The Importance of SaaS User Permission Management

SaaS apps are more important than ever, and by extension the fates of SaaS and MSPs are intertwined.

Even before the arrival of COVID-19, SaaS was increasingly favoured due to the steady rise in the subscription-based economy.

It’s evident in the fact that companies now spend an average of $2,884 per employee on SaaS (more than on hardware), and this figure is increasing as more industries transition to a SaaS model.

The pandemic is definitely accelerating this trend with cloud spending rising 37% to $29 billion during the first quarter of 2020.

With an increase in adoption of SaaS applications, the focus on managing and securing these applications is a critical area for MSPs. 

One element that is paramount here is the management of SaaS user access. 


Why Is SaaS User Permission Management Important?

The reason SaaS user permission management is important is that you need to ensure that the right people have the right level of access to sensitive data.

Think about it another way: you wouldn’t want a summer accounting intern having access to detailed payroll records.

Most SaaS apps provide you with role-based access control (RBAC) features that enable you to specify access levels and other action-based permissions.

The idea is to give the right access to the right people ensuring that only authorized individuals can see certain data on SaaS applications.

In an ideal world, you implement these permissions once and you’re done. You then have an accurate, clearly enforced level of application security that defines the users and how they can access and manipulate data.

In the real world it’s a little more complicated.


Common SaaS User Permission Mistakes

The problem with our ideal-world scenario is that it rarely works out this neatly. Here are some reasons why.


1. Third Parties Gain Access

Your client might hire a sales consultant to review their sales process. To perform a full audit, the consultant is given full access to the client’s CRM.

The engagement wraps up, but nobody removes the consultant, who still has access to all of the client’s customer records.


2. Allowing Too Much Access

RBAC isn’t always perfect. Your client’s VP of Marketing is on vacation, so a coordinator needs to send an email to all of the client’s customers. To do this, the coordinator needs admin access to the marketing automation tool.

You grant it because you need the email to be sent, but never revoke it. 


3. Not Removing Access for Terminated Employees

We’ve written about common employee offboarding mistakes.

If you’ve ever looked at user permissions, you’ll have heard the refrain: “I thought Sarah still worked here?”

While Sarah is hopefully an upstanding citizen, there’s no guarantee that this access won’t be used maliciously.


4. Sharing User Accounts

We get it: additional users can be costly. But as soon as your client shares accounts, or passwords to accounts, you no longer have any accountability. Users can do what they want and get away scot-free. Your audit trails are broken because you can no longer tell which individual did something.


How Do You Get Employee User Permissions Right?

The first step you need to take is to gain insight into your client’s SaaS usage so that you can align it with their app’s permission levels.

Regardless of the data source, Augmentt Discover can extract critical SaaS usage data and provide you with actionable results. This includes trended usage over time, by individuals or entire departments.

We also allow you to instantly classify the apps according to their security, financial or productivity risk. This will give you a clear idea of what apps you need to focus on first.

That means if an individual never logs in to a particular app with sensitive data, you can revoke their access. Giving MSPs the tools they need to clean up permissions drift and implement a solid strategy is a major part of the battle.


SaaS User Permission Management Is an Ongoing Battle

Once SaaS applications are in a known-good access control state, keeping them that way requires constant effort and attention.

Without continuous monitoring it is almost certain that permissions drift will creep back into the applications’ configuration and require repetitive assessment and clean-up efforts.
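The usage-based review described above (revoke access nobody uses, and re-run the review continuously so drift does not creep back) can be expressed as a small script. The example below is added here and is not Augmentt’s code; it assumes a per-user, per-app entitlement record of the shape shown (fields such as `expires`, `owner_active`, `third_party` and `individual` are assumptions) and flags each of the four mistakes from the post plus unused access to apps holding sensitive data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SENSITIVE_APPS = {"crm", "payroll", "marketing_automation"}  # unused access here is a revoke candidate

@dataclass
class Grant:  # one account's entitlement in one SaaS app (record shape assumed for this example)
    user: str
    app: str
    granted: date
    expires: Optional[date]     # end of engagement or temporary elevation; None = permanent
    last_login: Optional[date]  # None = never logged in
    owner_active: bool          # False once the person has been offboarded
    third_party: bool           # consultant, contractor, agency
    individual: bool            # False for an account several people share

def review(grants, today, stale_days=90):
    """Return {(user, app): [reasons]} for every grant that needs attention."""
    findings = {}
    for g in grants:
        reasons = []
        if not g.owner_active:
            reasons.append("terminated-owner")                 # mistake 3
        elif g.expires is not None and g.expires < today:      # mistakes 1 and 2
            reasons.append("third-party-engagement-ended" if g.third_party
                           else "temporary-elevation-expired")
        if not g.individual:
            reasons.append("shared-account")                   # mistake 4: no audit trail
        last_seen = g.last_login or g.granted                  # never logged in -> count from grant date
        if g.app in SENSITIVE_APPS and today - last_seen > timedelta(days=stale_days):
            reasons.append("unused-sensitive-access")          # usage-based revocation
        if reasons:
            findings[(g.user, g.app)] = reasons
    return findings

# Constructed sample data mirroring the scenarios in the post; not real usage data.
SAMPLE = [
    Grant("consultant@partner.example", "crm", date(2020, 1, 6), date(2020, 3, 31), date(2020, 3, 30), True, True, True),
    Grant("coordinator", "marketing_automation", date(2020, 5, 1), date(2020, 5, 8), date(2020, 5, 20), True, False, True),
    Grant("sarah", "payroll", date(2018, 9, 3), None, date(2020, 1, 15), False, False, True),
    Grant("sales-shared", "crm", date(2019, 4, 1), None, date(2020, 5, 30), True, False, False),
    Grant("intern", "payroll", date(2020, 1, 20), None, None, True, False, True),
    Grant("vp_marketing", "marketing_automation", date(2019, 2, 1), None, date(2020, 5, 28), True, False, True),
]
TODAY = date(2020, 6, 1)  # constructed review date

if __name__ == "__main__":
    for (user, app), reasons in review(SAMPLE, TODAY).items():
        print(f"{user:28} {app:22} {', '.join(reasons)}")
```

Scheduling this review to run on every usage-data refresh is what turns a one-off clean-up into the continuous monitoring the post calls for.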

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.