SSPM Solving the SaaS Security Challenge of “Too Much to Do, Too Little Time”

Adaptive Shield Team

“How many people do you know that clean their house once a quarter? …you have to keep a certain level of hygiene both in your house and your SaaS stack.”

So said our CEO, Maor Bin, in a webinar with Omdia Senior Principal Analyst Rik Turner about the growing need to take a proactive, automated approach to SaaS security. Here are some highlights from the webinar.

Rik Turner begins the webinar by reflecting on the emergence of SaaS apps in the early 1990s leading up to 2010. “The world of SaaS apps grew rapidly and for good reason,” Rik explains. “SaaS is so easy that once you’ve adopted it, someone in the next business unit comes and says ‘oh you guys are using that? That looks great’ and next thing you know half the company is using something that nobody in IT even sanctioned.” Security teams need control over, and visibility into, the configurations of every SaaS app the company uses.

By 2014, the Cloud Access Security Broker (CASB) had reared its head as a powerful cloud security solution to address the above-mentioned issue. CASBs proved effective in helping restore visibility to IT and security teams. However, a CASB is a reactive solution, so there was still no preemptive approach for giving visibility into all the (mis)configurations across the growing SaaS app stack. It wasn’t long after that Gartner brought SaaS Security Posture Management (SSPM) onto the playing field as a SaaS-specific security solution.

An SSPM’s job is to maintain hygiene across a SaaS stack by continuously monitoring all the SaaS security risks and automatically identifying whether all the native security controls are correctly configured. By doing so, SSPM offers businesses a preventative SaaS security solution.

The webinar pulls findings from the 2022 SaaS Security Survey Report to demonstrate the current state and perception of SSPM. Rik Turner highlights the significant correlation between SaaS misconfigurations and security incidents, showing that up to 63% of security incidents are caused by a SaaS misconfiguration.

Figure 1. Companies that experienced a security incident due to a SaaS misconfiguration

“This kind of datapoint isn’t very surprising. We are always talking about how configurations are the number one attack vectors. They’re the number one threat for companies when we’re talking about cloud security. These small mistakes can lead to very, very serious problems – account takeover, data leakage, and more,” asserts Bin.

SaaS apps have changed the way security and IT teams think about security. Gone are the days of security teams being experts on every company program or system. It has become impossible for security teams to be familiar with the ins and outs of every SaaS app. The fact of the matter is that while companies have quickly implemented new SaaS apps, they have lagged behind in growing their security teams and tools. There is a reported 81% increase in SaaS apps but only a 73% increase in security tools and a lesser 55% increase in security staff. This overburdens security teams, which in turn creates a cycle of companies leaving themselves exposed.

Figure 2. Businesses’ investments in SaaS apps, security tools, and security staff

Simply put, security teams today don’t have the capacity to manually configure every SaaS setting in an effective way. Nearly half of the security teams today attempting to do so are only checking their SaaS security settings monthly or less often — 15% are checking quarterly.

Meanwhile, as Rik Turner points out, companies that have embraced SSPM have given their security teams deep visibility into their SaaS stack security, allowing them to deal with misconfiguration threats.

Figure 3. Time it takes companies with SSPM vs. without SSPM to detect and remediate misconfigurations

Businesses and organizations have become inseparable from their SaaS apps. Bin and Turner address these issues and more in the full webinar, giving further insight into how the world of SaaS is growing and how SSPM is taking a proactive approach to securing businesses’ SaaS stacks.

“As these numbers show, once you introduce an SSPM, it dramatically improves an organization’s ability to detect and remediate these misconfigurations,” says Turner.
