.e., knowing who is using what.

How to solve this challenge

CASBs like Skyhigh (now McAfee), Netskope, Elastica (now Symantec), CipherCloud, and Palo Alto Networks’ Aperture came on the scene to address this problem. These products show all shadow and IT-sanctioned apps being used by an org, giving IT visibility into who is using what. They have since soared in popularity. In 2017, Gartner released its first-ever Magic Quadrant for CASBs, and there has been a spate of CASB acquisitions in recent years (Cloudlock by Cisco, Adallom by Microsoft, Blue Coat by Symantec, and Palerra by Oracle).

Stage Two: Acceptance

In stage two, you’ve accepted the fact that employees want to use the best applications available to them. The IT department starts purchasing, sanctioning, securing, and deploying core SaaS apps for their organizations.

In this phase, a whole new (and narrower) set of challenges will emerge.

The challenge for IT

Shadow IT will no longer be the problem. The problem will be getting visibility into identity and access—i.e., knowing who has access to which apps—given that SaaS apps house sensitive, critical data.

In legacy environments, Active Directory took care of this challenge. But in SaaS environments, how does IT administer SaaS credentials to users? Which employees have access to sensitive information? Is this usage compliant with corporate and regulatory policies?

You’ll realize that you need a way to control access to the SaaS apps you’ve recently deployed.

How to solve this challenge

IDaaS vendors like Okta, Ping Identity, OneLogin, Microsoft’s Azure Active Directory, and Centrify emerged to address this requirement. IDaaS products, which include SSO, MFA, and directory services, provide one set of credentials to access multiple cloud accounts. This solves the access challenge: Users can only access the cloud apps permitted by the group they belong to. The demand for IDaaS has risen in recent years. In June 2014, Gartner published its first Identity-as-a-Service (IDaaS) Magic Quadrant. They revamped it in 2017, creating the first-ever Magic Quadrant for Access Management. Google also acquired Bitium the same year. Okta has been a huge success story as well. It went public in 2017 and since then, its stock price has increased 130%.

Stage three: Adoption

Over time, as SaaS apps gain widespread adoption, they will become deeply entrenched in your business. They will become the system of record for critical data. You’ve now entered stage three: adoption. By this stage, shadow IT is under control. Identity and access are secured.

The challenge for IT

Now there will be a brand new (and even narrower) challenge: figuring out what people are doing inside these SaaS apps.

New security questions—questions that IT never had to think about before—will pop up. Are people sharing any sensitive files or folders publicly? Who has access to which files? Are users forwarding corporate email to personal Gmail accounts or making distribution lists public on the internet? Any of these actions could mean data breaches or compliance violations.

Are users suspiciously mass downloading files, or installing risky third-party apps or bots? Who has super admin access across SaaS apps? If two SaaS apps are integrated, data will live in multiple places. Is any of it exposed?

Why it’s a big challenge

This third stage is the most difficult one for because IT cannot answer those questions easily. They have no visibility into these areas. But they have to get visibility soon, because these exact security issues are making their way into the headlines now.

To be clear, these security incidents aren’t caused by IT incompetence or flawed apps. They’re caused by simple oversights and app misconfigurations. Privacy settings can be highly complicated, and while they can be misconfigured on purpose for nefarious reasons, many times it’s done unintentionally. In June, security researchers found that as many as 10,000 businesses were affected by a widespread misconfiguration in Google Groups settings, resulting in exposure of corporate data. The researchers attributed the accidental exposure to “complexity in terminology” and “organization-wide vs. group-specific permissions.”

How to solve this challenge

You couldn’t really solve this problem … until recently.

Just this year, 451 Research recognized the rise of a new IT market category: SaaS Operations Management (SOM). SOM consists of first defining acceptable use policies for SaaS apps and then using a platform to execute those policies—essentially being able to create, enforce, and optimize everyday usage policies for mission critical SaaS applications. This type of solution is emerging only now because it took time for these SaaS risks to become apparent. It took years of widespread use and adoption for these security threats to come to light.

I’ve always said SaaS is a double-edged sword, and it’s becoming very apparent now. The greatest benefits of SaaS apps—the freedom to share documents and collaborate with others—is also its greatest security risk.

Why the future of security is API-based

As I’ve described above, entire market categories have been created just to solve major IT challenges in the first two stages of SaaS adoption.

But we’re in the third (and most mature) stage right now. These challenges are only being addressed now, and IT needs to pay attention to them. Whether it’s intentional or not, people are doing risky things in SaaS apps under the radar. And IT has no idea it’s happening, because they don’t have the tools to get visibility into that kind of activity.

Take the Uber vs. Waymo trade secrets case for example. The head of Uber’s self-driving car project, an ex-Googler, downloaded 50,000 Google work e-mails in 2014 and stole 14,000 files with confidential and proprietary data just before he left Google. And nobody knew about it.

This real-life example highlights why having only security around networks, identity, and access is not sufficient. You need to go deeper.

This approach is about detection and remediation at an operational day-to-day level. You need to monitor for granular behaviors like sharing data publicly, downloading files in bulk, and forwarding corporate email to personal accounts. To have a strong SaaS security posture, you need to see entitlements, configurations, user activity, privacy settings, etc. And the only way to do this is through APIs.

People are using SaaS apps from anywhere they’d like. You can’t follow a network or device, so the only way to secure SaaS apps is to be in them via APIs. You have to follow the user activity and their data, because you can only only monitor and secure what you can see.

Which stage are you at now?

These three stages of adoption are universal for all modern workplaces shifting to SaaS. If you haven’t experienced each stage yet, you will eventually. It’s only a matter of time. But if you know which security threats to expect in your SaaS environment, you’ll be much better equipped to mitigate them — or avoid them altogether.