

How to thwart the risks presented by SaaS products

Employees love the ease of downloading apps. But IT needs to be vigilant in providing workers with what they want while maintaining security over SaaS products.

Corporate IT has always faced the balancing act of meeting end-user demand for better collaboration and supporting business requirements for security and governance.

Often IT plays the role of "Dr. No." Employees want to share documents easily or conduct video conferences inside the company or with partners and customers, yet IT is often the bearer of bad news, telling employees they can only use what IT provides, and consumer services and software as a service (SaaS) products are forbidden.

This approach was fairly easy to implement when everyone had locked-down corporate desktops, as employees aspiring to take advantage of a new app couldn't easily download it, install it on their computer, or run SaaS products on their personal mobile device.

But two recent trends have changed the dynamic: mobile app stores and WebRTC. App stores enable workers to easily download and use consumer apps, like WhatsApp, and business-focused collaboration apps, like Slack, on their iPads, iPhones and Android devices -- often without any corporate control.

Meanwhile, WebRTC apps like Appear.In, PubNub, Sqwiggle and Talky allow groups to meet in video conferences, often with accompanying screen sharing and text chat, all through a Web browser or mobile app -- again, outside corporate control.


The result is that the paradigm of tight corporate control over collaboration is changing. Now, IT must either provide the capabilities that employees demand, or run the risk of workers going outside the IT domain and getting apps on their own, leaving IT unable to enforce security policies that few SaaS products support, such as:

  • Corporate directory and single sign-on to prevent access for those employees who have left the company
  • Archiving data to meet regulatory or legal retention/hold requirements
  • Controlling the sharing of data to people outside the company and monitoring for data leak prevention
  • Mandating basic security controls like encryption at rest and in motion
  • Guarantees against the use of data for advertising
  • The ability to retrieve data if the organization decides to abandon the app
  • Independent security audits to meet ISO and other security models.

Already, we've heard stories of companies discovering that workers were using unencrypted consumer services for sensitive communications.

IT can proactively protect itself from risk, while meeting employee needs for collaboration, via the following steps:

  1. Work with lines of business to understand their needs, and more importantly, discover what requirements the current IT-supported apps are incapable of meeting.
  2. Work with partners to understand what additional capabilities and apps are available that could easily integrate into current platforms and with existing management and security strategies.
  3. Evaluate new collaboration apps to understand security capabilities, including encryption, key management, location of stored data, and the ability for customers to archive and retrieve stored data.
  4. Educate employees on the risk of using unsupported applications, especially when managing access by those outside the company and revoking access to those who leave their job.
  5. Develop a process for continuous evaluation of emerging SaaS products. IT needs to react to demand from lines of business. IT should also engage lines of business by educating them on new ways of collaborating to improve existing business processes or enable new procedures.

About the author
Irwin Lazar is vice president and service director at Nemertes Research.
