SaaS-to-SaaS Access Significantly Expands an Organization’s Attack Surface and Grants Access to Valuable Company Resources and Data

Adaptive Shield, the leading SaaS Security company, today announced the release of its SaaS-to-SaaS Access Report. According to the research, employees are granting thousands of third-party apps access to the two most dominant workspaces, Microsoft 365 (M365) and Google Workspace. With no oversight or control from security teams, companies have no way to quantify the risk that these SaaS-to-SaaS connections present to their businesses.

While these SaaS-to-SaaS connections provide enhanced features that boost workflow efficiency, they also give permission for apps to read, update, create, delete, or otherwise engage with corporate and personal data. In its report, Adaptive Shield identifies how many SaaS apps are being connected to the core SaaS stack, specifically M365 and Google Workspace and business-critical apps such as Salesforce and Slack, the types of permissions being granted to these applications, and the risk level these apps present.

According to the research, companies with 10,000 SaaS users average 2,033 applications connected to M365 and 6,710 connected to Google workspace. For the companies using Google Workspace, that figure jumps to an average of 13,913 connected apps for 10,000 - 20,000 SaaS users.

While the risk level for permissions varies from one app to the next, Adaptive Shield researchers found that 39% of apps connected to M365 and 11% to Google Workspace have ‘high-risk’ permission access. Additional details on these include

• In Google Workspace, the top three high-risk permission sets (78%) request the ability to see, edit, create, and delete any or all Google Drive files, emails, and docs.
• In the Microsoft 365 ecosystem, the two most common high-risk scopes grant the app the ability to read, create, update, and delete data. Together, they make up 27% of all high-risk scopes being granted.

“The simple app-to-app connectivity that makes SaaS apps vital productivity tools also makes them significantly dangerous,” said Maor Bin, CEO of Adaptive Shield. “While it’s clearly unrealistic to expect businesses to curb their reliance on SaaS apps, they cannot allow this adoption to go unchecked. To eliminate these risks companies must develop policies for integrating apps, prioritize employee training, and deploy monitoring solutions that help over-taxed security teams identify and eliminate high-risk permission sets before it’s too late.”

While these challenges are most prominent in M365 and Google Workspace, they are not exclusive to these apps. As part of this effort, Adaptive Shield examined two other business-critical apps, Slack and Salesforce. The research shows that organizations have an average 222 SaaS-to-SaaS apps for Slack and another 41 apps for Salesforce.

A final area of research are app categories that are connected most frequently. According to the research, email applications are far and away the number one connected category followed by apps related to file and document management, communications and meetings, and calendars and scheduling.

The Adaptive Shield full report, 2023 SaaS-to-SaaS Access Report: Uncovering the Risks & Realities of Third-Party Connected Apps, is available now.

About Adaptive Shield

Adaptive Shield, leader in SaaS Security, enables security teams to secure their entire SaaS stack through threat prevention, detection and response. With Adaptive Shield, organizations continuously manage and control all SaaS and 3rd-party connected apps, as well as govern all SaaS users and risks associated with their devices. Founded by Maor Bin and Jony Shlomoff, Adaptive Shield works with many Fortune 500 enterprises and has been named Gartner® Cool Vendor™ 2022. For more information, visit us at www.adaptive-shield.com or follow us on LinkedIn.

View source version on businesswire.com: https://www.businesswire.com/news/home/20230227005572/en/