Why SaaS Security is So Hard

May 31, 2021

It’s never quiet in the era of cybercrime — and becoming the more common vector for bad actors and infiltration is within the company’s SaaS security posture.

With the SaaS market growing at 30% per year and with Deloitte and others predicting that post-covid, the SaaS model will be even more widespread, it is safe to say that SaaS configuration weakness will be all the more exploited. One only has to consider the typical employee, untrained in security measures, and how their access or privileges increase the risk of sensitive data being stolen, exposed, or compromised. SaaS Security Posture Management (SSPM), as defined by Gartner, is critical to the security of today’s enterprise.

I like to refer to this as the BIG misunderstanding. Many don’t realize that there are two sides to securing company SaaS apps. While SaaS providers build in a host of security features designed to protect company and user data, it is ultimately beyond their control. Just as in any other part of the network, the IT or security team are the ones responsible for protecting and managing the data, configurations, user roles and privileges, regardless of their location.

SaaS Security Challenges’ Rundown

For enterprise organizations, ensuring that all the SaaS apps are configured properly and have the correct user roles and privileges is not only a never-ending, time-consuming endeavor, but an impossible one.

Here is a rundown of the main issues security teams face that make SaaS security complex, laborious and just...hard.

  • Dynamic and ever-changing: The SaaS environment is dynamic and continually updating. As employees are added or removed and new apps onboarded, permissions and configuration must be reset, changed, and updated. In addition, there are continuous, compliance updates and security configurations to meet industry standards and best practices (NIST, MITRE, etc.),  and security teams need to continuously ensure that all the configurations are enforced company-wide, no exceptions. With a typical enterprise having on average 288 SaaS applications, this presents hours of continuous work and effort and is just not sustainable.

  • Each app is a world unto itself: Each SaaS application has its own security configurations for compliance, like which files can be shared, whether MFA is required, whether recording is allowed in video conferencing, and more. The security team has to learn each application’s specific set of rules and configurations and ensure they are compliant with their company’s policies. As they are not the ones using the apps on a daily basis, they are rarely familiar with the settings, making it even harder to optimize the configuration.

  • Configuration management overload: The amount of apps, configurations, user roles and privileges for an organization to manage and monitor is only growing with every onboarded app. If you break it down into numbers: a typical enterprise has hundreds of SaaS apps. Each app has up to hundreds of global settings, not to mention an enterprise that can have thousands to tens (even hundreds) of thousands of employees. This requires a security team to learn hundreds of app setups and monitor thousands of settings and tens of thousands of user roles and privileges — quite an impossible and unsustainable scenario.
  • No clear visibility or direct management: Most SaaS apps are purchased and implemented in the departments that most utilize them, for example, an automation SaaS solution sits in marketing and CRM with sales. These SaaS apps hold critical data on the company’s clientele and business projects. Often the SaaS owners are not security-trained or vigilant in the continuous needs of configuration and posture. The security team ends up being in the dark about the security protocols in place -- and more importantly, do not have eyes on the exposure or risk.

  • The human impact: Beyond the owner or admin of the SaaS app, are the employees that use it. Employees often have access or privileges that could leave a company exposed, on purpose or by accident. For example, and it’s one that’s happened to most of us, an email is sent when a name autofills or is mistyped, which may cause an old email address, the wrong name or group, or even an external user to gain access to the sensitive content. Depending on the sensitivity of the data, this “accidental share” has now left the company exposed. Between accidental shares or changing a folder “public” so that the data can be retrieved by anyone and more, it’s clear employees’ use of a SaaS app should be configured correctly as well as monitored.
  • Hackers keep coming: Hacking techniques continue to get more sophisticated, yet when it comes to infiltrating SaaS apps, it’s often too simple. Bad actors are continuously looking for vulnerabilities to exploit to infiltrate a business. Some have even gone as far as to say that hackers are no longer hacking in but logging in. The dynamic nature of the security environment and the growing risks place even more responsibility in the hands of security teams that are already buckling under existing pressures.  

Preventing SaaS Security Posture Problems

Organizations vulnerable to SaaS security configuration weakness can now turn to solutions that automate their SaaS security posture.

As Gartner’s own Tom Croll asserts in 3 Steps to Gartner’s SaaS Security Framework (Dec 2020):

“Increasingly, business-critical data is being processed by applications that exist entirely outside the corporate network, making traditional controls ineffective. New controls are needed to address these new realities.

SSPM tools allow enhanced controls to further protect data stored in the most commonly used SaaS applications. Core capabilities include monitoring the configuration of native SaaS security settings, reporting non-compliance and auto-remediating violations to maintain alignment with multiple compliance frameworks.”

There are many solutions in cloud security, yet it’s only the SSPM solution that assesses the company’s SaaS security posture in a customized and automated manner, tailored to the specifications of each application and company policy. And it's not a one-time assessment; it is a continuous process that monitors and reinforces the company’s SaaS security.

The right SSPM solution, like Adaptive Shield, can provide deep visibility and remediation for potential vulnerabilities in a company’s SaaS security posture, from misconfigurations and misappropriated privileges to suspicious SaaS usage. SSPMs are built to streamline and improve the security team’s efficiency, reducing their workload and stress, while increasing protection for the company against any potential exposure or breach.

This was first published in Security Boulevard on March 12, 2021.

About the writer

Maor Bin
CEO & Co-Founder
Why SaaS Security is So Hard
A former cybersecurity intelligence officer in the IDF, Maor has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his BSc in Computer Science and is CEO and co-founder of Adaptive Shield. Oh and he is a globally-ranked chess player.
GDPR Compliant
ISO 27001 Compliant
ISO 27001 Certified
ISO 27701 Certified
SOC 2 Compliant
Cyber GRX