Current SaaS security strategies don’t go far enough

Many recent breaches and data leaks have been tied back to SaaS apps, according to Adaptive Shield.


“We wanted to gain a deeper understanding of the incidents within SaaS applications and how organizations are building their threat prevention and detection models to secure their SaaS ecosystem,” said Hillary Baron, lead author and Senior Technical Director for Research, Cloud Security Alliance.

“This explains why 71% of respondents are prioritizing their investment in security tools for SaaS, most notably turning to SaaS Security Posture Management (SSPM) as the solution to secure their entire SaaS stack,” Baron added.

“The attack surface in the SaaS ecosystem is widening, and just as you would secure a cloud infrastructure with Cloud Security Posture Management, organizations should secure their SaaS data and prioritize SaaS security,” asserts Maor Bin, CEO of Adaptive Shield.

“In last year’s survey, 17% of respondents said they were using SSPM. This year that figure has soared, with 80% currently using or planning to use an SSPM by the end of 2024. This dramatic growth is fueled by the fact that 55% of organizations stated they recently experienced a SaaS security incident, which resulted in ransomware, malware, data breaches, and more. Threat prevention and detection in SaaS is critical to a robust cybersecurity strategy spanning SaaS Misconfigurations, Identity and Access Governance, SaaS-to-SaaS Access, Device-to-SaaS Risk Management, and Identity Threat Detection & Response (ITDR),” Bin continued.

SaaS security

Current SaaS security strategies and methodologies don’t go far enough: 58% of organizations estimate their current SaaS security solutions only cover 50% or less of their SaaS applications. This gap cannot be filled using manual audits and cloud access security brokers (CASB), which are not enough to protect companies from SaaS security incidents.

Investment in SaaS and SaaS security resources is drastically increasing: 66% of organizations have increased their investment in SaaS apps, with 71% increasing their investment in security tools to protect these business-critical apps. This can be attributed to the fact that SaaS Security Posture Management (SSPM) provides coverage in areas where other methods have fallen short.

Stakeholder spread in securing SaaS apps: CISOs and security managers are shifting from being controllers to governors as the ownership of SaaS apps is spread out through the different departments of their organization.

How organizations are prioritizing policies and processes for their entire SaaS security ecosystem: Organizations are expanding their SaaS security to address a broad range of concerns in the SaaS ecosystem, including SaaS-to-SaaS Access, Device-to-SaaS Risk Management, Identity and Access Governance, and ITDR.

Companies recognize the importance of human capital in safeguarding the SaaS ecosystem, but more is needed: While 68% of organizations are ramping up investments in hiring and training staff on SaaS security, only 51% have established communication and collaboration between security and app owner teams, and an abysmal 33% currently monitor less than half of their SaaS stack.

More focus must be dedicated to device hygiene: Ensuring the security of devices that access the SaaS stack is critical for preventing unauthorized access and data breaches. Despite this, only 54% of organizations check device hygiene for SaaS privileged users, 47% inspect the device hygiene of all SaaS users, and just 42% identify unmanaged devices accessing the SaaS stack.
