Enterprise social applications like Slack and Teams have made remote work a possibility for many businesses. Over the past few years especially, we’ve relied on tools like these to replace watercooler conversations and help us collaborate with other functional teams. But with all the good they bring to our new remote and hybrid working world, there are also new security challenges that can’t be ignored.
The industry lived through the move from mainframes to client-server, and again from LAN- to SaaS-delivered applications. Historically, with new compute models come new attack surfaces. As a result, a specific set of security tooling emerged to address the new gaps. While this is a positive short-term solution to patch holes, it does little for long-term gains. It also introduces challenges from integrating new tools with legacy systems.
Security and IT leaders have reached the limits of effectiveness associated with managing multiple solutions for every possible threat, especially considering that enterprises use upward of 110 SaaS applications on average (Statista). As this number continues to grow, businesses need to get realistic about how to manage the onslaught of new apps and tools, most of them used from locations outside the security of your own business network.
Fortunately, there is a bright spot emerging in the market, and it involves a new generation of security tooling built within the business platforms and processes enterprises already use. While specific endpoint technology will always be needed, solutions will become increasingly integrated with larger systems of action that are aligned with the actual risk and employee workflow.
However, as much of an improvement as consolidating siloed systems and applications onto your business platform is, it’s not a silver bullet for your security woes. And the looser attitudes toward enterprise social apps can make this even more difficult to manage. Take Slack, for example: people tend to let their guard down a little more there. They’re encouraged to joke and socialize, but it’s also a place to share company information, documents, and customer information.
Enterprise social apps provide a much-needed cultural aspect and a quick means of communication that was once missing from remote work. They increase productivity and help us get fast answers. But our casual attitudes, dispersed workforce, and lack of real policy around them may all contribute to their vulnerability. So, let’s look at what we can do to reap the benefits of enterprise social apps and reduce the risk.
First, at a minimum, you must ensure that individuals who have access are governed. Whether a full-time or part-time employee, a contractor, or someone with another affiliation with the company, anyone who is using enterprise social apps must have the appropriate level of access. This means if they are no longer employed, their access should be removed. If they are a contract or freelance employee, consider the timeframe they will be working with the company, or whether it’s necessary for them to have access to social apps to complete their project.
This boils down to identity lifecycle management, and to remain effective, it requires constant monitoring. While much of this can be automated, governing identity will never be a ‘set it and forget it’ kind of project. The state of identity is always changing, and reevaluating what that means is crucial. Certain departments and roles have access to certain tools and systems, and certain assets should be taken away with departmental moves, much like when an employee leaves the company. But it’s a fine line: an approach that’s too restrictive can hurt productivity and morale.
Beyond proper governance, there’s a financial component to how enterprise social apps are managed. Most social apps have licensing costs, and governance can help defray excess spending. For example, if an employee leaves your company and you don’t disable their Slack account, not only is there a security hole, but you’re burning money. Add this up across multiple accounts and applications and, depending on the size of your organization, it could be significant.
This is another example of the problem with siloed organizations. In the early days, IT was a finance function, typically reporting to the CFO. There was alignment between business and operations, but now there are different needs, budgets, and reporting structures for folks in regulatory compliance, finance, IT, and the list goes on. These functional areas don’t act as one business unit. People don’t want to be implicated, so there’s less focus on expenses and operational efficiency.
But it doesn’t have to be a trade-off. At the end of the day, strong identity governance practices lead to better security, efficiency, and cost savings. Enterprise social apps are not too different from other business software. Taking proper governance measures, constantly evaluating the state of identity, and acting upon these insights in a timely manner are all key to securing enterprise social apps.
This article first appeared in Enterprise Security Tech.