When It Comes to SaaS Security, Ignorance is Not Bliss for Corporate Leadership

Written by Brendan O’Connor, CEO and Co-Founder of AppOmni

Organizations are increasingly moving their data to SaaS platforms. But while companies are racing to adopt SaaS, many haven’t yet put the tools and processes in place to protect their SaaS data, leaving it vulnerable in the cloud. It’s counterintuitive, given that IBM/Ponemon report the average cost of a data breach rose to $4.24M in 2021, in part driven by increasingly remote workforces. By understanding the causes of SaaS risk, businesses can safeguard operations.

AppOmni’s research has revealed that 95 percent of companies have external SaaS users – that is, non-employee users like partners, customers, and contractors – who are over provisioned and have access to sensitive data intended only for internal access. An even more worrisome statistic is that 55 percent of companies we analyzed have sensitive SaaS data that has inadvertently been exposed to the anonymous internet with no username or password required for access.

A Threefold Problem

1. SaaS platforms have evolved, but most security tools haven’t

Relatively simple applications from just a few years ago are now complex platforms. Today’s SaaS environments house massive amounts of business-critical data that’s accessed by users with varying levels of permissions: employees, contractors, partners, customers, and numerous API integrations and connected third-party apps.

While CASBs are often the go-to solution to secure SaaS, most focus only on users accessing SaaS through corporate networks. That means other access points—like APIs, third-party connections, and external user portals—remain unprotected, even invisible to security teams.

Another commonly used protective strategy, periodic pentests to assess SaaS security, also falls short. That’s because normal business operations—adding and removing users; connecting new third-party applications to the platform; and pushing software updates released by vendors—mean that SaaS environments are constantly changing. As a result, the point-in-time view pentests provide isn’t enough, which can leave SaaS vulnerable.

2. SaaS is prone to misconfiguration and configuration drift

Large enterprises often rely on dozens—if not hundreds—of active cloud and SaaS apps. Yet there’s no standardized security across SaaS app settings. This puts security teams at a huge disadvantage. Without understanding the nuances of every application, misconfiguration is impossible to avoid.

Most teams don’t have the resources to continually monitor permission updates, API access changes, or new vendor releases for every SaaS app in use. When you think about the scale of this challenge being hundreds or thousands of users across dozens of SaaS apps, it’s easy to see how configuration drift occurs over time. It’s clear that this shouldn’t be a task done manually. Companies need to embrace automated solutions to help.

3. The more third-party apps, the more expansive the risk

AppOmni’s data shows that there are an average of 42 distinct third-party applications

connecting into live SaaS environments within an enterprise. As that number of connected apps increases, so does both the risk and the attack surface.

Many of those 42 third-party apps can sit dormant for six-plus months—yet still have access to sensitive business data. And they are often installed by individual end users. This presents a worrisome reality: Security and IT teams can’t protect what they don’t know exists.

Three Actions to Regain Control and Secure the Enterprise

Despite the multitude of challenges, leaders can take steps to safeguard their organization.

1. Recognize the SaaS shared responsibility model

Believing that SaaS vendors are wholly responsible for SaaS security is a misconception that can be costly. Rather, security is a shared responsibility between vendor and client. Yes, Salesforce and Microsoft must offer secure products and services. But the responsibility of configuring, managing, and using apps responsibly lies with the customer.

2. Assign ownership of SaaS security

While SaaS is a major part of the IT stack, many organizations haven’t defined clear ownership of SaaS security. To minimize risk, businesses need to identify responsibility, including ownership, scope, processes, budget, and goals.

3. Accept complexity, embrace automation, and invest in security

As technology evolves, the volume and complexity of SaaS applications will naturally increase. Manual maintenance of constantly changing security settings and configurations across dozens or hundreds of SaaS platforms is an impossible task for security teams.

To protect SaaS environments, businesses need automated tools and processes that:

• Align with evolving SaaS security best practices
• Ensure security settings match business intent
• Manage data access through the network and across all access points
• Maintain visibility to third-party connected apps and their access to SaaS data
• Continuously monitor configurations, permissions, and updates to prevent configuration drift

Today’s SaaS platforms are powerful, complex, and dynamic. As sensitive data moves to the cloud, organizations must take the necessary steps to ensure that it remains secure.

About the Author

Brendan O'Connor is the CEO and co-founder of AppOmni. Prior to AppOmni, Brendan served as CSO at Salesforce and Security CTO at ServiceNow. He is a 20-year veteran of the security industry and is passionate about securing the SaaS applications that power businesses and enterprises. Brendan's past experience includes roles as a vulnerability researcher, security engineer, and privacy advocate. He has also worked in the Financial Services and Communications sectors.