Software as a Service (SaaS) is increasingly commonplace in the modern workplace, but the forecast isn't all sunny. In a worrisome trend, end users have grown lax when it comes to SaaS security practices, according to a recent study sponsored by Softchoice, a cloud and IT services provider. SearchManufacturingERP Site Editor Brenda Cole spoke with Mike Kane, director of cloud and client software at Softchoice, to discuss the study and the critical importance of SaaS management when it comes to security.
How did you conduct this study and why?
Mike Kane: We have a cloud practice that is focused around Software as a Service management, so we try to get a better understanding of the behavior of end users. We commissioned a firm called the Blackstone Group to run the study, because we wanted to go outside our own customer base and cast a broader net. They spoke to thousands of full-time informational workers in the U.S. and Canada, with a pretty even split between the midmarket and the enterprise spaces.
What are some examples of unsafe practices around SaaS management in the workplace?
Kane: We found that end users are taking some of their personal habits around on-demand applications into a corporate environment. There's no malicious intent here; people are just trying to be more productive and are pulling up apps in the corporate environment in the same ways that they do on their iPhones. [Based on other Softchoice research], the average SaaS user has twice the amount of applications on their corporate devices than their IT department is aware of.
There are a lot of folks now displaying their passwords on Post-it notes on the monitor. Obviously, that's not very secure. We used to see this practice some years back, and it's resurfacing. I think it's primarily because end users have so many passwords that they have to remember because of all the applications they have now. Another common trend is folks are recycling one or two passwords, and are using them to access all of their applications.
Users are also accessing company data through unsanctioned apps. This is typically where a user is trying to collaborate with a co-worker, customer, contractor or vendor. They're collaborating using file-sharing tools and, in many cases, they're putting their company's proprietary information out on these services and that can be a risk.
We found that it's the Millennials -- the younger workers -- that seem to have less knowledge about security than, say, a baby boomer. It might just be generational, where Millennials are used to having less privacy and aren't as concerned about some of the security risks as an older worker.
What do you think breeds these kinds of unsafe practices? Is it a matter of individual choices or is it a matter of corporate culture?
Kane: It's behavioral. We think people are just taking the norms they have for accessing applications in their personal consumer lives, and now that's bleeding into corporate behavior. We do have some corporate customers who will block everything [from end users], but we also don't think that is the best policy. The talent of today is used to accessing those types of technology and without that access, it'll be harder for companies to recruit the top talent.
When SaaS security isn't taken seriously, what can happen?
Kane: Worst-case scenario would be if an employee puts proprietary information out on one of these unsanctioned apps. If that employee then becomes an alumna of that organization, they will still have access to that application because it wasn't sanctioned to the IT department. So, some of those key provisioning capabilities that the IT person is used to having aren't there. Or, one of those applications could get breached, resulting in data loss.
What can companies do to encourage more secure SaaS management practices?
Kane: It's about change management and training. Communicate why end users need to use certain tools and avoid certain behaviors. You can have all the tools in place in the world, but if you're not communicating all this out [to end users], it's not going to work very well.
Do you think SaaS will become more common in the workplace in coming years and, if so, what do companies need to do to prepare for it?
Kane: I heard a stat from an analyst who said that in 2014, SaaS will become the de facto standard for all new software acquisitions going forward. I don't know if we're quite there yet, but I think certainly we will be within the next three years. We're seeing [SaaS use] from the big guys like Microsoft and Adobe to line of business companies and specific verticals. The delivery [of SaaS] is just so much faster and efficient now that it's becoming much more prevalent.
Number one, you need to understand what is already out there for SaaS. In many cases, companies already have these apps in their environments and aren't aware of it. Secondly, build out some sort of platform to manage all the applications. As you move to the SaaS world, you still have to maintain your compliance and security practices, so by having that SaaS management platform in place, you'll be able to do that.
This was first published in February 2014