The Emerging Focus on SaaS Security

By Erik Linask, Group Editorial Director  |  June 05, 2023

Over the past decade, SaaS applications have entirely transformed how businesses operate.  They offer an alternative to traditional on-premises software, with easier scalability, lower up-front costs, convenient access, and less strain on IT departments.

The adoption and use of SaaS applications have grown rapidly in recent years, becoming integral components of modern business operations.  A variety of functions and business processes have been modernized thanks to SaaS alternatives to legacy software models, including CRM, sales and marketing, communication, and others.  Of course, this evolution has been amplified by the recent shift towards remote work, where SaaS plays a fundamental role in enabling productivity.

The global SaaS market was worth about $3 trillion a year ago, according to McKinsey, which projected it could grow to as much as $10 trillion by 2030.

It’s not surprising that nearly every business uses at least one SaaS application today, but what’s more telling is that the average business uses a staggering 130 SaaS applications.  Naturally, the larger the company, the more SaaS applications they tend to use – and, similarly, the longer a company uses SaaS applications, the more their usage grows.  Both are logical progressions considering the benefits companies gain from moving to SaaS and support projections that the market is on an extended growth trajectory.

One of the three core categories of cloud computing (along with PaaS and IaaS), the SaaS model eliminates the need for physical installations or additional hardware, since application maintenance and updates are managed by the service provider in the cloud, easing the workload on often overburdened IT teams. The SaaS model is subscription-based, meaning companies pay for what they use, when they use it, helping reduce costs.  That, along with accessibility, flexibility, and scalability, makes SaaS an attractive choice for businesses.

But, like most modern technologies, this growing reliance on SaaS applications also presents new security challenges.  Organizations are now finding their critical data residing outside the traditionally controlled network perimeter, stored in the cloud and accessed over the internet.  This dispersion of data increases the attack surface for potential cyber threats, prompting the newfound emphasis on SaaS security.

At the same time, cyber threats have become more sophisticated and frequent, and some hacker groups are specifically targeting vulnerabilities in SaaS applications, increasing risk from a number of threat types, including data breaches, account hijacking, malware and ransomware attacks, and insider threats.  The potential damage from these various threats can be extensive and multi-faceted.  They pose serious risks not only to the confidentiality, integrity, and availability of data, but also to the business continuity and reputation of organizations – both the SaaS application providers and their customers.  There’s also the risk of a domino effect, where a breach of one application (or the credentials and API tokens it holds) could give cyber criminals access to other application vendors’ systems.

It’s not just a theory – this is happening.  The Cloud Security Alliance just released its new report on SaaS security, noting that 55% of organizations say they experienced a SaaS security incident in the past two years, with another 12% unsure (it’s a safe bet at least half of them have as well).

The incidents include:

  • Data leakage (58%)
  • Malicious apps (47%)
  • Data breaches (41%)
  • SaaS ransomware (40%)
  • Corporate espionage (32%)
  • Insider attacks (11%)

“Many recent breaches and data leaks have been tied back to SaaS apps,” said Hillary Baron, lead author and Senior Technical Director for Research, Cloud Security Alliance.  “This explains why 71% of respondents are prioritizing their investment in security tools for SaaS.”

The fact that companies are taking the threat seriously is a positive sign.   Most notably, many are turning to SaaS Security Posture Management (SSPM) as a means of securing their entire SaaS stacks.  According to CSA, 80% of companies are already using SSPM or plan to by the end of next year.  Just a year ago, only 17% of companies were using SSPM.

“The attack surface in the SaaS ecosystem is widening, and just as you would secure a cloud infrastructure with Cloud Security Posture Management, organizations should secure their SaaS data and prioritize SaaS security,” says Maor Bin, CEO and co-founder of Adaptive Shield, which commissioned the study.

One of the key drivers of additional investment in SaaS security is the fact that organizations’ current security solutions don’t cover the entire breadth of their SaaS applications.  More specifically, 58% of organizations estimate their current SaaS security solutions cover 50% or less of their SaaS applications.  At the same time, two-thirds of businesses have increased their SaaS usage.  Combined with the lack of coverage from existing security solutions, that creates a growing, unprotected threat surface – thus the increased focus on SSPM.

SSPM solutions provide coverage in areas where other methods and strategies have fallen short, offering more comprehensive protection against various security risks throughout the whole SaaS security ecosystem.  They are designed to help organizations maintain tighter control over their SaaS environments by providing visibility into SaaS assets, detecting misconfigurations, identifying security risks, and enforcing security policies.  As SaaS usage continues to rise and a company’s SaaS environment becomes increasingly complex, SSPM almost becomes a necessity, not only to reduce risk but also to reduce the burden on IT teams.

In addition to investing in SSPM solutions, there are other logical steps companies should take to secure their SaaS apps:

Data encryption – Encrypting data both in transit and at rest ensures that even if data is intercepted or a storage medium is exposed, it remains unreadable and therefore useless to unauthorized parties.  Ask who holds the keys: if the provider manages them, the provider (and anyone who compromises it) can still read the data.

Strong access controls – Ensure only authorized individuals can access sensitive data.  This includes practices like role-based access control (RBAC), where users are only given the access they need to perform their roles, and keeping the number of administrator accounts to a minimum.

Multi-factor authentication (MFA) – MFA adds an extra layer of security by requiring users to provide two or more factors to authenticate their identities.  Enforce it at the tenant level rather than leaving it to individual users, and prefer phishing-resistant factors such as FIDO2/WebAuthn security keys over SMS codes.

Regular security audits – Conduct regular security audits to identify vulnerabilities and address them before they can be exploited.

Employee training – One of the biggest threats to security, in general, is human error.  Regularly train employees on best security practices, how to identify phishing attempts, the importance of using strong, unique passwords, and other security best practices.

Vendor assessment – Conduct thorough assessments of any vendors you’re considering and their security policies and infrastructure.  Look for vendors who follow best practices and have proven, robust security measures in place.

Incident response planning – Most people will tell you security incidents aren’t an “if,” they’re a “when.”  Have a plan in place for responding to security incidents when they inevitably occur.  Your plan should outline steps for containing the incident, eradicating the threat, recovering from the incident, and communicating about the incident both internally and externally.
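The posture checks that SSPM tools automate, and several of the items on the checklist above (enforced MFA, limited admin rights, vendor and third-party integration review), can be expressed as a policy evaluated against each tenant's settings.  The following is an added illustration, not code from the article, the CSA report, or any SSPM product: it runs a small rule set over a constructed inventory of SaaS configuration snapshots and reports both the findings and the share of the inventory that is actually monitored, which is the coverage gap the survey respondents describe.  The setting names, thresholds, app names and the list of approved OAuth integrations are all assumptions chosen for the example.

```python
"""Toy SSPM-style posture check over a constructed SaaS inventory.

Added illustration, not code from the article or any SSPM vendor.  Every
setting name, threshold and app name below is an assumption for the example.
"""
from dataclasses import dataclass, field

# Assumed organizational policy: OAuth integrations the security team has reviewed.
APPROVED_OAUTH_APPS = {"calendar-sync", "slack-notifier"}
MAX_SESSION_MINUTES = 480  # assumed limit: an eight-hour session lifetime


@dataclass
class SaaSConfig:
    """Snapshot of the security-relevant settings of one SaaS tenant (assumed schema)."""
    app: str
    mfa_enforced: bool
    sso_enabled: bool
    admin_users: int
    total_users: int
    external_sharing: str          # "off", "domain" or "anyone"
    session_timeout_min: int
    oauth_apps: list[str] = field(default_factory=list)


def check_posture(cfg: SaaSConfig) -> list[dict]:
    """Return misconfiguration findings for one tenant, highest severity first."""
    findings = []

    def add(severity, rule, detail):
        findings.append({"app": cfg.app, "severity": severity, "rule": rule, "detail": detail})

    if not cfg.mfa_enforced:
        add("HIGH", "mfa_not_enforced", "tenant still allows password-only sign-in")
    if not cfg.sso_enabled:
        add("MEDIUM", "sso_disabled", "accounts are local, so offboarding must be done per app")
    # Allow at most 5% of users (never fewer than 2) to hold admin rights; integer ceil.
    admin_limit = max(2, (5 * cfg.total_users + 99) // 100)
    if cfg.admin_users > admin_limit:
        add("MEDIUM", "excessive_admins", f"{cfg.admin_users} admins, limit {admin_limit}")
    if cfg.external_sharing == "anyone":
        add("HIGH", "public_sharing_enabled", "share links can be opened without authentication")
    if cfg.session_timeout_min > MAX_SESSION_MINUTES:
        add("LOW", "long_session_lifetime",
            f"{cfg.session_timeout_min} min exceeds {MAX_SESSION_MINUTES}")
    for integration in cfg.oauth_apps:
        if integration not in APPROVED_OAUTH_APPS:
            add("MEDIUM", "unapproved_oauth_app", f"third-party app '{integration}' holds a token")

    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: order[f["severity"]])  # stable: rule order kept within a level
    return findings


def assess_stack(inventory: list[str], configs: list[SaaSConfig]) -> dict:
    """Combine per-app findings with a coverage figure.  Apps in the inventory
    that have no configuration snapshot are blind spots, not 'clean'."""
    monitored = {c.app for c in configs}
    unmonitored = sorted(set(inventory) - monitored)
    findings = [f for c in configs for f in check_posture(c)]
    return {
        "coverage": len(monitored) / len(inventory) if inventory else 0.0,
        "unmonitored": unmonitored,
        "findings": findings,
        "high": sum(1 for f in findings if f["severity"] == "HIGH"),
    }


# Constructed sample inventory: what a SaaS discovery tool might report.
SAMPLE_INVENTORY = ["crm", "file-share", "helpdesk", "hr-portal", "team-chat"]

# Constructed snapshots: only three of the five apps are actually monitored.
SAMPLE_CONFIGS = [
    SaaSConfig("crm", True, True, 2, 200, "off", 60, ["calendar-sync"]),
    SaaSConfig("file-share", False, False, 15, 120, "anyone", 1440, ["unknown-exporter"]),
    SaaSConfig("helpdesk", True, False, 1, 30, "domain", 240),
]


if __name__ == "__main__":
    report = assess_stack(SAMPLE_INVENTORY, SAMPLE_CONFIGS)
    print(f"coverage {report['coverage']:.0%}, unmonitored: {report['unmonitored']}")
    for f in report["findings"]:
        print(f"[{f['severity']}] {f['app']}: {f['rule']} - {f['detail']}")
```

On the constructed data the `crm` tenant passes cleanly, `file-share` produces six findings (two of them high), and the report shows only 60% coverage with `hr-portal` and `team-chat` unassessed.  Reporting the unmonitored apps alongside the findings is the important design choice: a dashboard that lists zero findings for an app nobody is watching invites exactly the false confidence the survey numbers describe.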

Remember, securing SaaS applications requires a proactive and ongoing effort.  It's not enough to set up security measures and then forget about them.  Cyber criminals are constantly evolving their strategies, making regular monitoring and updating crucial for maintaining a strong security posture.

Edited by Erik Linask