With widespread adoption of SaaS, is data security becoming a matter of concern?

While its security ramifications can be alarming, the pandemic paved the way for rapid cloud adoption,which further acted as a catalyst for the SaaS space to grow rapidly -

As companies continue to explore new ways to reduce costs and retain talent, the use of Software-as-a-Service (SaaS) based services has steadily increased in recent years. With remote and hybrid work models becoming a mainstay, the pandemic has further accelerated its growth across most industries.

“SaaS emerged as early as the early computers of the 1960s.” explains Kushal Varshney, CTO – Virescent Infrastructure.“During the pre-pandemic times, businesses were using SaaS applications, but the pandemic only accelerated its adoption. With organizations advancing on their digital transformation journey, the adoption of SaaS services is going to be even more rapid after the pandemic.”

Taking the HR industry as an example, Chayan Mukhopadhyay- Co-Founder and CEO of Qandle states that according to ISG’s 2021 Survey on Industry Trends, 46% of HR organizations used either SaaS or hybrid solutions in 2020, which has gone up by 26% compared to 2018. “This is also higher than what was predicted in ISG’s 2019 survey (41%). Further, 57% of organizations expect to use a SaaS or a hybrid solution by 2023,” he says.

“The best part is SaaS products are not heavy on pockets and doesn’t require development or training cost. They are ready to use software, with a simple drag and drop, easy to use UI, which almost any and every one can just sign up and start using the services,” opines Sarvagya Mishra, Co-Founder, SuperBot.

With most of the OEMs discontinuing or discouraging old perpetual software license models, SaaS or the subscription model has been getting the much needed push.

Is the SaaS model running the risk of Shadow IT?

When it comes to SaaS-based cloud services, the major security concerns which arise are data security and its leakage. Misconfigurations, access management, regulatory compliance, data storage, data retention, privacy and data breaches, are among some of the major SaaS security risks involved.

“In general if a company is following the standard industry level of data security protocols, the chances of a security breach or data leakage are very minimal. But even after following these protocols, there are grey areas which are at times misused by the breachers,” cautions Sarvagya.

The data centres offering cloud services are usually owned by a third-party provider and even though the ownership of data is with the company, they cannot possibly go and put any additional firewall or security layer to make the services more secure. It therefore becomes important for a SaaS provider using cloud services to maintain all the required industry protocols including the level of encryption required, regular analysis, etc. to maintain data security.

“It also becomes important for the customers to check where all the data gets stored, if the SaaS provider has any security certifications, and does the SaaS provider allow the clients to have any control over the location of data stored?”, opines Charan. “Moreover it is essential to know, for how long the SaaS environment retains the sensitive information the clients enter into the system.”

At a time when a hybrid working model is prevalent, there will be many such SaaS applications and software which will be bought by individual employees without the knowledge of the IT department. The SaaS model therefore also runs the risk of increasingly contributing to what is commonly known as Shadow IT.

“When the IT department loses control over the SaaS applications deployed, the entire company's data becomes vulnerable. Tech leaders need to keep an eye on shadow IT and it should be monitored at Board level, as the risk of using such software is that it can have cybersecurity flaws and lead to various incidents like sensitive data exposure, lack of control, unpatched vulnerabilities, compliance issues, inefficiencies, financial risks,” cautions Kushal.

He further comes up with an all-round approach every IT leader need to deal while addressing shadow IT -

· “Define major risks posed by shadow IT and address them: With appropriate discovery tools, web filtering, DLP (Data Leakage Prevention), Application control and Security solutions (SASE, MDM), this can be controlled (Prevented and monitored). Also, monitor your network and employee activity.

· Employee awareness as well as Vendor-Customer) awareness is very important: Educate them on the possible consequences of using untrusted software. Provide better tools and more user friendly systems to the users which are convenient and secured.

· Encourage employees to be transparent about what software they use - First, this will help detect the use of risky solutions. Second, new tools adopted by your employees may turn out to be more efficient than your standard software.”