The 2021 SaaS Security Survey report is a deep-dive on the state of SaaS security for today’s enterprises. It looks at the top risks that security professionals identify in their organizations, how CISOs feel about the security of an ever-growing SaaS-based environment, and how this concern impacts the approach they use for protecting and managing their cloud networks.
If you’re looking for an overview of the highlights of the report - you’re in the right place! Here are the key takeaways from this essential study, providing first-hand guidance and insight from 300 InfoSecurity professionals from the United States and Western Europe, in companies that range from 500 to more than 10,000 employees.
CISOs are clued into today’s greatest risks - and misconfiguration tops the list
85% of today’s enterprises are aware that SaaS misconfigurations are a risk to their organization. This comes in at #3 in the list of cloud risks, after account hijacking and data leakage. Interestingly, many of the other risks that are on the list of threats can also arise due to misconfigurations, such as inadequate legacy protocols, insufficient identity checks, poor access controls for roles and credentials, or risky key management practices.
For example, if you don’t adequately govern information sharing with third-party SaaS providers, you could be opening yourself up to account hijacking. Similarly, a security misconfiguration in Jira led to data leakage for many Fortune 500 companies, including potentially disclosing email addresses and IDs, employee roles, current projects and milestones, and more.
If you factor in these cross-threats, where organizations admit they are worried about the “high risk” of insider threats, insufficient identity management, insecure APIs, and more - all of which can arise from misconfigurations, you can see how large the risk of SaaS misconfigurations really is.
The more apps organizations have, the less they check for security misconfigurations
The global SaaS market is estimated to continue to grow at a CAGR of more than 11% until 2025, with enterprises continuing to look for the benefits of fast time to market, subscription-based pricing, third-party expertise, and an interconnected ecosystem of best-of-breed players.
As organizations continue to onboard more applications, perhaps not enough thought is being placed on checking their corresponding security posture, which evolves every time a new SaaS application gains permissions and access to data, and every time this application updates.
91% of companies are checking the security settings of their SaaS applications at least quarterly, recognizing that configuration management is an important undertaking. Each application has its own interface, settings, permissions and data privileges, and these need a tight rein to catch glitches, configuration drift, or unintended changes to employee access.
However, the data uncovered that the more SaaS applications a company has under its roof, the fewer checks it performs. When a company has between 50 and 99 applications, just 12% of security teams manage to check permissions and configuration on a weekly basis. 40% of these companies are relying on quarterly checks, despite an agile working pipeline suggesting each of their apps will be updated every few weeks. In contrast, with under 10 apps to handle, the percentage of CISOs making weekly checks jumps to 35%.
This doesn’t change depending on how concerned the CISO in charge is about the security of their apps. Even when a CISO is worried about the security posture of between 75% and 90% of their SaaS applications, if they have more than 50 apps to manage, they still fail to check them weekly more than 24% of the time.
The current best-case scenario is for CISOs that have confidence over the security of more than 90% of their apps, and even then - only 47% are managing to check them on a weekly basis. Overall, just 3% of companies check their SaaS applications for weaknesses and misconfigurations on a daily basis. A real-time view of all risks is simply out of reach for the majority of today’s enterprises.
The responsibility for securing SaaS applications is regularly delegated to the SaaS owner
It’s clear that regular checks of security settings for an ever-growing portfolio of SaaS applications are an impossible task. Security teams can’t stay on top of every new SaaS application, including how to navigate the settings, get comfortable with the UI, and understand its usage across the company.
Because of the scope of this challenge, we saw that respondents are regularly putting responsibility for checking and maintaining SaaS security into the hands of the SaaS owner. Unfortunately, these stakeholders often have little to no security background or skills, and may be Marketing managers, Product owners, or Sales personnel, to name just a few. This is the reality in more than half of companies. The smaller the company, the bigger the problem, with fewer resources in place for security teams to take ownership of SaaS configuration and management.
According to Gartner, 99% of cloud security failures and the associated consequences are the customer’s fault. This tends to be understood as a concept related to the Shared Responsibility model. While your cloud provider will be held responsible for the underlying infrastructure of the cloud, your company holds full responsibility for applications, data, and settings of any information in the cloud.
While organizations might think they have outsourced security to their SaaS vendor, in reality the vendor can only offer security settings that work in a silo, targeted to their own product. With the best will in the world, they can’t take any ownership over the security of a multi-layered, complex environment that spans hundreds of applications and unknown quantities.
Gartner suggests that companies ask themselves, “Am I using the cloud securely?” rather than “Is the cloud secure?” In short - your cloud environment is only as secure as how you manage it.
The risk of human error is greater than ever in today’s enterprise environment
With this in mind, the fact that more than half of today’s enterprises are delegating security process and management to the less-trained SaaS owner is problematic. If you consider that the area they are delegating is what CISOs themselves call the highest cloud risk in their network, it becomes nothing less than negligent.
The report also uncovered that there is regularly an overlap in responsibility, where multiple stakeholders have access to the SaaS app settings. For example, the Security team may have access, and perhaps it takes overall responsibility for the security of the settings, but it also allows department heads to access and make changes to these apps, presumably for ease of use or quick changes. An example of this could be Marketing team leads holding control over the HubSpot account, or Sales owners being able to make changes in Salesforce. One in four companies is currently working in this way, making it even more difficult for Security teams to stay on top of the challenge.
Human error is the single biggest risk to organizations working in the cloud. However, what we’ve seen about CISOs’ level of concern suggests that security professionals already know that they need to make a change.
To summarize, with up to date insight from the report, we can isolate the greatest risks:
- Security misconfigurations are a CISO’s greatest fear.
- With a growing number of apps, security teams can’t keep up.
- Delegation of security leads to a greater risk of human error.
SSPM has become the organization's top priority for 2021
A new category of security tools is emerging to deal with these risks. As SaaS becomes the default system of record for organizations, SaaS Security Posture Management (SSPM) has been touted by Gartner amongst other technologies in its most recent hype cycle. These are defined by the analyst as “tools that continuously assess the security risk, and manage the security posture of SaaS applications.”
Common tasks that SSPM tools take on, in order to continuously assess risk and identify misconfigurations across the SaaS estate, include:
- Visibility: Continuously assessing security of all SaaS applications across multiple ecosystems. Aggregating and normalizing the view of security settings into a single dashboard.
- Detection: Intelligently isolating risks in areas such as access sharing, file permissions, data encryption, user roles and privileges, keys and credentials, and third-party add-ons.
- Remediation: Seamlessly providing step-by-step remediation for each issue, sent directly to the right SaaS owner to put the missing in-depth security knowledge into the right hands.
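To make those three tasks concrete, here is an added Python sketch (not code from the report or from any SSPM vendor) of the SSPM loop in miniature: it normalizes settings from a few apps into one view, runs misconfiguration rules over them, reports drift against the previous check, and routes each finding to the app's owner. All app names, settings, owners and thresholds are constructed sample values.

```python
from dataclasses import dataclass

# Visibility: each app's settings flattened into one normalized key space.
# Constructed sample snapshot; real SaaS admin APIs expose these differently.
SNAPSHOT = {
    "hubspot": {"owner": "marketing-lead", "mfa_required": False,
                "public_sharing": True, "api_key_age_days": 400},
    "salesforce": {"owner": "sales-ops", "mfa_required": True,
                   "public_sharing": False, "api_key_age_days": 30},
    "jira": {"owner": "security-team", "mfa_required": True,
             "public_sharing": True, "api_key_age_days": 10},
}

@dataclass
class Finding:
    app: str
    owner: str
    check: str
    remediation: str

# Detection: (check id, predicate over normalized settings, remediation text for the owner).
RULES = [
    ("mfa_not_enforced", lambda s: not s["mfa_required"],
     "Enable MFA enforcement for all users in the admin console."),
    ("public_sharing_enabled", lambda s: s["public_sharing"],
     "Disable anonymous link sharing; restrict sharing to org members."),
    ("stale_api_keys", lambda s: s["api_key_age_days"] > 90,
     "Rotate API keys older than 90 days and revoke unused ones."),
]

def assess(snapshot):
    """Run every rule against every app; each failed rule becomes a Finding."""
    return [Finding(app, s["owner"], check, fix)
            for app, s in snapshot.items()
            for check, failed, fix in RULES if failed(s)]

def drift(baseline, current):
    """Settings that changed since the previous check (configuration drift)."""
    return [(app, key, baseline.get(app, {}).get(key), value)
            for app, settings in current.items()
            for key, value in settings.items()
            if baseline.get(app, {}).get(key) != value]

def by_owner(findings):
    """Remediation: group findings per SaaS owner so each gets their own list."""
    routed = {}
    for f in findings:
        routed.setdefault(f.owner, []).append(f)
    return routed
```

Running `by_owner(assess(SNAPSHOT))` on the sample data hands the HubSpot owner three items and the Jira owner one, which is the routing step the report describes; scheduling `drift` between checks is what turns a quarterly review into a continuous one.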
As CSPM and CASB tools fail to address the challenges of a SaaS environment, SSPM has risen to the top of the enterprise agenda, and is the top pick in terms of priorities in 2021. 48% of respondents named SSPM tools as the #1 item on their priority list.
As an emerging technology, SSPM is already in use at just 8% of organizations, which explains why so many are failing to check their applications in line with their growing concerns. However, 55% have SSPM on their radar, and only the remaining 37% aren’t currently planning to use this technology.
If you want to read the full report, just click here.