Two Speeding Trains: The SaaS Race and Securing Unstructured Data
Remember that age-old SAT question: “if two speeding trains are heading in the opposite directions at different speeds on the same track, how long will it take for them to collide?” In many ways, this feels like the reality of enterprise IT today when it comes to SaaS application adoption. The use of SaaS applications continues to speed up, but the ability for companies to protect all of that data can’t keep up with the pace.
On average, there are 3 to 4 times more SaaS apps in use at a company than the IT department is aware of, and it’s estimated that by 2022, 90% of enterprises will rely on SaaS apps to execute business objectives. It’s the lack of visibility into SaaS apps that’s the issue, coupled with who has access to both the apps and the sensitive data within, that really highlight the gaping holes in a company’s security posture.
Oftentimes, organizations are not extending their identity security policies to include both the access their workforce has to SaaS apps and the data stored in those apps. While SaaS applications house large volumes of structured and unstructured data, it is the unstructured data that gives companies the biggest headache. That’s why unstructured data is a leading contributor to the rise in security compromises, eventually leading to a train wreck of massive proportions.
To better understand the state of unstructured data and surrounding security practices, we recently conducted a survey with Dimensional Research. We found more than 9 out of 10 companies are in the process of moving their unstructured data to the cloud. Furthermore, approximately 76% of companies have encountered challenges with protecting unstructured data, including unauthorized access, data loss, compliance fines, and more.
Nearly every company surveyed reported managing access to unstructured data was difficult, citing numerous challenges such as a lack of a single access solution for multiple repositories, too much data, and lack of visibility (into access, where data lives, who owns it, etc.). Additionally, more than 4 out of 10 companies admitted they don’t know where all of their unstructured data is stored.
Given these numbers, it is unsurprising that a Canalys report found companies are spending record sums on cybersecurity to protect the rapid digital transformation we’ve experienced over the last year. Yet, the number of successful attacks continues to be higher than ever. Specifically, Canalys reported that “more records were compromised in just 12 months than in the previous 15 years combined.”
It is easy to connect the dots between these findings and the rise in cloud adoption, the unstructured data that resides in the apps and systems in the cloud, and IT’s attempts at securing this monster network of information. Our survey also found more than a quarter of companies fail to perform regular reviews of user access privileges. What’s more, one-third of companies lack real-time alerting when unauthorized access occurs with unstructured data.
The encouraging part is that by extending identity security at the implementation stage to manage data access, many processes can also be automated to expedite access certifications and feed information to your identity solution. When IT has all the information of an organization’s users and their access – to both applications and data – they have the power to quickly make the right decisions in the event of a data breach.
As a former CISO, I know how hard it is to keep a watchful eye over a companies’ entire digital ecosystem, especially given the rapid acceleration of cloud adoption and pivot towards SaaS structures. This security pain point is something SailPoint understands well and why we recently took steps to ensure we can continue to help our customers mitigate risk – now and in the future with our acquisition of Intello.
Good leaders know that their people come first, but the data that drives their business is a close second. Many IT leaders I talk to struggle with securing unstructured data – or worse, are not considering it as part of their overall approach to identity security, which is a huge miss. I think some of this concern might fall to the wayside if we smartly align our security practices to the trends predicted and stop these racing trains before they collide.