SaaS apps are more important than ever. By extension, that means SaaS and MSPs’ fates are intertwined.
Even before the arrival of COVID-19, SaaS was increasingly favoured due to the steady rise in the subscription-based economy.
It’s evident in the fact that companies now spend an average of $2,884 per employee on SaaS (more than hardware) and this figure is increasing with more industries transitioning to a SaaS model.
The pandemic is definitely accelerating this trend with cloud spending rising 37% to $29 billion during the first quarter of 2020.
As SaaS adoption grows, managing and securing these applications becomes a critical area for MSPs.
One element that is paramount here is the management of SaaS user access.
Why Is SaaS User Permission Management Important?
SaaS user permission management matters because you need to ensure that the right people have the right level of access to sensitive data.
Think about it another way: you wouldn’t want a summer accounting intern having access to detailed payroll records.
Most SaaS apps provide you with role-based access control (RBAC) features that enable you to specify access levels and other action-based permissions.
The idea is to give the right access to the right people, ensuring that only authorized individuals can see certain data in SaaS applications.
In an ideal world, you implement these permissions once and you’re done. You then have an accurate, clearly enforced level of application security that defines the users and how they can access and manipulate data.
In the real world, it’s a little more complicated.
Common SaaS User Permission Mistakes
The problem with our ideal-world scenario is that it rarely works out this neatly. Here are some reasons why.
1. Third Parties Gain Access
Your client might hire a sales consultant to review their sales process. To perform a full audit, the consultant is given full access to the client’s CRM.
The engagement wraps up, but nobody removes the consultant, who still has access to all of the client’s customer records.
2. Allowing Too Much Access
RBAC isn’t always perfect. Your client’s VP of Marketing is on vacation, so they need a coordinator to send an email to all of their customers. To do this, the coordinator needs admin access to the marketing automation tool.
The access is granted because the email has to go out, but it is never revoked.
3. Not Removing Access for Terminated Employees
We’ve written about common employee offboarding mistakes.
If you’ve ever looked at user permissions, you’ll have heard the refrain: “I thought Sarah still worked here?”
While Sarah is hopefully an upstanding citizen, there’s no guarantee that this access won’t be used maliciously.
4. Sharing User Accounts
We get it: additional users can be costly. But as soon as your client shares accounts, or passwords to accounts, you no longer have any accountability. Users can do what they want and get away scot-free. Your audit trails are broken because you can no longer tell which individual did something.
How Do You Get Employee User Permissions Right?
The first step you need to take is to gain insight into your client’s SaaS usage so that you can align it with their app’s permission levels.
Regardless of the data source, Augmentt Discover can extract critical SaaS usage data and provide you with actionable results. This includes trended usage over time, by individuals or entire departments.
We also allow you to instantly classify the apps according to their security, financial or productivity risk. This will give you a clear idea of what apps you need to focus on first.
Usage data also shows who actually uses each app: if an individual never logs in to a particular app that holds sensitive data, you can revoke their access. Giving MSPs the tools they need to clean up permissions drift and implement a solid strategy is a major part of the battle.
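The audit described above, comparing each account’s role and status against its actual usage, can be expressed as a small check. The following is an added example, not code from the post or from Augmentt Discover; the user list, login dates, role names and the 60-day staleness threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data (not from the post): one SaaS app's user list and last-login dates.
@dataclass
class AppUser:
    email: str
    role: str                 # "admin" or "member" (assumed role names)
    employment: str           # "employee", "terminated" or "contractor"
    engagement_end: Optional[date] = None   # contractors only

USERS = [
    AppUser("vp.marketing@example.com", "admin", "employee"),
    AppUser("coordinator@example.com", "admin", "employee"),   # temporary admin that was never revoked
    AppUser("sarah@example.com", "member", "terminated"),      # offboarding miss
    AppUser("consultant@partner.example", "admin", "contractor", date(2020, 3, 31)),
    AppUser("analyst@example.com", "member", "employee"),
]
LAST_LOGIN = {
    "vp.marketing@example.com": date(2020, 6, 1),
    "coordinator@example.com": date(2020, 2, 15),
    "sarah@example.com": date(2020, 1, 10),
    "consultant@partner.example": date(2020, 3, 20),
    "analyst@example.com": date(2020, 6, 2),
}

def find_permission_drift(users, last_login, as_of, stale_days=60):
    """Return (email, finding) pairs for accounts whose access no longer matches their use.

    Three of the mistakes from the post are checked: terminated employees still enabled,
    third parties whose engagement has ended, and admin roles nobody has used recently.
    """
    findings = []
    cutoff = as_of - timedelta(days=stale_days)
    for u in users:
        if u.employment == "terminated":
            findings.append((u.email, "terminated employee still has access"))
            continue
        if u.employment == "contractor" and u.engagement_end and u.engagement_end < as_of:
            findings.append((u.email, "third-party engagement ended, access not removed"))
            continue
        seen = last_login.get(u.email)
        if u.role == "admin" and (seen is None or seen < cutoff):
            findings.append((u.email, f"admin role unused for {stale_days}+ days; downgrade"))
    return findings
```

Accounts that never appear in the login data are treated as unused, so a privileged account with no recorded login is flagged rather than silently skipped.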
SaaS User Permission Management Is an Ongoing Battle
Once SaaS applications are in a known-good access control state, it takes constant effort and attention to keep them that way.
Without continuous monitoring, it is almost certain that permissions drift will creep back into the applications’ configuration and require repeated assessment and clean-up efforts.