Avalanche or 'Appalanche': Who Should Really Own SaaS App Admin Management?
Across all companies, it’s estimated that 40% of all SaaS apps are managed and owned by non-security teams.
This story is part of Security Essentials, the IT Vault’s practical advice for getting the most out of your security team.
For many businesses, tech stacks are growing like crazy. It feels like new apps pop up every day, and, after a while, we start to wonder how we ever successfully operated our companies without our favorite SaaS tools. According to Productiv, the average SaaS portfolio contains 254 apps, and that number is growing!
Deciding to try a new app is easy, but figuring out who is going to manage the security and accounts in each new app is a piece of the puzzle that is often overlooked. If you’re not careful, your once well-managed SaaS app stack will feel less like a group of helpful tools and, instead, will start to feel like an avalanche, causing distress and leaving destruction in its path.
Problems arise when each team’s apps are managed separately and no common oversight or security strategy exists.
Whether we’re talking about cloud data platforms and collaboration apps or project management and marketing automation tools, each team in your company relies on a set of apps that increases productivity and output.
Problems arise when each team’s apps are managed separately and no common oversight or security strategy exists. If your business is growing, your tech stack probably is too, but is your SaaS app management strategy growing with it? Chances are, your strategy is outdated. In many businesses, no one really knows who is in charge of managing the security and access of their apps until a problem arises and fingers start to point.
Remember the game of hot potato you played with your friends as a kid? It’s kind of like that. Similar to how you don’t want to be the one holding the potato when the timer goes off or the music stops, nobody wants to be the person in charge of a SaaS app stack when a problem comes up or security is breached.
So, who’s playing this game of hot potato?
There are probably many people quickly and frantically passing the SaaS potato back and forth in your company in an attempt to avoid being the one responsible for inevitable security issues. Typically, the players include app admins in various business departments, IT admins, and security teams.
While each of these players has an important role, mismanaged roles can cause difficult and dangerous security issues for your company. Further, sometimes these roles can overlap causing stress and burnout…especially within smaller companies. Here’s how each of these players might be impacting your company’s SaaS app integrations and management:
01. App Admins
The role of an app admin can be different depending on the company or organizational layout. Sometimes the app admin is an owner of a specific app(s), or oversees a specific team or department’s tech stack. When a team member is hired or someone changes roles, app admins typically decide who needs access to which apps. They also likely decide which permissions each employee needs in each of their apps.
When app admins are caught in a game of SaaS app monitoring hot potato, they may make permission and access decisions based more on ease of accessibility and less on SaaS app security policy considerations. They might overprovision access in an attempt to avoid future access roadblocks, and, since security isn’t always top of mind, they may lack management of who has access to which apps. This makes things extremely difficult to track when it comes time for an IT security audit or a security issue arises.
02. IT Admins
The role of an IT admin is to make sure the internal IT structure of your business remains up-to-date by overseeing system and server upkeep and configuration. This often includes administering access to apps after app admins make access requests for their team members.
When IT admins get caught in a game of SaaS app admin hot potato, they are taken away from their important job of overseeing the internal IT structure and focusing on more strategic initiatives. With more and more companies allowing remote and hybrid work arrangements, the job of an IT professional is getting increasingly more demanding and time consuming, leaving them with even less time to focus on SaaS security concerns.
03. Security Team
The role of a security team is pretty obvious; to help keep the company’s sensitive data and servers secure. This includes developing the company’s security protocol, working to avoid known risks, and putting out security fires if they happen to arise. It also often includes SaaS app monitoring and SaaS app group policy control.
When the security team is caught in a game of SaaS app administration hot potato, they will likely find themselves missing obvious security threats because they have not been informed of the movements made in app management. They will likely have no way to view all of the security data they need and will be stuck chasing fires instead of preventing them from the beginning.
Without one clear owner of the company’s SaaS apps, each player interferes with the others’ abilities to complete their unique jobs.
As you can see, each of these players has an important role to play when it comes to managing a company’s SaaS integrations, but, without one clear owner of the company’s SaaS apps, each player interferes with the others’ abilities to complete their unique jobs. When an app admin over-provisions access to their team’s apps in an attempt to make it easier on their team, the IT admins are overwhelmed by requests to give every employee access to every app.
When an IT admin gives every employee access to every app without considering security protocol, the security team is overwhelmed by security risks and fires that could have easily been prevented by de-isolating SaaS apps and choosing one group to actually have SaaS app usage policy control.
The De-Isolation of SaaS Apps
In a survey about SaaS apps and security, participants were asked their opinions on the main reasons for misconfiguration-led security incidents. Respondents cited the following reasons as the top four problems:
1. “Too many departments with access to security settings.”
2. “Lack of visibility to security settings when they are changed.”
3. “Lack of SaaS security knowledge.”
4. “Misappropriated user permissions.”
All of these reasons can be attributed to isolated app ownership and lack of visibility by the security team.
Without full control of a company’s SaaS app stack, there is no way for the security team to successfully keep the company secure. Across all companies, it’s estimated that 40% of all SaaS apps are managed and owned by non-security teams.
This is a problem, because when the security team does not have complete SaaS app visibility and ownership, app admins will continue to request access to new apps and accounts for new employees and IT admins will grant unnecessary access and accounts. This perpetuates the cycle, leaving security teams without knowledge of these new accounts and apps… that is, at least, until a security issue arises.
The solution to this problem that has been created by a confusing game of hot potato and a whole bunch of finger pointing is to increase visibility into these apps and centralize SaaS app usage group control.
The best, most secure way to do this is to give the security team control and oversight of the company’s entire tech stack. When a company does this, IT and app admins often find that they have more time to do their actual jobs, and the security team spends less time putting out fires that could have been prevented.
The tech that makes this possible
88% of IT leaders believe that a central SaaS management strategy and location would allow teams to focus on strategy, simplify processes, and increase visibility. If this is the case why isn’t everyone doing it?
App admins and IT admins play an important role in making sure that every employee has the access they need to the apps they use in order to get their jobs done. Because of this, there needs to be a way to connect app and IT admin requests to the security team’s SaaS management system. But, truth is, it’s hard to find a program that allows security teams to have total oversight of the company’s tech stack while not taking all of the power away from app and IT admins.
Enter: Lumos SaaS app management.
Our SaaS automation and app management tool allows app admins to seamlessly request the permissions and accounts their employees need and IT admins to easily grant the correct access, all while security teams have full visibility into the distribution of all SaaS accounts and permissions and have the ability to set account and access parameters.
Even better yet, not only does Lumos help security teams prevent security issues by increasing visibility, it also makes it easy for them to prove this security when it comes time for an audit or an IT security compliance check.
Nearly 50% of companies say that they spend too much time manually managing SaaS apps. By helping all of the important players work together, Lumos automates this process and turns the game of SaaS admin hot potato into simple and safe SaaS management, saving the whole company from stressful audits and the metaphorical burnt hands that security fires cause. Let’s chat! Book a quick demo here.
The Era of Apps and Data - How to Use The Power for Good (and avoid analysis paralysis)
You came, you saw, you collected…data, that is. From app data to data from tools to customer information, you now have a lot of data stored in a lot of places. According to estimates, 2.5 quintillion bytes of data are collected every day. That’s 18 zeros, so to say a company is inundated with data is an understatement.