Software as a service (SaaS), the delivery of applications over the public cloud, is estimated to be worth more than $295 billion by the end of 2025. In this cloud computing model a cloud service provider (CSP) hosts and manages both the application and the underlying infrastructure, and customers access the software, usually on a subscription basis.
SaaS has steadily become one of the most popular cloud computing models and is widely seen as a game changer compared with traditional on-premises software: updates arrive regularly, compatibility issues are handled by the provider, and capacity scales with demand.
However, cybersecurity remains an issue that must be resolved.
AppOmni’s recently released “2024 The State of SaaS Security Report” warned that SaaS-related breaches are becoming more common: 31% of respondents surveyed for the report said their organization had suffered a data breach, up five points from last year. The report also warned about the amount of sensitive data held in SaaS apps which, if compromised, can cause business disruption, loss of customer trust, and damage to the organization’s reputation. For those reasons, SaaS needs to be actively secured.
“SaaS apps power enterprises large and small but their security is still far short of ideal. Many organizations remain unaware of which SaaS apps are used, by whom, with what permissions, so they are unable to get a handle on what is risky; but also unsure who has the responsibility to secure them within their own organization,” explained Brandon Levene, principal product manager for threat detection at AppOmni.
He told ClearanceJobs that the findings suggest enterprises are starting to pay attention to SaaS security, but that not enough is being done beyond the initial measures taken at procurement time.
“‘The Shared Responsibility model’ for SaaS security is widely misunderstood and many times may give a false sense of security with customers assuming that the SaaS vendors and cloud providers address most security requirements,” added Levene. “The customer is responsible for monitoring and updating SaaS, setting application access control policies, managing identities and permissions, and compliance mandates. SaaS security should also be actively addressed by the CISO organization.”
The Threats Will Continue
One persistent issue is that SaaS is often adopted piecemeal, with unauthorized apps added along the way. This can create weak links in an otherwise robust security chain.
“Attackers continue to wreak havoc by stealing data, holding companies ransom, disrupting business operations, and damaging the organizations’ reputations,” said Brendan O’Connor, CEO of AppOmni.
“Fortunately, SaaS security is now getting the attention it requires. But initial deployment policies and ad hoc strategies don’t lead to repeatable best practices, collaboration, or the continuous vigilance required to maintain a robust and comprehensive SaaS security program,” O’Connor told ClearanceJobs. “Our study surfaced the challenges posed by decentralized governance and the confusion around shared responsibilities for SaaS security, both of which are exacerbated by a complex web of connected applications.”
The study warned that all too often vigilance erodes after deployment, while excessive emphasis on proprietary tools and on the SaaS vendor’s initial credibility can hinder risk evaluation. The sheer volume of configuration changes can overwhelm even experienced security teams, and it is nearly impossible for those teams to be experts in every application.
“You don’t need to boil the ocean when it comes to SaaS security,” suggested Levene. “Prioritize securing apps based on the risk that they represent – where you have the most business-critical data, the most users, where compliance requirements are going to be important, and applications that are woven into your day-to-day business.”
Collaboration to Combat SaaS Breaches
The report further indicated that as SaaS adoption continues, organizations need continuous monitoring of SaaS-to-SaaS connections alongside strict security controls, including blocking unsanctioned third-party apps from connecting to business-critical apps, notably those that hold sensitive customer data.
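As an added example (not code from the article or from AppOmni), the following Python script shows one way to turn that recommendation into a repeatable check: it runs an allowlist and scope policy over an inventory of third-party app connections, blocks unsanctioned apps connected to business-critical apps, flags sanctioned apps that hold write or admin scopes on those apps, and orders findings by a simple risk score so the riskiest are worked first. The app names, scope strings, critical-app list, inventory rows and scoring weights are all constructed assumptions.

```python
"""Policy check over an inventory of SaaS-to-SaaS (third-party app) connections.

Constructed example: the app names, scope strings, inventory rows and scoring
weights below are illustrative assumptions, not data from AppOmni's report or
from any real tenant.
"""
from dataclasses import dataclass

# Assumed: apps the business has classified as critical because they hold
# sensitive customer data or run core workflows.
CRITICAL_APPS = {"crm", "hr-suite", "data-warehouse"}

# Assumed: third-party apps that were reviewed and sanctioned at procurement time.
SANCTIONED_APPS = {"calendar-sync", "ticketing-bot", "bi-dashboard"}

# Assumed weights: write/admin grants on a critical app are the ones that let
# an attacker exfiltrate or tamper with data at scale.
SCOPE_WEIGHT = {"read": 1, "write": 3, "admin": 5}


@dataclass(frozen=True)
class Connection:
    third_party: str   # the app holding the OAuth grant or API token
    target: str        # the SaaS app it is connected to
    scopes: tuple      # granted scope strings, e.g. ("contacts.read",)
    user_count: int    # how many users authorised the grant


@dataclass(frozen=True)
class Finding:
    connection: Connection
    action: str        # "block" | "review" | "allow"
    score: int
    reason: str


def scope_class(scope: str) -> str:
    """Map a provider-specific scope string to read/write/admin.

    Substring matching is deliberately conservative: "write" is checked
    before "read" so "ReadWrite" lands on write, and anything unrecognised
    is assumed to be able to change data.
    """
    s = scope.lower()
    if "admin" in s or "full" in s:
        return "admin"
    if "write" in s or "manage" in s:
        return "write"
    if "read" in s or "view" in s:
        return "read"
    return "write"


def risk_score(conn: Connection) -> int:
    """Higher when the grant is broad, touches a critical app, and is widely used."""
    weight = max(SCOPE_WEIGHT[scope_class(s)] for s in conn.scopes)
    critical = 3 if conn.target in CRITICAL_APPS else 1
    breadth = 1 + min(conn.user_count, 500) // 100   # capped so one app cannot dominate
    return weight * critical * breadth


def evaluate(conn: Connection) -> Finding:
    """Apply the policy to one connection and return the decision with its reason."""
    score = risk_score(conn)
    sanctioned = conn.third_party in SANCTIONED_APPS
    if not sanctioned and conn.target in CRITICAL_APPS:
        return Finding(conn, "block", score, "unsanctioned app connected to a critical app")
    if not sanctioned:
        return Finding(conn, "review", score, "unsanctioned app on a non-critical app")
    if conn.target in CRITICAL_APPS and any(scope_class(s) != "read" for s in conn.scopes):
        return Finding(conn, "review", score, "sanctioned app holds write/admin scope on a critical app")
    return Finding(conn, "allow", score, "sanctioned; read-only or non-critical target")


def triage(inventory) -> list:
    """Return findings ordered so the team works blocks first, then highest score."""
    order = {"block": 0, "review": 1, "allow": 2}
    findings = [evaluate(c) for c in inventory]
    return sorted(findings, key=lambda f: (order[f.action], -f.score))


# Constructed sample inventory (assumption: a tenant's export of OAuth grants).
SAMPLE_INVENTORY = [
    Connection("calendar-sync", "mail", ("calendar.read",), 420),
    Connection("bi-dashboard", "data-warehouse", ("tables.read", "tables.write"), 30),
    Connection("pdf-magic", "crm", ("contacts.read",), 12),
    Connection("ticketing-bot", "crm", ("cases.read",), 200),
    Connection("unknown-ai-helper", "notes", ("docs.view",), 3),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.action:6} score={f.score:3} "
              f"{f.connection.third_party} -> {f.connection.target}: {f.reason}")
```

In practice the inventory would come from each SaaS platform’s connected-app or OAuth grant export and the scope mapping would be tuned per provider; the point is that the decision becomes a policy that runs on every change, rather than a one-time judgement made at procurement.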
Organizations of all sizes also need to cultivate a SaaS-aware security culture, which requires ongoing collaboration between the CISO and the security teams.
“The sensitive nature and sheer amount of data stored in one major SaaS provider make them fertile ground for stealing and ransoming. The recent breach involving Snowflake databases at over 165 enterprises illustrates the challenge and the ease with which SaaS apps can be compromised,” said Levene.
“It’s clear that SaaS security must mature rapidly as incidents rise,” he continued. “Organizations need to shift from ad hoc strategies to a well-structured, continuously monitored security program. Relying solely on SaaS vendors and managed service providers for security is insufficient; proactive, comprehensive strategies are necessary to safeguard organizational data and reputation.”
A shared responsibility model that clearly delineates the division of security responsibilities among cloud service providers, SaaS platforms, and customers could also be key to ensuring that all parties understand their roles in data protection and risk management.
“As attacker tactics, techniques and procedures (TTPs) and preventable security issues are becoming more widely known,” said O’Connor, “there are signs that CISOs and their teams are prioritizing SaaS risks among their cloud security initiatives—even as budget pressures intensify.”