The dynamic landscape of cybersecurity is undergoing a paradigm shift, with the SaaS Security Posture Management (SSPM) market emerging as a critical player in safeguarding organizations against evolving cloud-based threats. Treating SSPM as a clear must-have, Forrester has now brought its SSPM Wave to market, laying out its assessments and designating the top providers in the space.
We are proud to be named a Strong Performer. Forrester's Wave Report acknowledges Adaptive Shield's capabilities and details each vendor's current offering, strategy, and market presence.
In this blog post, I analyze the report, highlight some of its findings, and open avenues for discussion. I believe Forrester's vendor positioning may raise questions, and I attribute this to criteria such as proxy-based technology, which is considered a pure CASB capability; cost-saving features that are typically found in SMPs; the weighting of secondary criteria as heavily as primary SSPM capabilities; and an Innovation criterion that is measured solely by company size.
Adaptive Shield’s Top Scoring Criteria
Configuration Drift Detection
A core criterion for an SSPM solution, configuration drift detection is defined as the SaaS app owner's or admin's functional, intuitive, and simplified ability to configure known-good baselines, set up configuration drift notifications, view the list of affected users after a configuration change, and configure both vendor-supplied and organization-specific risk score definitions, rules, and remediation steps.
Forrester recognizes that Adaptive Shield received the highest score possible in the Configuration Drift Detection criterion: all recommended baseline configurations are available in the UI of the Security Checks feature. These configurations are mapped to best practices, frameworks, and compliance standards. The Adaptive Shield solution can deliver configuration drift notifications through multiple channels, such as Slack, Teams, email, or any ticketing system of choice, and each notification can be app-specific and drift-specific. The list of users affected by a configuration change appears in the Security Checks feature under the "Affected" tab and also under "Alerts".
In custom Security Checks, the platform user can add or edit the score, rule, and remediation plan manually. In out-of-the-box Security Checks, the user can change the risk score and other variables to match custom logic.
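To make the mechanics of the criterion concrete, here is an added example (illustrative code written for this post, not Adaptive Shield's implementation) of a drift check against a known-good baseline. It evaluates a rule set with vendor-supplied risk scores and remediation text, distinguishes a setting that newly drifted from one that was already failing, lists the users exposed by each failing check, and lets the tenant override a risk score. The rules, the two configuration snapshots, and the user list are constructed for the example.

```python
"""Configuration-drift check against a known-good baseline (added example;
rule set, snapshots and user list are constructed, not a vendor's data)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    check_id: str
    setting: str               # dotted path into a configuration snapshot
    expected: object           # known-good value
    mode: str                  # "equals" or "at_most"
    risk_score: int            # vendor-supplied default, 1 (low) .. 10 (critical)
    remediation: str
    frameworks: tuple = ()     # compliance mappings displayed with the check
    affects_roles: tuple = ()  # roles whose users are exposed when the check fails


@dataclass
class Finding:
    check_id: str
    setting: str
    expected: object
    actual: object
    risk_score: int
    remediation: str
    drifted: bool              # setting changed since the previous snapshot
    affected_users: list = field(default_factory=list)


# Constructed baseline for a hypothetical SaaS tenant.
BASELINE = (
    Rule("MFA-ADMIN", "auth.mfa.required_for_admins", True, "equals", 9,
         "Require MFA for every admin role under Security settings.",
         ("CIS", "NIST CSF"), ("admin",)),
    Rule("SESSION-TTL", "auth.session.max_hours", 12, "at_most", 5,
         "Lower the maximum session lifetime to 12 hours or less.",
         ("ISO 27001",), ("admin", "member")),
    Rule("PUBLIC-SHARE", "sharing.allow_public_links", False, "equals", 8,
         "Disable public link sharing or restrict it to approved groups.",
         ("SOC2",), ("member",)),
)

# Constructed snapshots: the MFA setting drifts between them, while public
# sharing was already failing before and is therefore not a drift.
SAMPLE_PREVIOUS = {"auth": {"mfa": {"required_for_admins": True},
                            "session": {"max_hours": 8}},
                   "sharing": {"allow_public_links": True}}
SAMPLE_CURRENT = {"auth": {"mfa": {"required_for_admins": False},
                           "session": {"max_hours": 8}},
                  "sharing": {"allow_public_links": True}}
SAMPLE_USERS = [  # constructed user inventory
    {"email": "alice@example.com", "roles": ["admin"]},
    {"email": "bob@example.com", "roles": ["member"]},
    {"email": "carol@example.com", "roles": ["admin", "member"]},
]


def get_path(config, dotted):
    """Resolve a dotted path; None means the setting is absent."""
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def check_passes(rule, actual):
    if actual is None:
        return False  # an absent setting fails rather than being skipped
    if rule.mode == "equals":
        return actual == rule.expected
    if rule.mode == "at_most":
        return actual <= rule.expected
    raise ValueError(f"unknown rule mode {rule.mode!r}")


def run_checks(previous, current, users, rules=BASELINE, score_overrides=None):
    """Evaluate every rule on the current snapshot and mark which failing
    settings changed since the previous one. score_overrides lets a tenant
    re-weight a vendor-supplied check, as the post describes."""
    overrides = score_overrides or {}
    findings = []
    for rule in rules:
        actual = get_path(current, rule.setting)
        if check_passes(rule, actual):
            continue
        drifted = get_path(previous, rule.setting) != actual
        affected = [u["email"] for u in users
                    if set(u["roles"]) & set(rule.affects_roles)]
        findings.append(Finding(rule.check_id, rule.setting, rule.expected, actual,
                                overrides.get(rule.check_id, rule.risk_score),
                                rule.remediation, drifted, affected))
    return sorted(findings, key=lambda f: -f.risk_score)


def drift_notifications(findings):
    """One message per failing check that actually drifted; delivery to a
    channel such as Slack, Teams or email is left to the caller."""
    return [f"[{f.check_id}] {f.setting} is now {f.actual!r} (expected {f.expected!r}), "
            f"risk {f.risk_score}, {len(f.affected_users)} user(s) affected. {f.remediation}"
            for f in findings if f.drifted]


if __name__ == "__main__":
    for line in drift_notifications(run_checks(SAMPLE_PREVIOUS, SAMPLE_CURRENT, SAMPLE_USERS)):
        print(line)
```

Two design choices matter here: an absent setting is treated as a failure rather than skipped, so a tenant that never exposed a control is not silently reported as compliant, and "drifted" is computed per check from the previous snapshot, which is what lets a notification be drift-specific instead of re-alerting on every long-standing failure.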
SaaS App Configuration Templates
Forrester defines SaaS App Configuration Templates as the customer SSPM administrator's functional, intuitive, and simplified ability to use and configure various compliance templates, customize vendor-supplied templates, cross-reference individual configuration artifacts with compliance templates, use natural-language descriptions of misconfiguration impact and remediation, and configure reports on findings and on differences between templates and actual app configurations.
Forrester acknowledges that Adaptive Shield received the highest possible score in the SaaS App Configuration Templates criterion. Adaptive Shield's Security Checks are mapped to the industry compliance frameworks (ISO 27000 series, SOC2, NIST CSF, CIS, etc.) and are available out-of-the-box for users to benchmark against. The platform also provides its own frameworks, and customers have the flexibility to customize them, whether by adding rules, dismissing checks, or defining parameters. In addition, the Security Checks feature allows users to see the configuration deltas between the different templates and the as-is state for both passed and failed checks. On top of these capabilities, the Landscape view presents the increase or decrease in posture score resulting from recent changes.
The remediation guides are written in plain English, descriptive and user-friendly, encouraging app owners to remediate easily. A journal feature also enables users to communicate through the platform on each check. The "Posture Overtime" feature shows any change in configurations, gathering logs from the past 180 days.
IAM Administration
Forrester defines IAM administration as the functional, intuitive, and user-friendly configuration of user graphs, inactive admin user detection, authentication monitoring, high-risk business-user-centric views, and fine-grained user permission management within applications.
Adaptive Shield's robust User Inventory received the highest possible score for a strong identity security posture: each SaaS user has consolidated information on which SaaS apps they have access to, along with permissions, roles, groups, and more. The inventory also presents the user checks that fail and how to remediate them. In the Security Checks feature, there are specific checks for access to sensitive data and settings in the system, and there are out-of-the-box security checks for inactive admins. These can be adjusted to fit company policies within a preset or custom timeframe. The same information is also available in the User Inventory via filters and custom security checks.
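As an added example of the two capabilities just described (illustrative code written for this post, not Adaptive Shield's implementation): the per-app user records below are constructed as an SSPM would collect them over each app's API, a consolidate step builds the per-user view of apps, roles, and last activity, and an inactive-admin check flags privileged roles unused for longer than a configurable threshold. The admin role names, the threshold, and the fixed clock are parameters of the example.

```python
"""Consolidated user inventory and inactive-admin detection (added example;
records, role names and the fixed clock below are constructed)."""
from datetime import datetime, timezone

# Constructed per-app user records, one row per (user, app) pair.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "app": "crm",  "roles": ["admin"],  "last_login": "2023-06-28T09:00:00Z"},
    {"email": "alice@example.com", "app": "wiki", "roles": ["editor"], "last_login": "2023-06-29T15:30:00Z"},
    {"email": "bob@example.com",   "app": "crm",  "roles": ["admin"],  "last_login": "2023-03-01T08:00:00Z"},
    {"email": "bob@example.com",   "app": "wiki", "roles": ["viewer"], "last_login": "2023-06-20T10:00:00Z"},
    {"email": "dana@example.com",  "app": "hr",   "roles": ["owner"],  "last_login": None},  # never signed in
]
NOW = datetime(2023, 6, 30, 12, 0, tzinfo=timezone.utc)  # fixed clock so the example is reproducible


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def consolidate(records):
    """Build the per-user view the post describes: every app the user can
    reach, the roles held there, and the most recent login across apps."""
    users = {}
    for rec in records:
        entry = users.setdefault(rec["email"], {"apps": {}, "last_seen": None})
        entry["apps"][rec["app"]] = list(rec["roles"])
        ts = parse_ts(rec["last_login"])
        if ts and (entry["last_seen"] is None or ts > entry["last_seen"]):
            entry["last_seen"] = ts
    return users


def inactive_admins(records, now=NOW, inactive_days=30, admin_roles=("admin", "owner")):
    """Flag privileged roles not used within the threshold. Inactivity is
    judged per app on purpose: a user who is active elsewhere but has not
    touched an admin role in one app is exactly the case to surface."""
    findings = []
    for rec in records:
        privileged = sorted(set(rec["roles"]) & set(admin_roles))
        if not privileged:
            continue
        last = parse_ts(rec["last_login"])
        days = None if last is None else (now - last).days
        if days is None or days > inactive_days:
            findings.append({
                "email": rec["email"], "app": rec["app"], "roles": privileged,
                "days_inactive": days,  # None means the role has never been used
                "remediation": f"Review the {'/'.join(privileged)} role of {rec['email']} in "
                               f"{rec['app']}; remove or downgrade it if no longer required.",
            })
    return findings


if __name__ == "__main__":
    for f in inactive_admins(SAMPLE_RECORDS):
        print(f["email"], f["app"], f["days_inactive"], f["remediation"])
```

A never-used privileged role is reported with `days_inactive` of `None` rather than dropped, since an account that was provisioned as owner and never signed in is a higher-risk case than a stale one, not a lower-risk one.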
Scale
Scale, as defined by Forrester, is determined by the largest number of SaaS applications handled at a single, direct, in-production, paying customer organization as of June 30, 2023.
Adaptive Shield collaborates with hundreds of F1000 and large enterprises; our innovative technology and infrastructure enable us to support enterprises at scale, and this has been recognized as superior compared to other vendors.
Discussion & Misalignment on Selected Criteria
For a few of the criteria listed by Forrester, I had questions about the criterion itself, its definition, or the evaluation. Below are the items that raised the most questions for me.
In Forrester reports, the category weights are meant to prioritize the key features and capabilities of a technology, but in this Wave it seems that primary and secondary categories have been mixed. Why does this matter? SSPM, at its core, enables security teams to monitor and manage their SaaS stack. Items like configuration drift, compliance frameworks, and breadth of app integrations sit at its very heart. Looking at the categories and the weighting given to each in this report, a reader could misunderstand what the core features of an SSPM solution are.
The Innovation criterion is based solely on technical employee headcount. The rating is calculated from the absolute number of technical staff, which clearly disadvantages emerging vendors relative to larger ones. Many would argue that an emerging vendor's success lies in its innovation, agility, and ability to disrupt the norm, grounded also in its technology, vision, research, and more. This may explain why all emerging SSPM companies were given a lower rating, which influenced their overall position in the Wave, since this criterion was given one of the highest category weights at 14%.
Respecting Forrester's definition of innovation, it would perhaps be more logical to calculate the ratio of technical headcount to overall headcount instead of the absolute number of technical staff.
Shadow IT - Proxy-Based Detection - CASB or SSPM?
For scoring, Forrester includes Shadow IT detection and remediation capabilities, OAuth grant discovery, automatic bulk revocation of grants, identification of managed and unmanaged applications, and proxy-based shadow IT discovery.
Adaptive Shield's 3rd Party App Inventory shows all discovered third-party apps, including OAuth apps and the user who granted the OAuth consent, among many other important details. The 3rd Party App Inventory detects unsanctioned apps that are connected to the apps integrated with the Adaptive Shield platform. With over 140 out-of-the-box app integrations and the ability to connect custom apps, Adaptive Shield customers have deep visibility into their large network of apps, sanctioned or unsanctioned, from within the solution.
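The OAuth-grant side of this capability, as an added example (illustrative code written for this post, not Adaptive Shield's implementation): consent-grant records from an integrated app are grouped into an inventory keyed by client ID, each entry records who granted consent and which scopes the app holds, unsanctioned apps are flagged against an approved list, and a review list of revocation candidates is produced for the bulk-revocation workflow Forrester scores. The grant records, the sanctioned list, and the scope names are constructed; real scope strings differ per SaaS platform.

```python
"""Third-party (OAuth) app inventory from consent-grant records (added
example; grants, sanctioned list and scope names are constructed)."""

# Constructed consent grants, one row per user who authorised a third-party app.
SAMPLE_GRANTS = [
    {"app": "CalendarSync", "client_id": "cid-001", "user": "alice@example.com",
     "scopes": ["calendar.read"], "granted": "2023-05-02"},
    {"app": "BulkExporter", "client_id": "cid-002", "user": "bob@example.com",
     "scopes": ["files.readwrite", "mail.read"], "granted": "2023-06-10"},
    {"app": "BulkExporter", "client_id": "cid-002", "user": "carol@example.com",
     "scopes": ["files.readwrite"], "granted": "2023-06-12"},
    {"app": "CalendarSync", "client_id": "cid-001", "user": "dana@example.com",
     "scopes": ["calendar.read", "contacts.read"], "granted": "2023-06-20"},
]
SANCTIONED_CLIENT_IDS = {"cid-001"}  # apps approved by the organisation (constructed)
SENSITIVE_SCOPES = {"files.readwrite", "mail.read", "contacts.read"}  # constructed risk list


def build_inventory(grants, sanctioned=SANCTIONED_CLIENT_IDS, sensitive=SENSITIVE_SCOPES):
    """Group grants by client ID and record who consented, which scopes the
    app holds across all grants, and whether it is sanctioned. The result is
    sorted riskiest first: unsanctioned, then by sensitive scopes, then reach."""
    apps = {}
    for g in grants:
        entry = apps.setdefault(g["client_id"], {
            "app": g["app"], "client_id": g["client_id"],
            "sanctioned": g["client_id"] in sanctioned,
            "granted_by": [], "scopes": set(), "sensitive_scopes": set()})
        entry["granted_by"].append(g["user"])
        entry["scopes"].update(g["scopes"])
        entry["sensitive_scopes"].update(set(g["scopes"]) & sensitive)

    def risk(e):
        return (not e["sanctioned"], len(e["sensitive_scopes"]), len(e["granted_by"]))

    return sorted(apps.values(), key=risk, reverse=True)


def revocation_candidates(inventory):
    """Grants an admin would review for bulk revocation: unsanctioned apps
    holding at least one sensitive scope. Returned as (client_id, user)
    pairs because consent is revoked per grant, not per app."""
    return [(e["client_id"], user) for e in inventory
            if not e["sanctioned"] and e["sensitive_scopes"]
            for user in e["granted_by"]]


if __name__ == "__main__":
    for e in build_inventory(SAMPLE_GRANTS):
        flag = "sanctioned" if e["sanctioned"] else "UNSANCTIONED"
        print(f"{e['app']} ({e['client_id']}) {flag}: scopes={sorted(e['scopes'])}, "
              f"granted by {len(e['granted_by'])} user(s)")
    print("review for revocation:", revocation_candidates(build_inventory(SAMPLE_GRANTS)))
```

Note that a sanctioned app can still accumulate sensitive scopes through a later grant (CalendarSync gains `contacts.read` via one user's consent), so the inventory tracks scopes across all grants rather than trusting the first one seen; this is the detail that makes "who granted what" worth showing next to each app.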
It is important to note that Adaptive Shield does not support proxy-based shadow IT discovery in the way a CASB does. SSPM, being a modern solution, is API-based. In fact, one of the reasons SSPM technology emerged was to move deliberately away from control via proxy.
Another point of interest, not mentioned in Forrester's definition, is the innovative capability to surface API keys. Adaptive Shield's 3rd Party App Inventory also presents API key information, a new and important feature for this capability.
While Forrester's Wave report is a valuable resource for assessing solutions, my analysis has uncovered areas where we concur and areas where we differ. I believe it is crucial for stakeholders to evaluate the report with a clear understanding of the details and to consider the discussion above in order to judge for themselves.
I am thankful to Forrester for bringing the important SSPM sector to the front of mind. Ultimately, your organization's specific requirements and your direct experience with a solution should guide your decision-making process, ensuring a tailored fit for your organization's SaaS security needs.