A recent study by IT services and solutions provider Softchoice reports that employees who use SaaS applications are significantly more irresponsible about password security, file transfer and IT compliance at work-all behaviors that can expose corporate data to unintentional leaks and malicious attacks.
[Related: 10 Cloud Security Startups to Watch in 2014]
With the help of The Blackstone Group, Softchoice surveyed 1,000 full-time employees in the U.S. and Canada about IT compliance, password security and file transfer.
The Problem with Passwords
On the password front, the study found the following:
- SaaS app users are more than two times more likely to display their passwords on sticky notes than non-SaaS users. Fully 25 percent of SaaS app users display their passwords on such notes, while only 10.2 percent of non-SaaS users do the same.
- SaaS app users are 10 times more likely to store their passwords on unprotected or shared drives than their counterparts. The study found 21 percent of SaaS app users store their passwords on unprotected or shared drives, while only 2.1 percent of non-SaaS users do so.
- People using SaaS apps for work are three times more likely than non-SaaS users to keep passwords in an unprotected document. The study found that 29.1 percent of SaaS app users do so compared with 10.4 percent of non-SaaS users.
- Age plays a component. The study found 28.5 percent of 20-somethings keep their app passwords in plain sight compared with 10.8 percent of Baby Boomers.
It's not that SaaS app users care less, Kane says. Instead, much of the blame lies with the fact that employees using SaaS apps for work are saddled with an ever-increasing number of passwords to wrangle.
The study found 36 percent of employees using SaaS apps for work access five or more different apps on the job and the trend seems to be rising. The temptation, Kane says, is either to recycle the same passwords over and over again (or slight riffs on the same passwords) or to use external reminders to keep log-ins straight.
[Related: 5 Tips to Keep Your Data Secure on the Cloud]
"We don't see any kind of malicious behavior," says Michael Kane, director of Cloud & Client Software at Softchoice. "The driving motivation behind this is people are trying to be more productive. As the number of SaaS applications increases day-over-day, they are using an ever increasing number of passwords."
"There's not a lot of identity management or single sign-on in organizations yet, so they don't have the tools to protect those passwords," he adds.
Best Practices in SaaS Password Security
To get the password situation under control, a good start is a company-wide security protocol, Kane says. Such a protocol won't solve many of the problems above, but a well-crafted one can at least guide employees to using stronger passwords rather than distressingly common ones like "123456" or "password."
A better step is to enable on-premises-based single sign-on tied to your existing directory service (e.g., Active Directory). But the best option, Kane says, is a secure, cloud-based single sign-on solution tied to your existing directory service. Not only will this help your employees get down to a single password, it also creates a very tangible benefit for business units that use IT to help enable their SaaS apps rather than going the shadow IT route.
The File Transfer and Remote Access Problem
File transfer and remote access SaaS apps, like Dropbox, are among the most common examples of Shadow IT in the enterprise. The study found the following:
- SaaS app users are two times more likely to email work files they need to a personal account than non-SaaS users. The study found 59.1 percent of SaaS app users email work files to personal accounts, while 27.5 percent of non-SaaS users do the same.
- SaaS app users are four times more likely to attempt logging into a work account associated with a former job than non-SaaS app users. The study found 17.7 percent of SaaS app users attempt to log into a work account associated with a former job while only 3.7 percent of non-SaaS app users do so.
- SaaS app users are 16 times more likely to access work files through an app that IT doesn't know they have than non-SaaS app users. The study found 27 percent of SaaS app users attempt to access work files through an app IT doesn't know they have compared with 1.6 percent of non-SaaS users.
And, in fact, the desire for instant information gratification seems to spike as employees use more SaaS apps. The study found that 76 percent of SaaS app users have needed to access work files while away from the office while 58 percent of non-SaaS users have found themselves in the same position.
Finding an app that makes one's daily job responsibilities easier is often perceived as more important than running those apps by IT first, Kane says. It becomes easy to personally justify unprotected email exchanges and meddling into old accounts because, "I need it now."
Best Practices for Foolproof File Transfer
There's no stuffing the genie back in the bottle, and you probably wouldn't want to even if you could. In general, employees aren't engaging in these risky behaviors for malicious reasons; they're trying to find ways to be more productive.
"This isn't about blocking," Kane says. "It's about enabling the right application. And you've got to communicate the reasons why this is the right application for the end users to use."
A good option, Kane says, is standardizing on a cloud-based collaboration platform solution, whether that's Box or Dropbox for Business or any of the myriad of enterprise-focused competitors out there.
A better option is to standardize on a cloud-based collaboration platform and couple it with a mobile device management strategy that addresses bring your own device (BYOD).
The best option, Kane says, is to do that and add a cloud platform to provide end-user management and reporting capabilities to mitigate future risk.
"You want to have the same end-user experience [that you would have with a consumer-grade file sharing platform] while maintaining the security and compliance you need to have," he says.
Partly Sunny Cloud IT Compliance Picture
The study found that nearly one-third of SaaS users had downloaded an app without letting IT know. Thirty-nine percent of those users started using the app for personal reasons but then started using it for work as well.
That can create all manner of compliance issues because IT lacks visibility into the applications employees are using and how the company's data is flowing through those applications.
"You've got to have visibility into these SaaS applications," Kane says. "If you don't, compliance gets very difficult to manage."
For now, SaaS app users' perception of IT is a mixed bag. Only 37 percent of SaaS app users say their IT departments get them what they need, and 46 percent say that when IT does find an unsanctioned app, it provides a secure equivalent.
On the positive side, 67 percent of SaaS users say IT is responsive to them. And 79 percent of employees say IT takes some form of action when an unsanctioned SaaS app is found.
On the whole, Kane says, IT teams have better reputations with end-users than they think, and end-users will tend to listen if IT communicates its reasons to the end users. To that end, IT teams need to stop turning a blind eye to rogue app downloads and instead delete and block the rogue apps and find safer alternatives.
The latter is critical, as employees will continue to seek ways to do their work better and more efficiently. Ultimately, Kane says, IT must teach employees best-use standards that will protect them at work and in their personal lives.
Best Practices for Moving from IT Gatekeeper to SaaS Enabler
A good start is a third-party scan of your IT environment to uncover sanctioned SaaS app use combined with communicating the risks of shadow IT to employees.
"The SaaS applications are already here," Kane says. "Every single time we've conducted a scan like this, there have been more than IT suspects."
Even better is to combine the above with a standard "safe" vendor list for SaaS apps. But the best option, he says, is standardized procurement from a "safe" list of vetted SaaS apps, all accessed through an identity management platform to centralize provisioning and deprovisioning capabilities via a cloud portal, enabling lines of business to make their own choices while minimizing risk for IT.
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.
Read more about security in CIO's Security Drilldown.