SaaS vs. IaaS: Why Does IaaS Get All the Security Attention?

Despite their apparent differences, IaaS and SaaS each contain critical corporate information that must be secured.

Adaptive Shield Team

In many ways, IaaS and SaaS are very different. Infrastructure-as-a-Service (IaaS) is a place where developers use virtualized resources to compute, network, and store data. Software-as-a-service is a piece of software that is hosted on the cloud. Despite their apparent differences, IaaS and SaaS each contain critical corporate information that must be secured.

Securing IaaS requires a Cloud Security Posture Management (CSPM) tool, which monitors configurations, provides user governance, assesses data risks, and ensures the security of the IaaS environment. The CSPM market size is about $4.7 billion in 2023 and is expected to continue to grow over the next seven years at a compound annual growth rate (CAGR) of 10.4%.

SaaS Security Posture Management (SSPM) is used to secure SaaS apps. Like CSPM, SSPM monitors configurations, handles threat detection, plays a role in user governance, and ensures that the SaaS application is safe. The SSPM market size, however, is only a fraction of the size of CSPM’s market.

When you consider that both SSPMs and CSPMs are tasked with hosting critical corporate data that would lead to significant business losses if breached, it is surprising that there is such a large disparity in market size. Why is it that so many companies invest in security tools for their IaaS while leaving their SaaS applications virtually unattended? Here are some theories to explain the dissonance.

Theory #1 – IaaS Lacks Native Security Tools

One of the selling points of IaaS is the level of control granted to the development team. The service provider is responsible for the security of its servers and storage areas, but everything else is the responsibility of the customer. That includes runtime, networking, O/S, data virtualization, middleware, and applications.

As a result, when companies move to the cloud and begin an IaaS project, they recognize the responsibility that they have in terms of security. With SaaS applications, it’s not as simple.

SaaS applications also talk about a shared responsibility model, but the vendor is responsible for the entire application. The only security responsibility remaining for the purchaser is to secure the SaaS ecosystem using the configurations provided by the vendor. The perception is that SaaS applications are secure, and whatever security may be lacking isn’t that big a deal.

That misperception can be dangerous. Misconfiguring an application can lead to security breaches that compromise entire databases of PII, company secrets, and financial records.

The reality is that IaaS installations are like a field without any fences. Without security put in place, anyone can wander through and do as they choose. SaaS applications have fences, but those fences have open gates that must be closed. The net result is that without introducing SSPM security measures to a SaaS application, the data contained within the SaaS can be breached and exploited.

Theory #2 – IaaS is More Important to Protect than SaaS

IaaS is very multi-purpose. It hosts websites, runs virtual servers, stores and processes data, and handles dozens of business-critical activities. When IaaS goes down, it can lead to service disruptions, data losses, and have a financial and operational impact. To avoid those types of disasters, IT recognizes the need to invest in security products and ensure business continuity.

Five years ago, SaaS applications were used because they increased efficiency. Today, organizations heavily rely on SaaS applications to run their business operations. SaaS security is not only about securing SaaS data. SaaS breaches lead to serious consequences like reputational damage, business email compromise (BEC) fraud, identity theft, and email shutdowns. Breaches to infrastructural apps such as Workday, ServiceNow, Salesforce, and M365 can fully disrupt business operations.

For the latest in SaaS Breaches, don’t miss our Brief Debrief blog series

Theory #3 – IaaS has a Clear Owner and Champion

IaaS is owned by the IT team. From a corporate perspective, that means payment for the service and the security services associated with it comes from the IT team’s budget. Having a single point of responsibility simplifies its management.

SaaS applications are different. Each team purchases the SaaS it feels is best suited for their needs. Some teams will consult with their IT or security department, but the purchase decision lies in their hands. SaaS applications appear in every team’s budget.

However, teams don’t believe that it is their responsibility to pay for an entire security platform. While the equitable thing to do might be to allocate budget from every team using a SaaS application, that level of cooperation rarely happens in a corporate setting. Instead, security tools like SSPM fall to the security team, which is having a hard time adjusting to a new security paradigm where app owners have their hands on the security controls.

Theory #4 – Organizations Already Have a SaaS Security Solution

Over the last few years, security teams have invested in single sign-on (SSO) tools like Okta or cloud-access security brokers (CASB). These tools have been positioned as SaaS security tools, leaving security teams feeling confident that their SaaS applications are secure.

In practice, neither of these tools are as effective as a dedicated SaaS security tool. SSOs make access more difficult but are not involved in monitoring configurations, reviewing third-party applications, or identifying threats. When users also have local access, SSOs are particularly ineffective at securing anything.

CASBs are more effective, in the sense that they can monitor some configurations and have limited visibility into third-party applications. Even so, they are expensive to configure, making them a less-than-ideal solution for monitoring the SaaS stack.

Despite these limitations, organizations with CASB or SSO solutions in place might feel less urgency to invest in a true SaaS security solution.

Securing SaaS is Becoming a Priority

These theories may explain why so few companies have invested in SSPM tools to secure their SaaS applications. However, they do little to protect the data sitting in SaaS applications. Fortunately, organizational attitudes are changing with respect to the need for SSPM.

In The Annual SaaS Security Report: Plans and Priorities for 2024, 44% of respondents said their organization was using an SSPM, up from just 17% the previous year. An additional 36% said they planned on using an SSPM within the next year by September 2024.

Clearly, companies are starting to recognize the value of the data they are storing in the cloud, and are taking measures to prevent breaches from their applications.

CSPM and SSPM are two complementary solutions, with each one protecting a different piece of a company’s cloud assets.

For more on the interplay between SSPMs and CSPMs, check out this announcement from Wiz and Adaptive Shield

About the writer

Adaptive Shield Team

Businesses today run nearly every facet of their operations using a wide array of interconnected SaaS apps. Adaptive Shield’s team is here to keep you informed as well as help you secure your SaaS estate.