In many ways, the proliferation of SaaS apps has made life easier for businesses.
Automated bookkeeping!
More seamless project management tools!
Better team communication platforms!
But there’s one part of that SaaS landscape that might be a little too easy. And that’s creating guest user accounts. This is when an organization gives a non-employee access to specific apps and/or data within the company network.
For example:
These are all legitimate reasons for organizations to create guest user accounts.
But it’s what happens afterwards that’s the problem.
Those guest accounts just kind of … hang out, long after the party is over. And it’s your job as the MSP to kick them out.
If guest user accounts start out harmless, how do they become such a big issue?
Well, it’s a numbers game. According to the 2023 Okta Businesses at Work study, the average company uses 89 SaaS apps. If even five guest user accounts linger in each app, that’s 445 chances for someone to do something devious.
To add to the problem, most organizations don’t even notice how many guest accounts are lying around. Yet those accounts make up a huge portion of their SaaS landscape. In fact, out of the more than 1.9 million SaaS accounts monitored by SaaS Alerts in 2023, nearly half (48.1%) were guests versus licensed users.
Nearly half?!
Yep.
That’s a lot of potential for data loss, intellectual property theft or even just really damaging accidents. External collaborators likely haven’t been through the same training as regular employees and might be less careful about deleting files from shared folders.
Oh, that 50-page slide deck labeled “FINAL: The End-All, Be-All Branding and Messaging Document for Company X” was important? Whoops!
Your customers are awesome. But let’s be honest: they’ve probably forgotten about most of the guest user accounts they’ve set up. (Brad who? Why is he still in our SharePoint?)
Like other things your well-meaning customer probably forgets about, this responsibility is on you. Here are a few tactics to limit guest user accounts and save your customers’ SaaS:
When setting up a new guest user account, minimize their permissions. Give them just enough ability to do their job. Don’t be willy-nilly about setting up new accounts with full permission to run wild.
When you buy a ticket to a theme park, movie or sporting event, that ticket is time-bound. You can’t just show up with your ticket for the Sunday football game … on the following Thursday afternoon.
Enact that same philosophy with your customers’ guest users! Only give them temporary access to whatever SaaS app they’re working in.
As the fabulous MSP you are, you already monitor end-user behavior for your customers’ employees. That should be no different for guest users. If anything, it’s more important with these accounts. (They’re strangers, after all.) Keep an eye on account activity such as unusual upload/download patterns.
Every month or so, clear out unused guest accounts. If that person comes back later and needs access, a new account can be created. But there’s no reason for the old one to linger indefinitely.
Along those lines, do a regular cleanup of guest users’ permission settings. Maybe they do have a legitimate reason to still have an account. But do they need full administrative privileges after that big project is done? Probably not.
Not everyone gets an invite to the party! If a vendor or contractor can do their work without actually setting up an account within the organization’s SaaS apps, all the better.
You probably shuddered earlier when you read about regularly auditing and deleting guest user accounts. So. Much. Manual. Work.
But with SaaS Alerts, you can preset rules for when to automatically delete an account (for example, after 30 days of inactivity). Out of 928,132 total guest user accounts identified by SaaS Alerts in 2023, automation tools got rid of 81,000. That’s 81,000 MSP clicks saved!
If a guest user gets up to no good inside your customer’s SaaS environment, SaaS Alerts will let you know.
With three categories of security events (low, medium and critical), SaaS Alerts flags when something looks strange. For example, maybe one of those guest users downloads 500 files in an hour from the company SharePoint. (No one needs that many documents that quickly.)
Set up rules in advance for when you want SaaS Alerts to automatically shut down a guest user account. Then when that (overzealous!) guest user downloads their 500 files, you don’t have to scramble to lock the account.
All you have to do is kick up your feet and let SaaS Alerts do its magic — and kick that user out of the SharePoint party.
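To make the two rules above concrete (delete after 30 days of inactivity, flag 500 downloads in an hour), here is an added example that is not SaaS Alerts code or part of the original article. The record fields (`user`, `type`, `created`, `last_sign_in`, `action`, `time`) and all sample data are assumptions constructed for illustration; map them to whatever your SaaS audit export provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=30)  # the article's example rule: 30 days of inactivity
BURST_FILES = 500                      # the article's example: 500 files...
BURST_WINDOW = timedelta(hours=1)      # ...in an hour

def stale_guests(accounts, now):
    """Guests idle past the limit; a never-used invite ages from its creation date."""
    return sorted(a["user"] for a in accounts if a["type"] == "guest"
                  and now - (a["last_sign_in"] or a["created"]) > INACTIVITY_LIMIT)

def burst_downloaders(events, accounts):
    """Guests with BURST_FILES or more downloads inside any sliding BURST_WINDOW."""
    guests = {a["user"] for a in accounts if a["type"] == "guest"}
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "download" and e["user"] in guests:
            per_user[e["user"]].append(e["time"])
    flagged = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:  # slide past events older than the window
                start += 1
            if end - start + 1 >= BURST_FILES:
                flagged.append(user)
                break
    return sorted(flagged)

# Constructed sample data (hypothetical field names, not real accounts or logs).
NOW = datetime(2024, 3, 1, 12, 0)
ACCOUNTS = [dict(zip(("user", "type", "created", "last_sign_in"), row)) for row in [
    ("brad@vendor.example", "guest", datetime(2023, 6, 1), datetime(2023, 9, 14)),
    ("lee@audit.example", "guest", datetime(2023, 12, 1), None),  # invited, never signed in
    ("dana@agency.example", "guest", datetime(2024, 2, 1), datetime(2024, 3, 1, 9)),
    ("kim@agency.example", "guest", datetime(2024, 2, 1), datetime(2024, 3, 1, 1)),
]]

def _downloads(user, start, gap_seconds, count=500):
    return [{"user": user, "action": "download",
             "time": start + timedelta(seconds=gap_seconds * i)} for i in range(count)]

EVENTS = (_downloads("dana@agency.example", datetime(2024, 3, 1, 9), 6)     # 500 in ~50 min
          + _downloads("kim@agency.example", datetime(2024, 3, 1, 1), 60))  # 500 in ~8 hours

if __name__ == "__main__":
    print("delete (stale):", stale_guests(ACCOUNTS, NOW))
    print("lock (burst):", burst_downloaders(EVENTS, ACCOUNTS))
```

Using a sliding window rather than fixed clock hours means a burst that straddles an hour boundary is still caught, and the same 500 files spread over a working day is not.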