CSA Official Press Release
Published 04/12/2022
New Cloud Security Alliance Survey Finds SaaS Misconfigurations May Be Responsible for Up to 63 Percent of Security Incidents
Proper visibility into SaaS security application settings and automated tools can mitigate risk
SEATTLE – April 12, 2022 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released the findings of its latest survey, 2022 SaaS Security Survey Report. Commissioned by Adaptive Shield, a leading SaaS Security Posture Management (SSPM) company, the survey offers insight into the industry’s knowledge, attitudes, and opinions regarding SaaS security and related misconfigurations.
“Many recent breaches and data leaks have been tied back to misconfigurations. Whereas most research related to misconfigurations has focused strictly on the IaaS layers and entirely ignores the SaaS stack, SaaS security and misconfigurations are equally, if not more, important when it comes to an organization's overall security. We wanted to gain a deeper understanding of the use of SaaS applications, how security assessments are conducted and the overall awareness of tools that can be used to secure SaaS applications,” said Hillary Baron, lead author and research analyst, Cloud Security Alliance.
“This survey shines a light on what CISOs and cybersecurity managers are looking for and need when it comes to securing their SaaS stack — from visibility, continuous monitoring and remediation to other ever-growing, critical use cases such as 3rd party application control and device posture monitoring,” asserts Maor Bin, CEO and co-founder of Adaptive Shield. “The SSPM market is maturing rapidly — and this type of zero-trust approach for SaaS is where the SSPM market is going.”
Among the survey’s key findings:
- SaaS misconfigurations are leading to security incidents. At least 43 percent of organizations report that they have dealt with one or more security incidents because of a SaaS misconfiguration.
- The leading causes of SaaS misconfigurations are lack of visibility into changes to the SaaS security settings (34%) and too many departments with access to SaaS security settings (35%).
- Investment in business-critical SaaS applications is outpacing SaaS security tools and staff. Over the past year, 81 percent of organizations have increased their investment in business-critical SaaS applications, but fewer organizations reported increasing their investment in security tools (73%) and staff (55%) for SaaS security.
- Manually detecting and remediating SaaS misconfigurations is leaving organizations exposed. Nearly half (46%) can only check monthly or less frequently, and another 5 percent don’t check at all, meaning that misconfigurations could go undetected for a month or longer.
- The use of an SSPM reduces the timeline to detect and remediate SaaS misconfigurations. Organizations that use an SSPM can detect and remediate their SaaS misconfigurations significantly quicker — 78 percent checked their SaaS security configurations weekly or more, compared to those not utilizing an SSPM, where only 45 percent were able to check at least weekly.
The survey, which was conducted with Adaptive Shield, gathered 340 responses from IT and security professionals from various organization sizes, industries, locations, and roles. Sponsors are CSA Corporate Members who support the research project’s findings but have no added influence on the content development or editing rights of CSA research.
About Adaptive Shield
Adaptive Shield, the leading SaaS Security Posture Management (SSPM) company, enables security teams to see and fix configuration weaknesses quickly in their SaaS environment, ensuring compliance with company and industry standards. Adaptive Shield works with numerous Fortune 500 enterprises to help them gain control over their SaaS threat landscape. For more information, visit us at www.adaptive-shield.com or follow us on LinkedIn.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.
For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.