Security breaches constantly make headlines in our always-online world. Most recently the WannaCry ransomware outbreak, French president Emmanuel Macron’s email hack, and the exposure of massive numbers of US voter records have made the news. These breaches can have wide-ranging impacts that cripple organizations across the world - including your own, and the SaaS and on-premise platforms your business uses.
And as with anything, organizations can take as many precautionary measures as possible. Firewalls and anti-virus software are standard measures. But there will always be holes hackers find to work their way in. However, you can do your best to reduce the number of holes. These “holes” are called attack vectors.
So what’s an attack vector, for those of us who don’t live and breathe online security? It’s a method of entry for a hacker to access a computer, server, or even an entire network. Hackers use attack vectors to retrieve valuable data (called payload), and use that data for malicious purposes.
Attack vectors come in all kinds of forms. Hyperlinks in email messages, attachments to email messages, instant messages, pop-ups, computer viruses - the list is long and varied. However, the key to these attack vectors is a slick combination: the attack vector must contain a delivery method AND the ability to fool the end user. (Hackers are not likely to send you an email with the title “This is a virus. Please open!”.)
Every employee has myriad opportunities to allow attack vectors to infiltrate your network, through any number of tools and platforms they use. Quite a scary prospect, at best.
So, how does SaaS management and optimization fit into the threat of attack vectors? Let’s compare two companies to get a better idea - company A and company B. They’re both technology companies that are about 5 years old.
Company A has grown rapidly without much oversight. Employees who need new tools are encouraged to do research on their own and use free trials before making purchases. As the company grows, SaaS usage is siloed in different departments, often with multiple contracts for one SaaS platform, license duplication, and unused licenses.
Company B grew quickly as well, but attempted to keep a centralized eye on employee tools and provide guidance where necessary. There were still cases where employees acquired SaaS tools without oversight, but eventually the new SaaS was reported back to upper management. If there are multiple contracts, duplicate licenses, and/or unused licenses, company B addresses it quickly.
How does company B’s oversight help from a security standpoint? Let’s refer back to what we discussed before: every tool an employee interacts with provides multiple attack opportunities. By reducing the number of tools, which in this case are SaaS licenses, you can reduce the number of attack vectors where hackers can make an entrance. The fewer openings where hackers can enter, the more secure your organization can be.
So what can you do to reduce attack vectors, regardless of how much oversight you’ve had in the past? By proactively managing your SaaS vendors, you can look for opportunities to save money AND provide better security.
First, get access to all your SaaS contracts, whether they are all in a central location or spread out across a series of department heads. In order to review your license count, you’ll need to know how much SaaS you have first - and whether you need it or are even using it. This might take a while, depending on how much you know (or don’t know) about the SaaS landscape.
As you evaluate SaaS platforms, make a plan to evaluate the number of users for each. How many licenses are unused for more than 60 days, for example? Could several users share a license if their usage levels are low? You’ll have a better idea of what you can cut and what must stay once you know what users are doing, and with how much frequency.
And lastly, once you’ve gone through this exercise, make it evergreen. Determine a process going forward to evaluate the need for any new licenses. Make sure employee offboarding steps actually happen, so you can cancel or repurpose licenses when an employee leaves.
And set up notifications with each SaaS platform to tell you which users haven’t logged in after your specified threshold.
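The review described above can be run as a script over a license export. This is an added example, not code from the original post; the CSV columns, the employee roster, and the `audit_licenses` function are hypothetical, and the sample data is constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample export: one row per assigned license (not real data).
LICENSES_CSV = """platform,contract,user,last_login
CRM,sales-2016,alice@example.com,2017-06-20
CRM,marketing-2017,alice@example.com,2017-03-02
CRM,sales-2016,bob@example.com,2017-02-11
Chat,it-2015,carol@example.com,2017-06-28
Chat,it-2015,dave@example.com,
Storage,eng-2016,bob@example.com,2017-06-25
"""
# Constructed roster of current employees; bob has left the company.
ACTIVE_EMPLOYEES = {"alice@example.com", "carol@example.com", "dave@example.com"}


def audit_licenses(csv_text, active, today, stale_days=60):
    """Return licenses to review: stale, orphaned, or duplicated across contracts."""
    findings = {"stale": [], "orphaned": [], "duplicate": []}
    contracts = defaultdict(set)  # (platform, user) -> contracts holding a seat
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["platform"], row["user"])
        contracts[key].add(row["contract"])
        if row["user"] not in active:
            # Offboarding did not reach this platform: the account still exists.
            findings["orphaned"].append(key)
            continue
        # An empty last_login means the seat was never used at all.
        if not row["last_login"]:
            findings["stale"].append(key + (None,))
            continue
        idle = (today - datetime.strptime(row["last_login"], "%Y-%m-%d").date()).days
        if idle > stale_days:
            findings["stale"].append(key + (idle,))
    # Same user licensed for one platform under more than one contract.
    findings["duplicate"] = sorted(k for k, c in contracts.items() if len(c) > 1)
    return findings


if __name__ == "__main__":
    report = audit_licenses(LICENSES_CSV, ACTIVE_EMPLOYEES, date(2017, 7, 1))
    for kind, items in report.items():
        print(kind, items)
```

Orphaned entries are the ones to act on first, since they are live accounts with no current employee behind them.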
Attack vectors are not going anywhere, and hackers will always come up with more creative means of entry. Protect your organization as much as possible by reducing opportunities for attack vectors through SaaS license monitoring. Not only will your organization be more secure, but you’ll also save on SaaS costs and gain valuable insights about SaaS in the process.